# ModelScan PickleUnsafeOpScan Bypass PoC

## Steps to Reproduce

```bash
# 1. Scan with ModelScan
modelscan -p model.bin
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. Load the model
python3 -c "import pickle; pickle.load(open('model.bin','rb'))"

# 3. Check for RCE
cat /tmp/modelscan_bypass.txt
# Output: MODELSCAN_IMPORTLIB_BYPASS_SUCCESS
```

## Technical Details

ModelScan's PickleUnsafeOpScan uses a hardcoded blacklist of unsafe modules in `unsafe_globals`. The `importlib` module is NOT in this blacklist, allowing `importlib.import_module()` to be used in pickle payloads without detection.

When the pickle is deserialized, `importlib.import_module('malice')` imports the companion `malice.py` file, executing arbitrary Python code at module import time.
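The root cause above is a blocklist: any module the scanner's author did not think of (here `importlib`) passes. The defensive counterpart is to enumerate every module reference a pickle would resolve and compare it against an allowlist, so an unlisted module is reported instead of missed. The following is an added example written for this page, not ModelScan's own code; it walks the opcode stream with `pickletools.genops` (which disassembles without importing or calling anything) and collects the `(module, name)` pairs from `GLOBAL`, `INST` and `STACK_GLOBAL` opcodes. The allowlist contents and the sample pickles are constructed for the example; the `importlib` sample pickles only the function object by reference, so it exercises the detector without containing a `REDUCE` call.

```python
import collections
import importlib
import pickle
import pickletools

# Constructed allowlist of (module, name) pairs a loader is willing to resolve.
# Anything a pickle references outside this set is reported, which is the
# inverse of a hardcoded blocklist: an unlisted module such as importlib is
# caught rather than overlooked.
DEFAULT_ALLOWLIST = frozenset({
    ("collections", "OrderedDict"),
    ("builtins", "set"),
})


def find_global_refs(data: bytes):
    """Return every (module, name) pair a pickle would import, without loading it.

    pickletools.genops only disassembles the opcode stream, so no module is
    imported and no constructor is called while scanning.
    """
    refs = []
    recent_strings = []  # string pushes seen so far; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # Protocols 0-3 carry both names inside the opcode argument,
            # which pickletools renders as "module name".
            module, name = arg.split(None, 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+ pushes the two names as strings immediately before.
            if len(recent_strings) < 2:
                raise ValueError("malformed pickle: STACK_GLOBAL without two strings")
            refs.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
        # Opcodes such as FRAME or MEMOIZE carry no string and are skipped.
    return refs


def check_pickle(data: bytes, allowlist=DEFAULT_ALLOWLIST):
    """Return the (module, name) references that are NOT on the allowlist."""
    return [ref for ref in find_global_refs(data) if ref not in allowlist]


# Constructed samples.  The importlib ones pickle the function object itself:
# that emits only the module/name reference (no REDUCE), so loading them would
# merely return the function, yet a blocklist without importlib misses them.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3})
ALLOWED_REF_PICKLE = pickle.dumps(collections.OrderedDict(a=1))
IMPORTLIB_REF_PICKLE = pickle.dumps(importlib.import_module, protocol=4)
LEGACY_IMPORTLIB_REF_PICKLE = pickle.dumps(importlib.import_module, protocol=2)

if __name__ == "__main__":
    for label, blob in [
        ("benign dict", BENIGN_PICKLE),
        ("allowed OrderedDict", ALLOWED_REF_PICKLE),
        ("importlib (protocol 4)", IMPORTLIB_REF_PICKLE),
        ("importlib (protocol 2)", LEGACY_IMPORTLIB_REF_PICKLE),
    ]:
        print(f"{label}: flagged={check_pickle(blob)}")
```

Because `genops` reads opcodes rather than executing them, the scan is safe to run on untrusted files; the same `(module, name)` list can also drive a restricted `Unpickler.find_class` so that an unlisted reference fails at load time as well as at scan time.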