README.md

ModelScan PickleUnsafeOpScan Bypass PoC

Steps to Reproduce

# 1. Scan with ModelScan
modelscan -p model.bin
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. Load the model
python3 -c "import pickle; pickle.load(open('model.bin','rb'))"

# 3. Check for RCE
cat /tmp/modelscan_bypass.txt
# Output: MODELSCAN_IMPORTLIB_BYPASS_SUCCESS

Technical Details

ModelScan's PickleUnsafeOpScan uses a hardcoded blacklist of unsafe modules in unsafe_globals. The importlib module is NOT in this blacklist, allowing importlib.import_module() to be used in pickle payloads without detection.

When the pickle is deserialized, importlib.import_module('malice') imports the companion malice.py file, executing arbitrary Python code at module import time.