---
tags:
  - security-research
  - modelscan-bypass
---

modelscan Bypass: sqlite3 Database-Mediated File Write + Native Code RCE

Security Research — Responsible Disclosure

This repository contains proof-of-concept pickle files demonstrating that modelscan v0.8.8 fails to detect malicious payloads using sqlite3.connect() + operator.methodcaller().

Files

  • sqlite3_attach_bypass.pkl — Arbitrary file creation via ATTACH DATABASE (guaranteed to work)
  • sqlite3_rce_bypass.pkl — Native code execution via load_extension (requires extension-enabled Python)

Attack Category

Database-mediated arbitrary file write + native code RCE — novel bypass class.

Scanner Result

    $ modelscan scan -p sqlite3_attach_bypass.pkl
    No issues found! 🎉

Root Cause

The sqlite3 module is entirely absent from modelscan's unsafe_globals blocklist, and operator.methodcaller is not blocked either (only operator.attrgetter is listed).
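The gap above is a denylist problem, so the check a defender can add is a static opcode walk that flags these globals before anything is unpickled. This is an added example written for this page, not modelscan's code: DENYLIST is a constructed supplement (not modelscan's real list), and the two sample pickles are hand-built byte streams that merely reference sqlite3.connect via GLOBAL and STACK_GLOBAL; they are inspected with pickletools only and never loaded.

```python
import pickle
import pickletools

# Constructed supplement to a pickle scanner's denylist. A bare module name
# denies every attribute of that module; "module.name" denies one callable.
# sqlite3 and operator.methodcaller are the two gaps this page reports.
DENYLIST = {
    "sqlite3", "os", "subprocess", "builtins.eval", "builtins.exec",
    "operator.attrgetter", "operator.methodcaller",
}

# Constructed samples: a protocol-0 GLOBAL reference and a protocol-4
# STACK_GLOBAL reference to sqlite3.connect, plus a benign weights dict.
SAMPLE_GLOBAL = b"csqlite3\nconnect\n."
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x07sqlite3\x8c\x07connect\x93."
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol=4)

# Opcodes that push a str; STACK_GLOBAL consumes the last two of these.
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def is_denied(module, name):
    return module in DENYLIST or f"{module}.{name}" in DENYLIST


def find_unsafe_globals(data):
    """Return (module, name) pairs in `data` that hit DENYLIST.

    Walks the opcode stream with pickletools.genops, so no code in the
    pickle ever runs. Only the last two pushed strings are tracked for
    STACK_GLOBAL (a full stack emulation would be stricter).
    """
    hits = []
    recent = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
            continue
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)      # arg is "module name"
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            module, name = recent
        else:
            continue
        if is_denied(module, name):
            hits.append((module, name))
    return hits


if __name__ == "__main__":
    for label, blob in [("GLOBAL", SAMPLE_GLOBAL), ("STACK_GLOBAL", SAMPLE_STACK_GLOBAL), ("benign", SAMPLE_BENIGN)]:
        print(label, find_unsafe_globals(blob))
```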

Impact

  • Arbitrary file creation at any writable path
  • Attacker-controlled data injection into files
  • Native shared library loading (full RCE) via load_extension
  • Two-stage chain: combine with the _io/pathlib bypass to write a .so file, then load it via sqlite3