ModelScan Joblib Bypass: 3 Pickle-Based RCE Techniques

Three novel techniques that bypass modelscan's pickle scanner when the payload is stored in the JOBLIB format.

Bypass Summary

| # | Technique | Module(s) used | In unsafe_globals blocklist? | Modelscan result |
|---|-----------|----------------|------------------------------|------------------|
| 1 | PyDLL PyRun_SimpleString | ctypes.PyDLL | NO | No issues |
| 2 | importlib + methodcaller | importlib, operator.methodcaller | NO | No issues |
| 3 | code.InteractiveInterpreter | code.InteractiveInterpreter | NO | No issues |

PoC Files

  • exploit_pydll.joblib: uses ctypes.PyDLL(None).PyRun_SimpleString() to execute arbitrary Python via the CPython C API
  • exploit_importlib.joblib: uses importlib.import_module('os') + operator.methodcaller('system', cmd) for shell RCE
  • exploit_code_interpreter.joblib: uses code.InteractiveInterpreter().runsource() to execute arbitrary Python

Verification

modelscan scan -p exploit_pydll.joblib
# -> "No issues found!"

Why They Work

modelscan's unsafe_globals blocklist does NOT include:

  • ctypes → PyDLL / PyRun_SimpleString
  • importlib → import_module
  • operator.methodcaller (only operator.attrgetter is blocked)
  • code → InteractiveInterpreter

All three are standard library modules that can achieve full RCE.
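A blocklist that misses these names is the whole problem, so the practical defensive check is to enumerate every global reference a pickle stream imports, without ever loading it, and flag the modules listed above. The following is an added example, not code from modelscan or from this card; it walks the opcode stream with the standard-library pickletools module and assumes the input is a plain (uncompressed) pickle stream, which is what an uncompressed joblib dump without numpy arrays is. The FLAGGED_GLOBALS set and the sample blobs are constructed for the demonstration; the samples are bare class references with no REDUCE, so nothing in them would execute even if loaded.

```python
import code
import operator
import pickle
import pickletools
from typing import Iterator

# Globals this card lists as missing from modelscan's unsafe_globals blocklist
# (assumed list for the demo). A None name flags every global from that module.
FLAGGED_GLOBALS = {
    ("ctypes", None),
    ("importlib", "import_module"),
    ("operator", "methodcaller"),
    ("code", "InteractiveInterpreter"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def iter_globals(data: bytes) -> Iterator[tuple[str, str]]:
    """Yield (module, name) for each GLOBAL / STACK_GLOBAL opcode without loading the pickle."""
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":              # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name in STRING_OPS:          # remember pushed strings for STACK_GLOBAL
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":      # protocol 4+: last two strings are module, name
            if len(recent_strings) >= 2:     # heuristic: ignores memo GET indirection
                yield recent_strings[-2], recent_strings[-1]


def scan_pickle(data: bytes) -> list[str]:
    """Return flagged 'module.name' references; an unparseable stream is itself a finding."""
    findings: list[str] = []
    try:
        for module, name in iter_globals(data):
            if (module, None) in FLAGGED_GLOBALS or (module, name) in FLAGGED_GLOBALS:
                findings.append(f"{module}.{name}")
    except ValueError as exc:                # truncated or malformed opcode stream: do not pass it
        findings.append(f"UNPARSEABLE: {exc}")
    return findings


# Constructed samples: class references only, no call, so nothing would run on load.
SAMPLE_GLOBAL = pickle.dumps(operator.methodcaller, protocol=2)             # emits GLOBAL
SAMPLE_STACK_GLOBAL = pickle.dumps(code.InteractiveInterpreter, protocol=4)  # emits STACK_GLOBAL
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("global", SAMPLE_GLOBAL),
                        ("stack_global", SAMPLE_STACK_GLOBAL)]:
        print(label, scan_pickle(blob) or "clean")
```

Because the check never calls pickle.loads, it is safe to run on untrusted files; a compressed joblib file must be decompressed first, and a truncated stream is reported rather than silently passed.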
