mmaitre314 PickleScan Protection Mechanism Failure Vulnerability Allowing Unsafe Globals Bypass

Vulnerability

A protection mechanism failure vulnerability has been identified in mmaitre314 PickleScan versions through 0.0.30. It allows remote attackers to bypass the application's unsafe globals check, potentially leading to arbitrary code execution. The issue arises because the scanner compares the module name of each global against its list of unsafe globals by exact match only, so a submodule of a listed package is never matched. Attackers can exploit this by referencing submodules of dangerous packages to load malicious payloads; for example, 'asyncio.unix_events' can be used instead of 'asyncio', circumventing the safety check. Once the malicious payload is loaded, it can execute harmful code on the user's system.
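The following is an added illustration of the check described above, not code from PickleScan itself: it disassembles a pickle with `pickletools` (no unpickling), extracts the modules named by GLOBAL and STACK_GLOBAL opcodes, and compares an exact-match check with a package-aware one. The unsafe-globals list, the `placeholder` callable names and the hand-built sample pickles are all constructed for the demo.

```python
import pickletools

# Constructed, hypothetical unsafe-globals list for this demo only;
# it is not PickleScan's actual list.
UNSAFE_GLOBALS = {"os", "subprocess", "asyncio", "builtins"}


def extract_global_refs(data: bytes) -> list[tuple[str, str]]:
    """(module, name) pairs referenced by GLOBAL / STACK_GLOBAL opcodes.
    pickletools.genops only disassembles: nothing is imported or unpickled,
    which is how a scanner must inspect untrusted pickles. STACK_GLOBAL
    handling is simplified to 'the last two strings pushed'.
    """
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # 'c' opcode, arg is "module name"
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":    # protocol 4: module, name on stack
            refs.append((strings[-2], strings[-1]))
    return refs

def is_unsafe_exact(module: str) -> bool:
    """Exact-match check, the behaviour described for versions through 0.0.30."""
    return module in UNSAFE_GLOBALS

def is_unsafe_prefix(module: str) -> bool:
    """Hardened check: flag the module if it or any parent package is listed,
    so 'asyncio.unix_events' is caught by the 'asyncio' entry. It splits on
    '.', so an unrelated module like 'osprofiler' is not matched by 'os'."""
    parts = module.split(".")
    return any(".".join(parts[:i]) in UNSAFE_GLOBALS for i in range(1, len(parts) + 1))

def scan(data: bytes, check) -> list[str]:
    """Module names in `data` that `check` flags as unsafe."""
    return [mod for mod, _ in extract_global_refs(data) if check(mod)]

def build_global_pickle(module: str, name: str) -> bytes:
    """Constructed protocol-2 pickle with one GLOBAL reference (never unpickled)."""
    return b"\x80\x02c" + module.encode() + b"\n" + name.encode() + b"\n."

def build_stack_global_pickle(module: str, name: str) -> bytes:
    """Constructed protocol-4 pickle: two SHORT_BINUNICODE pushes + STACK_GLOBAL."""
    def short_unicode(s: str) -> bytes:
        raw = s.encode("utf-8")
        return b"\x8c" + bytes([len(raw)]) + raw
    return b"\x80\x04" + short_unicode(module) + short_unicode(name) + b"\x93."
```

Running `scan` with `is_unsafe_exact` over a pickle that references 'asyncio.unix_events' returns nothing, while `is_unsafe_prefix` flags it; both flag a bare 'asyncio' reference.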

Impact

Exploitation of this vulnerability allows attackers to bypass PickleScan's safety checks and execute arbitrary code on the user's system. This is particularly concerning for organizations or individuals using PickleScan to analyze files for malicious content, as it could lead to the very threats they are trying to mitigate.

Reproduction

To reproduce this vulnerability, download a PyTorch model that includes the 'asyncio' package, such as one from the Hugging Face repository. After downloading the model, run PickleScan against it, specifying the file path and the globals option. PickleScan should flag the file as malicious because of the 'asyncio' reference, but because of this vulnerability the reference passes the check unflagged, demonstrating the flaw.

Remediation

Users can update to PickleScan version 0.0.31 or later, where this vulnerability has been patched.

Added: Sep 17, 2025, 12:20 PM
Updated: Sep 17, 2025, 2:36 PM

Vulnerability Rating

Custom Algorithm

  spread           0.0
  impact          10.0
  exploitability   6.0
  remediation      7.7
  relevance        0.6
  threat           6.4
  urgency          2.9
  incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.