mmaitre314 picklescan
cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*
- < 0.0.22
A vulnerability in Picklescan versions prior to 0.0.21 allows for unsafe deserialization that can bypass security checks and lead to remote code execution. The issue arises because Picklescan does not recognize 'pip' as an unsafe global. An attacker could create a malicious model that uses Python's Pickle module to download and install a harmful package from PyPI or GitHub using 'pip.main()'. When this malicious model is scanned with Picklescan, it would be incorrectly flagged as safe.
Exploitation of this vulnerability allows for remote code execution on the system that deserializes the malicious pickle file. Additionally, it can be used as a supply chain attack by distributing infected pickle files across machine learning models, APIs, or saved Python objects, all while bypassing Picklescan's security checks.
To reproduce this vulnerability, first create a malicious Python package that includes a 'setup.py' file designed to execute arbitrary code, such as a shell script. Upload this package to a repository or PyPI. Then, craft a pickle file that, when deserialized, calls 'pip.main()' to install the malicious package. This can be done by creating a class that implements the '__reduce__' method to return 'pip.main' with the appropriate installation commands. Once the pickle file is created, it can be deserialized in a Python environment, triggering the execution of the malicious package.
Users can upgrade to Picklescan version 0.0.22 or later, which addresses this vulnerability by adding 'pip' to the list of restricted globals.
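As an added illustration (example code, not Picklescan's own), the check a scanner has to make: walk the pickle opcode stream with 'pickletools.genops', collect every GLOBAL / STACK_GLOBAL reference and compare it against a denylist that includes 'pip', without ever unpickling the data. The denylist, the constructed samples and the helper names are this example's own assumptions.

```python
import pickle
import pickletools
from collections import OrderedDict

# Denylist for this example (hypothetical, not Picklescan's own list).
# "*" matches any attribute of the module; 'pip' is the entry Picklescan
# lacked before 0.0.22, so a pip.main-based loader passed its scan.
UNSAFE_GLOBALS = {("pip", "*"), ("os", "*"), ("subprocess", "*"),
                  ("builtins", "eval"), ("builtins", "exec")}


def referenced_globals(data: bytes):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL opcode, using
    pickletools.genops only: the data is disassembled, never unpickled."""
    strings = []  # strings pushed so far; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":    # protocol 4+: pops name, then module
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL; treat file as unsafe")
            name, module = strings.pop(), strings.pop()
            yield module, name


def scan(data: bytes) -> list:
    """Return 'module.name' for every denylisted global the pickle references."""
    hits = []
    for module, name in referenced_globals(data):
        top = module.split(".", 1)[0]   # catch pip._internal.* as well as pip
        if (top, "*") in UNSAFE_GLOBALS or (module, name) in UNSAFE_GLOBALS:
            hits.append(f"{module}.{name}")
    return hits


# Constructed sample: raw opcodes that would call pip.main(["--version"]) on
# load (harmless argument; the global reference alone is what must be flagged).
# Built by hand so that nothing here imports pip or executes anything.
PIP_PICKLE = (b"cpip\nmain\n"      # GLOBAL pip main
              b"(l"                # MARK, LIST -> []
              b"V--version\na"     # UNICODE '--version', APPEND
              b"\x85R.")           # TUPLE1, REDUCE, STOP
# Constructed benign samples: plain data, and a stdlib class reference (proto 4).
BENIGN_PICKLE = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)
ORDERED_PICKLE = pickle.dumps(OrderedDict(), protocol=4)

if __name__ == "__main__":
    print("pip sample   :", scan(PIP_PICKLE))      # ['pip.main']
    print("benign sample:", scan(BENIGN_PICKLE))   # []
```

A scanner that refuses the file on any denylisted hit, or on a ValueError from a malformed stream, is the safe default; the same walk is what a fixed Picklescan performs once 'pip' is on its restricted list.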