Description

Picklescan Bypass is Possible via File Extension Mismatch

Summary

Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.

Details

The vulnerability stems from the logic in the scan_bytes function within picklescan/scanner.py, specifically around line 463: https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463 The code first checks if the file extension (file_ext) is in the pytorch_file_extension list. If it is (e.g., .bin), the scan_pytorch function is called. When a standard pickle file is encountered with a PyTorch extension, scan_pytorch will likely fail. Critically, the code then returns an Error without attempting to analyze the file as a standard pickle using scan_pickle_bytes. This prevents the detection of malicious payloads within such files.

PoC

Download a malicious pickle file with a standard .pkl extension: wget https://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true -O model.pkl

Scan the file with Picklescan (correct detection): /home/davfr/Tests/HF/dangerous_model/model.pkl: dangerous import 'builtins exec' FOUND ----------- SCAN SUMMARY ----------- Scanned files: 1 Infected files: 1 Dangerous globals: 1

Rename the file to use a PyTorch-related extension (e.g., .bin): cp model.pkl model.bin

Scan the renamed file with Picklescan:

Observed Result: Picklescan fails and reports an error related to PyTorch parsing but does not detect the malicious pickle content. Expected Result: Picklescan should recognize the file as a standard pickle format despite the .bin extension and scan it accordingly, identifying the malicious content.

Impact

Severity: High Affected Users: Any organization or individual relying on Picklescan to ensure the safety of PyTorch models or other files that might contain embedded pickle objects. This includes users downloading pre-trained models or receiving files that could potentially contain malicious code. Impact Details: Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt, etc.). These files would then bypass PickleScan's detection mechanism, allowing the malicious code to execute when the file is loaded by a vulnerable application or user. Potential Exploits: This vulnerability significantly weakens the security provided by PickleScan. It opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or even through direct file sharing. Users trusting PickleScan would be unknowingly exposed to these threats. Recommendations The most effective solution is to modify the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails or is not applicable. A suggested approach is: Attempt PyTorch Scan: If the file extension matches a known PyTorch extension, attempt to scan it as a PyTorch object. Fallback to Pickle Scan: Regardless of the success or failure of the PyTorch scan (or if the extension is not a PyTorch extension), always attempt to scan the file as a standard pickle. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities.

Suggested Patch

--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -462,19 +462,28 @@ def scan_bytes(data: IO[bytes], file_id, file_ext: Optional[str] = None) -> Scan
     if file_ext is not None and file_ext in pytorch_file_extensions:
         try:
             return scan_pytorch(data, file_id)
         except InvalidMagicError as e:
-            _log.error(f"ERROR: Invalid magic number for file {e}")...
Show more

Mitigation

Aliases

References