Summary
PickleScan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
Details
The vulnerability stems from the logic in the scan_bytes function within picklescan/scanner.py, specifically around line 463: https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463
The code first checks if the file extension (file_ext) is in the pytorch_file_extension list. If it is (e.g., .bin), the scan_pytorch function is called. When a standard pickle file is encountered with a PyTorch extension, scan_pytorch will likely fail. Critically, the code then returns an Error without attempting to analyze the file as a standard pickle using scan_pickle_bytes. This prevents the detection of malicious payloads within such files.
PoC
-
Download a malicious pickle file with a standard .pkl extension:
wget https://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true -O model.pkl
-
Scan the file with PickleScan (correct detection):
/home/davfr/Tests/HF/dangerous_model/model.pkl: dangerous import 'builtins exec' FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Dangerous globals: 1
-
Rename the file to use a PyTorch-related extension (e.g., .bin):
cp model.pkl model.bin
-
Scan the renamed file with PickleScan:
Observed Result: PickleScan fails and reports an error related to PyTorch parsing but does not detect the malicious pickle content.
Expected Result: PickleScan should recognize the file as a standard pickle format despite the .bin extension and scan it accordingly, identifying the malicious content.
Impact
Severity: High
Affected Users: Any organization or individual relying on PickleScan to ensure the safety of PyTorch models or other files that might contain embedded pickle objects. This includes users downloading pre-trained models or receiving files that could potentially contain malicious code.
Impact Details: Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt, etc.). These files would then bypass PickleScan's detection mechanism, allowing the malicious code to execute when the file is loaded by a vulnerable application or user.
Potential Exploits: This vulnerability significantly weakens the security provided by PickleScan. It opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or even through direct file sharing. Users trusting PickleScan would be unknowingly exposed to these threats.
Recommendations
The most effective solution is to modify the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails or is not applicable. A suggested approach is:
Attempt PyTorch Scan: If the file extension matches a known PyTorch extension, attempt to scan it as a PyTorch object.
Fallback to Pickle Scan: Regardless of the success or failure of the PyTorch scan (or if the extension is not a PyTorch extension), always attempt to scan the file as a standard pickle. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities.
Suggested Patch
--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -462,19 +462,28 @@ def scan_bytes(data: IO[bytes], file_id, file_ext: Optional[str] = None) -> Scan
if file_ext is not None and file_ext in pytorch_file_extensions:
try:
return scan_pytorch(data, file_id)
except InvalidMagicError as e:
- _log.error(f"ERROR: Invalid magic number for file {e}")
- return ScanResult([], scan_err=True)
+ _log.warning(f"PyTorch scan failed for {file_id} with extension {file_ext}: {e}")
+ # Don't return error here - continue to other scan methods
elif file_ext is not None and file_ext in numpy_file_extensions:
- return scan_numpy(data, file_id)
- else:
- is_zip = zipfile.is_zipfile(data)
- data.seek(0)
- if is_zip:
- return scan_zip_bytes(data, file_id)
- elif is_7z_file(data):
- return scan_7z_bytes(data, file_id)
- else:
- return scan_pickle_bytes(data, file_id)
+ try:
+ return scan_numpy(data, file_id)
+ except Exception as e:
+ _log.warning(f"NumPy scan failed for {file_id}: {e}")
+
+ # Always attempt additional format checks as fallback
+ data.seek(0) # Reset stream position
+ is_zip = zipfile.is_zipfile(data)
+ data.seek(0)
+ if is_zip:
+ return scan_zip_bytes(data, file_id)
+ elif is_7z_file(data):
+ return scan_7z_bytes(data, file_id)
+ else:
+ # FIX: Always attempt pickle scanning as fallback
+ # This prevents the vulnerability where pickle files with wrong extensions bypass detection
+ return scan_pickle_bytes(data, file_id)
Summary
PickleScan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
Details
The vulnerability stems from the logic in the scan_bytes function within picklescan/scanner.py, specifically around line 463: https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463
The code first checks if the file extension (file_ext) is in the pytorch_file_extension list. If it is (e.g., .bin), the scan_pytorch function is called. When a standard pickle file is encountered with a PyTorch extension, scan_pytorch will likely fail. Critically, the code then returns an Error without attempting to analyze the file as a standard pickle using scan_pickle_bytes. This prevents the detection of malicious payloads within such files.
PoC
Download a malicious pickle file with a standard .pkl extension:
wget https://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true -O model.pkl
Scan the file with PickleScan (correct detection):
/home/davfr/Tests/HF/dangerous_model/model.pkl: dangerous import 'builtins exec' FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Dangerous globals: 1
Rename the file to use a PyTorch-related extension (e.g., .bin):
cp model.pkl model.bin
Scan the renamed file with PickleScan:
Observed Result: PickleScan fails and reports an error related to PyTorch parsing but does not detect the malicious pickle content.
Expected Result: PickleScan should recognize the file as a standard pickle format despite the .bin extension and scan it accordingly, identifying the malicious content.
Impact
Severity: High
Affected Users: Any organization or individual relying on PickleScan to ensure the safety of PyTorch models or other files that might contain embedded pickle objects. This includes users downloading pre-trained models or receiving files that could potentially contain malicious code.
Impact Details: Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt, etc.). These files would then bypass PickleScan's detection mechanism, allowing the malicious code to execute when the file is loaded by a vulnerable application or user.
Potential Exploits: This vulnerability significantly weakens the security provided by PickleScan. It opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or even through direct file sharing. Users trusting PickleScan would be unknowingly exposed to these threats.
Recommendations
The most effective solution is to modify the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails or is not applicable. A suggested approach is:
Attempt PyTorch Scan: If the file extension matches a known PyTorch extension, attempt to scan it as a PyTorch object.
Fallback to Pickle Scan: Regardless of the success or failure of the PyTorch scan (or if the extension is not a PyTorch extension), always attempt to scan the file as a standard pickle. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities.
Suggested Patch