HIGH

GHSA-vqmv-47xg-9wpr

Picklescan missing detection when calling pty.spawn

Details

### Summary

Using `pty.spawn`, a function in Python's built-in `pty` module, an attacker can execute arbitrary commands on the host system from a pickle file without picklescan detecting it.

### Details

The attack payload executes in the following steps. First, the attacker crafts the payload by calling the `pty.spawn` function in the `__reduce__` method. Then the victim attempts to use picklescan to scan the pickle file for issues and sees this:

```
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Dangerous globals: 0
```

The victim proceeds to load the pickle file and execute the attacker-injected arbitrary code.

### PoC

```
import pty

class PtyExploit:
    def __reduce__(self):
        # pickle.load() calls pty.spawn(["/bin/sh", "-c", "id; exit"]) while unpickling
        return (pty.spawn, (["/bin/sh", "-c", "id; exit"],))
```
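To show why the scan summary above reports 0 dangerous globals and what a fix has to change, here is an added example (not picklescan's own code) of a minimal opcode-level scanner built on `pickletools.genops`: it lists every global a pickle imports without loading it and checks them against a blocklist with and without `pty`. The two blocklists and the `/bin/true` sample bytes are constructed for illustration.

```python
import pickle
import pickletools
import pty  # the module whose function the sample pickles reference

# Reduced blocklists of the module -> names shape a pickle scanner keeps. Assumed
# for illustration: the "old" list lacks pty, the "patched" list adds it.
OLD_BLOCKLIST = {"os": "*", "subprocess": "*", "builtins": {"eval", "exec"}}
PATCHED_BLOCKLIST = {**OLD_BLOCKLIST, "pty": "*"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """Yield (module, name) for every global the pickle imports, without loading it.

    Protocols 0-3 use GLOBAL with "module name" as the opcode argument; protocol 4+
    uses STACK_GLOBAL, which takes module and name from the two strings pushed
    just before it, so string pushes are tracked.
    """
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":
            yield strings[-2], strings[-1]
        elif op.name in STRING_OPS:
            strings.append(arg)


def scan(data: bytes, blocklist) -> list:
    """Return the blocklisted globals found in the pickle as 'module.name' strings."""
    found = []
    for module, name in referenced_globals(data):
        names = blocklist.get(module)
        if names == "*" or (names and name in names):
            found.append(f"{module}.{name}")
    return found


# Constructed samples, only ever scanned and never unpickled:
# protocol 0 written by hand (GLOBAL pty.spawn, a harmless argument, REDUCE, STOP)
SAMPLE_P0 = b"cpty\nspawn\n(S'/bin/true'\ntR."
# protocol 4, produced by pickling the function reference itself (STACK_GLOBAL)
SAMPLE_P4 = pickle.dumps(pty.spawn, protocol=4)

if __name__ == "__main__":
    for label, sample in (("proto0", SAMPLE_P0), ("proto4", SAMPLE_P4)):
        print(label, "old:", scan(sample, OLD_BLOCKLIST),
              "patched:", scan(sample, PATCHED_BLOCKLIST))
```

With the old blocklist both samples scan clean, which is the "Dangerous globals: 0" result in the advisory; adding `pty` to the blocklist flags `pty.spawn` in both pickle protocols.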

### Impact

**Who is impacted?** Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

**What is the impact?** Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is loaded.

**Supply Chain Attack**: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

### Collaborators

- https://github.com/ajohnston9
- https://github.com/geo-lit


Affected packages

PyPI / picklescan
Introduced in: 0
Fixed in: 0.0.33

Fix: `pip install --upgrade 'picklescan>=0.0.33'`

References