Madgetr

**Name of the Vulnerable Software and Affected Versions** PickleScan versions prior to 0.0.23 **Description** The issue allows for a ZIP archive manipulation attack, causing PickleScan to crash when extracting and scanning PyTorch model archives. An attacker can modify the filename in the ZIP header, while keeping the original filename in the directory listing, to make PickleScan raise a BadZipFile error. However, PyTorch's ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection. **Recommendations** For versions prior to 0.0.23, update to version 0.0.23 or later to resolve the issue. As a temporary workaround, consider restricting the use of PickleScan to scan PyTorch model archives until a patch is available. Avoid using PickleScan to extract and scan ZIP archives that may contain malicious payloads.

**Nome do Software Vulnerável e Versões Afetadas** Versões do PickleScan anteriores à 0.0.23 **Descrição** A vulnerabilidade permite que um atacante incorpore arquivos pickle maliciosos dentro de arquivos de modelo do PyTorch, modificando bits de flag específicos do arquivo ZIP. Isso pode levar à execução arbitrária de código ao carregar um modelo comprometido, pois os arquivos maliciosos permanecem indetectáveis pelo PickleScan, mas são carregados com sucesso pela função torch.load() do PyTorch. **Recomendações** Para versões do PickleScan anteriores à 0.0.23, atualize para a versão 0.0.23 ou posterior para resolver o problema. Como medida de contorno temporária, considere inspecionar manualmente os cabeçalhos dos arquivos ZIP em busca de bits de flag modificados antes de carregar modelos do PyTorch. Restrinja o acesso a modelos potencialmente comprometidos para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** picklescan versions prior to 0.0.21 **Description** The issue allows an attacker to craft a malicious model that uses Pickle to pull in a malicious PyPI package via `pip.main()`. This is possible because 'pip' is not treated as an unsafe global, causing the model to pass security checks and appear safe when scanned, even though it could be problematic. **Recommendations** For picklescan versions prior to 0.0.21, update to version 0.0.21 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `pip.main()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** picklescan versions prior to 0.0.22 **Description** The issue arises because picklescan only considers standard pickle file extensions during its vulnerability scan. An attacker can craft a malicious model that uses Pickle and includes a malicious pickle file with a non-standard file extension. Since the malicious pickle file inclusion is not considered part of the scope of picklescan, the file would pass security checks and appear safe, when it could instead prove problematic. This vulnerability can lead to arbitrary code execution when a model is loaded, potentially allowing supply-chain attacks by embedding malicious code in PyTorch models that remains undetected but executes when the model is loaded. **Recommendations** 1. For versions prior to 0.0.22, scan all files in the ZIP archive instead of relying on file extensions. 2. For versions prior to 0.0.22, detect hidden pickle references by performing static analysis to identify `torch.load(pickle file=...)` calls inside `data.pkl`. 3. For versions prior to 0.0.22, implement magic byte detection to inspect file contents for pickle magic bytes (`x80x05`) instead of relying on extensions. 4. For versions prior to 0.0.22, block the following globals: `torch.load` and `functools.partial`.