---
tags:
  - security-research
  - modelscan-bypass
---

# modelscan Bypass: sqlite3 Database-Mediated File Write + Native Code RCE

## Security Research — Responsible Disclosure

This repository contains proof-of-concept pickle files demonstrating that modelscan v0.8.8 fails to detect malicious payloads built from `sqlite3.connect()` + `operator.methodcaller()`.

### Files

- `sqlite3_attach_bypass.pkl` — Arbitrary file creation via ATTACH DATABASE (guaranteed to work)
- `sqlite3_rce_bypass.pkl` — Native code execution via load_extension (requires extension-enabled Python)

### Attack Category

**Database-mediated arbitrary file write + native code RCE** — novel bypass class.

### Scanner Result

```
modelscan scan -p sqlite3_attach_bypass.pkl
No issues found! 🎉
```

### Root Cause

The `sqlite3` module is entirely absent from modelscan's `unsafe_globals` blocklist. `operator.methodcaller` is not blocked either (only `attrgetter` is listed).

### Impact

- Arbitrary file creation at any writable path
- Attacker-controlled data injection into files
- Native shared library loading (full RCE) via load_extension
- Two-stage chain: combine with the _io/pathlib bypass to write a .so, then load it via sqlite3
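The root cause above is a blocklist gap, so the fix on the scanner side is to inspect which globals a pickle references before anything is unpickled. The following is an added example, not code from this repository and not modelscan's own implementation: it walks the opcode stream with `pickletools.genops` (never calling `pickle.loads`), resolves both the `GLOBAL` and the protocol-4 `STACK_GLOBAL` forms, and checks the references against a constructed blocklist that includes the two entries the text says modelscan v0.8.8 lacks (`sqlite3` and `operator.methodcaller`). The `UNSAFE_GLOBALS` table and the two raw opcode fixtures are constructed for this illustration; the fixtures only carry the references, they are not the repository's PoC files.

```python
"""Opcode-level pickle scan that flags the two gaps named above.

Added example, not modelscan's code: it walks the opcode stream with
pickletools.genops and never unpickles, so it is safe to run on hostile files.
"""
import pickle
import pickletools
from collections import OrderedDict

# Constructed blocklist for this example (not modelscan's unsafe_globals).
# "*" flags every attribute of the module.
UNSAFE_GLOBALS = {
    "builtins": {"eval", "exec", "compile", "open", "getattr", "__import__"},
    "os": {"*"},
    "posix": {"*"},
    "nt": {"*"},
    "subprocess": {"*"},
    "operator": {"attrgetter", "methodcaller"},  # modelscan lists only attrgetter
    "sqlite3": {"*"},                             # absent from modelscan's list
    "_sqlite3": {"*"},                            # C module that sqlite3 re-exports
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the stream would import, without unpickling.

    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) takes the
    module and name from the two most recent string pushes, so a small memo
    mirror keeps track of strings that were memoized and fetched back by index.
    """
    found = []
    strings = []   # string constants pushed so far (STACK_GLOBAL operands)
    memo = {}      # memo slot -> last pushed value (strings only are useful)
    last = None    # value pushed by the previous opcode, if it was a string
    for opcode, arg, _pos in pickletools.genops(data):
        op = opcode.name
        if op == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            last = None
        elif op == "STACK_GLOBAL":
            if len(strings) >= 2:
                attr = strings.pop()
                module = strings.pop()
                found.append((module, attr))
            last = None
        elif op in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op == "MEMOIZE":
            memo[len(memo)] = last
        elif op in PUT_OPS:
            memo[arg] = last
        elif op in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None
    return found


def scan_pickle(data: bytes) -> list[str]:
    """Return one finding per blocklisted global; an empty list means clean."""
    findings = []
    for module, attr in referenced_globals(data):
        names = UNSAFE_GLOBALS.get(module)
        if names and ("*" in names or attr in names):
            findings.append(f"unsafe global {module}.{attr}")
    return findings


# Constructed fixtures, written as raw opcodes so nothing is ever executed.
# Protocol 2: GLOBAL 'sqlite3 connect', SHORT_BINSTRING ':memory:', TUPLE1, REDUCE, STOP
SAMPLE_GLOBAL = b"\x80\x02" b"csqlite3\nconnect\n" b"U\x08:memory:" b"\x85" b"R" b"."

# Protocol 4: the same reference via STACK_GLOBAL/MEMOIZE, then a reference to
# operator.methodcaller (the stream only needs to carry the references).
SAMPLE_STACK_GLOBAL = (
    b"\x80\x04"
    b"\x8c\x07sqlite3\x94" b"\x8c\x07connect\x94" b"\x93\x94"
    b"\x8c\x08:memory:\x94" b"\x85\x94" b"R\x94"
    b"\x8c\x08operator\x94" b"\x8c\x0cmethodcaller\x94" b"\x93\x94"
    b"."
)

# Benign model-like objects: only collections.OrderedDict is referenced.
BENIGN_P2 = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=2)
BENIGN_P4 = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)

if __name__ == "__main__":
    for label, blob in [("sqlite3 via GLOBAL", SAMPLE_GLOBAL),
                        ("sqlite3 + methodcaller via STACK_GLOBAL", SAMPLE_STACK_GLOBAL),
                        ("benign OrderedDict", BENIGN_P4)]:
        print(label, "->", scan_pickle(blob) or "no issues")
```

The memo mirror matters because a pickle can push the module and name strings once, memoize them, and fetch them back with `BINGET` before `STACK_GLOBAL`; a scanner that only looks at the two preceding string opcodes would miss that layout. It is still a lightweight approximation of the unpickler's stack machine, so a blocklist check of this kind belongs in front of, not instead of, loading models only from trusted sources or in a format without arbitrary callables.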