Package Instance

Picklescan failed to detect to some unsafe global function in Numpy library
An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited by import some built-in function in Numpy library that indrectly call some dangerous function like exec() to execute some python code as a parameter, which the attacker can import dangerous library inside like os library and execute arbitrary OS commands.

Picklescan vulnerable to Arbitrary File Writing
Picklescan has got open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files.

Picklescan missing detection when calling numpy.f2py.crackfortran.getlincoef
An unsafe deserialization vulnerability allows an attacker to execute arbitrary code on the host when loading a malicious pickle payload from an untrusted source.

Picklescan missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_cprofile
Using torch.utils.bottleneck.__main__.run_cprofile
function, which is a pytorch library function to execute remote pickle file.

Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.

### Original Description
An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.

Picklescan has a missing detection when calling built-in python trace.Trace.run
Using trace.Trace.run, which is a built-in python library function to execute remote pickle file.

Picklescan has a missing detection when calling built-in python profile.Profile.run
Using profile.Profile.run, which is a built-in python library function to execute remote pickle file.

Picklescan does not block ctypes
Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to
* Load DLLs
* Call C functions directly
* Manipulate memory raw pointers.

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.

This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval
Picklescan uses numpy.f2py.crackfortran.myeval, which is a function in numpy to execute remote pickle files.

Picklescan has a missing detection when calling built-in python trace.Trace.runctx
Using trace.Trace.runctx, which is a built-in python library function to execute remote pickle file.

picklescan has Arbitrary file read using `io.FileIO`
Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). 

When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.