picklescan - Remote Code Execution via torch.jit.unsupported_tensor_ops.execWrapper

An attacker crafts a malicious pickle file where the `__reduce__` method returns `torch.jit.unsupported_tensor_ops.execWrapper` as the callable, passing attacker-controlled code as arguments [ref_id=1]. The victim runs picklescan on the file, which reports it as safe because `execWrapper` is not in the dangerous-function list. When the victim subsequently calls `pickle.load()`, the `execWrapper` function executes the attacker's code, leading to remote code execution.

The vulnerability resides in picklescan's detection logic, which does not flag `torch.jit.unsupported_tensor_ops.execWrapper` as a dangerous reduce function. The advisory [ref_id=1] states that picklescan before version 0.0.28 fails to detect this PyTorch library function when it is used in a pickle file's `__reduce__` method.

The patch (picklescan 0.0.28) adds `torch.jit.unsupported_tensor_ops.execWrapper` to the list of dangerous functions that picklescan flags. This ensures that any pickle file whose `__reduce__` method returns this callable is detected as malicious before the file is loaded. The advisory [ref_id=1] does not include a diff, but the version bump from 0.0.27 to 0.0.28 is the published fix.

```python import torch.jit.unsupported_tensor_ops as unsupported_tensor_ops

class EvilTorchJitUnsupportedTensorOpsExecWrapper: def __reduce__(self): code = '__import__("os").system("whoami")' glob = {} loc = {} return unsupported_tensor_ops.execWrapper, (code, glob, loc) ``` The PoC from [ref_id=1] shows a class whose `__reduce__` method returns `execWrapper` with attacker-controlled code. When this object is pickled and later loaded via `pickle.load()`, the code executes.