MONAI Zip File Extraction Vulnerability Leading to Arbitrary File Overwrite
Vulnerability
A path traversal vulnerability allowing arbitrary file writes has been identified in MONAI (Medical Open Network for AI) versions through 1.5.0. The issue arises in the extractall function of the zipfile module, which MONAI uses to decompress archives. When a Zip file containing malicious content is extracted, it can overwrite system files. MONAI's functionality to download Zip content from the internet further broadens the potential for exploitation. As of now, no fixed versions are available.
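A defensive check for the extraction step described above, as an added example (not MONAI's code and not a fix from the project): every entry name is resolved against the destination and the archive is refused if any entry would land outside it. The helper names `escaping_members`, `safe_extractall` and `build_zip` are hypothetical, and the sample archives are constructed in memory.

```python
import io
import os
import stat
import tempfile
import zipfile


def escaping_members(zf, dest_dir):
    """Return names of entries that would land outside dest_dir (or are symlinks)."""
    root = os.path.realpath(dest_dir)
    bad = []
    for info in zf.infolist():
        # Zip entries use "/" but a hostile archive may also carry "\".
        name = info.filename.replace("\\", "/")
        # join() discards root when name is absolute, so that case is caught too.
        target = os.path.realpath(os.path.join(root, name))
        is_link = stat.S_ISLNK(info.external_attr >> 16)
        if is_link or os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad


def safe_extractall(archive, dest_dir):
    """Extract only if every entry resolves inside dest_dir; otherwise refuse."""
    with zipfile.ZipFile(archive) as zf:
        bad = escaping_members(zf, dest_dir)
        if bad:
            raise ValueError(f"refusing to extract, unsafe entries: {bad}")
        zf.extractall(dest_dir)
        return zf.namelist()


def build_zip(entries):
    """Constructed sample input: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_zip({"data/a.txt": b"ok", "../../outside.txt": b"x"})
    with tempfile.TemporaryDirectory() as dest, zipfile.ZipFile(sample) as zf:
        print(escaping_members(zf, dest))
```

The check runs before any entry is written, so a rejected archive leaves the destination directory untouched.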
Impact
Exploitation of this vulnerability allows for arbitrary file writes, with the potential to overwrite critical system files. If the extracted Zip file contains SSH keys or other sensitive information, it could lead to severe security breaches. The vulnerability could also disrupt system services by overwriting essential user files, causing operational failures.
Reproduction
To reproduce this vulnerability, create a malicious Zip file that includes harmful content, such as a file named 'malicious.txt' containing a simple message. Add a system file, like '/etc/passwd', to the Zip archive using a path traversal technique that navigates up the directory structure. After creating the Zip file, upload it to a server and use MONAI's download functionality to retrieve it. Once downloaded, the Zip file is extracted, and the malicious content is written to the root directory, demonstrating the arbitrary file overwrite vulnerability.
