The external command executed by the PathSanity script is vulnerable to OS command injection when the script is run on a crafted input file.
This allows an attacker to execute arbitrary commands on the victim's system.
Additional information
Impact
Arbitrary Code Execution
Caveats
The exploit sequence described below is somewhat unreliable. After working once, the PathSanity script tends to fail entirely until a new path is created. This appears to be a problem with the script itself and is not related to the security vulnerability.
Cause
The invocation of asciidoctor at PathSanity.py:467 builds its command line from unsanitized text taken from the input file (the job's Output File name). Because the command is invoked using os.system(), there is no separation between the command and its parameters: the whole string is handed to the OS shell, which evaluates quoting, globbing and command substitution, giving an attacker several ways to inject commands.
Proposed Mitigation
Use subprocess.Popen() (or subprocess.run()) with an argument list and shell=False instead of os.system(). The command is then separated from its parameters and no shell parses the filename, so substitution tricks such as the $(galculator) value demonstrated below reach asciidoctor as literal text. Passing shell=True, or joining the arguments back into a single command string, reintroduces the problem.
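The following is an added example, not code from FreeCAD or from the fix PR: it reconstructs the vulnerable os.system()-style pattern next to the argv-list form proposed above, with a Python one-liner standing in for asciidoctor so it runs offline, and adds a defence-in-depth sanity check on the stored filename that the report does not mention. The Output File values, the base directory and the function names are all constructed for the demonstration.

```python
import os
import re
import shlex
import subprocess
import sys

# Stand-in for asciidoctor: a Python one-liner that prints the argv it
# received, so the example runs offline without asciidoctor installed.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed sample values for the job's Output File field. The report uses
# ./$(galculator); the substitution below has the same shape but leaves
# visible evidence in the argument instead of launching a calculator.
BENIGN_OUTPUT_FILE = "./job1"
MALICIOUS_OUTPUT_FILE = "./$(echo INJECTED)"


def run_vulnerable(output_file):
    """Reconstruction of the vulnerable pattern (not PathSanity.py verbatim):
    the filename is interpolated into one command string that a shell parses.
    shell=True is used instead of os.system() only so stdout can be captured;
    the shell sees exactly the same string either way."""
    cmd = "{} {}.asciidoc".format(shlex.join(ECHO_ARGV), output_file)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def run_hardened(output_file):
    """Proposed fix: an argv list with shell=False. No shell ever sees the
    filename, so $(...) reaches the child process as literal characters."""
    argv = ECHO_ARGV + [output_file + ".asciidoc"]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.strip()


# Conservative character set for a filename read from an untrusted document.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def output_file_is_sane(output_file, base_dir):
    """Defence in depth on top of the argv fix (an added check, assumed here,
    not part of the report or the PR): restrict the characters of a filename
    taken from the document, refuse values that look like command-line
    options, and keep the resolved path inside the job's output directory."""
    if not SAFE_NAME.match(output_file) or output_file.startswith("-"):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, output_file))
    return os.path.commonpath([base, target]) == base


if __name__ == "__main__":
    for value in (BENIGN_OUTPUT_FILE, MALICIOUS_OUTPUT_FILE):
        print("os.system-style:", value, "->", run_vulnerable(value))
        print("argv list      :", value, "->", run_hardened(value))
        print("sanity check   :", value, "->",
              output_file_is_sane(value, "/tmp/cam-output"))
```

Running it shows the shell turning ./$(echo INJECTED).asciidoc into ./INJECTED.asciidoc before the child even starts, while the argv-list call delivers the string unchanged. The sanity check is separate from the injection fix: it is there because a filename that is safe for the shell can still be an option flag or a path outside the intended directory.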
Steps to reproduce
Attacker:
Start with an FCStd document with some content
Open the Path workbench
Create a new Path Job object using the toolbar and assign it to any model.
Edit the new Path Job; in the Output tab, set Output File to ./$(galculator)
Issue imported from https://tracker.freecad.org/view.php?id=4810
Original report text (identical to the description above; only the remaining steps to reproduce are kept here)
Victim:
Result: galculator is launched by FreeCAD.
Discussion from Mantis ticket
Comment by eldstal 2022-01-25 12:58
This vulnerability has been assigned CVE-2021-45845
Comment by sliptonic 2022-01-25 15:07
This was corrected with PR #5306. I think I used the 'fixes' tag wrong.
#5306
Comment by sliptonic 2022-01-25 15:09
#5306
Comment by Kunda1 2022-01-25 15:14
eldstal, that AppImage is now dated btw