
Security Vulnerability in PathSanity.py #6298

Closed
FreeCAD-Bug-Importer opened this issue Feb 7, 2022 · 2 comments
Labels: Mod: CAM (Related to the CAM/Path Workbench)

Comments

@FreeCAD-Bug-Importer (Collaborator)

Issue imported from https://tracker.freecad.org/view.php?id=4810

  • Reporter: eldstal
  • Date submitted: 12/23/2021
  • FreeCAD version: 0.2
  • Category: General
  • Status: resolved
  • Tags: Path, security

Original report text

An external command execution by the PathSanity script is vulnerable to OS command injection when applied to a crafted input file.

This allows an attacker to execute arbitrary commands on the victim's system.

Additional information

Impact
Arbitrary Code Execution

Caveats
The exploit sequence described above is somewhat unreliable. After working once, the PathSanity script tends to fail entirely until a new path is created. This appears to be a problem with the script itself, not related to the security vulnerability.

Cause
The invocation of asciidoctor at PathSanity.py:467 contains unsanitized text taken from the input file. Since the command is invoked using os.system(), there is no separation between command and parameter. Furthermore, the command is passed through the OS shell, which allows for more ways of injecting commands.

Proposed Mitigation
Use subprocess.Popen() instead of os.system(). This allows the command to be separated from its parameters, and prevents injection of shell commands using substitution methods (such as the $(galculator) trick demonstrated above).

Steps to reproduce

Attacker:

  1. Start with an FCStd document with some content
  2. Open the Path workbench
  3. Create a new Path Job object using the toolbar, assign it to any model.
  4. Edit the new Path Job; in the Output tab, set Output File to ./$(galculator)
  5. Save the document

Victim

  1. Open the evil document
  2. Open the Path workbench
  3. Run the Sanity check on the evil Path Job

Result: galculator is launched by FreeCAD.

FreeCAD Info

OS: Arch Linux (i3/i3)
Word size of FreeCAD: 64-bit
Version: 0.20.26683 (Git) AppImage
Build type: Release
Branch: (HEAD detached at 0388fbc)
Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
Python version: 3.9.7
Qt version: 5.12.9
Coin version: 4.0.0
OCC version: 7.5.3
Locale: English/United States (en_US)

Other bug information

  • Priority: normal
  • Severity: minor
  • Category: General
  • Platform: Linux
  • Updated: 1/25/2022

Discussion from Mantis ticket

Comment by eldstal 2022-01-25 12:58

This vulnerability has been assigned CVE-2021-45845


Comment by sliptonic 2022-01-25 15:07

This was corrected with PR #5306. I think I used the 'fixes' tag wrong.

#5306


Comment by sliptonic 2022-01-25 15:09

#5306


Comment by Kunda1 2022-01-25 15:14

eldstal that appimage is now dated btw
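
The difference between the os.system() call described under Cause and the argument-list approach under Proposed Mitigation, as an added example that is not FreeCAD's code and not what PR #5306 changed: the asciidoctor option list, the metacharacter set and the sample Output File value are assumptions or constructed, and a Python one-liner stands in for asciidoctor so the check runs offline.

```python
import subprocess
import sys

# Constructed sample value for the Path Job "Output File" field, as in the report.
CRAFTED_OUTPUT_FILE = "./$(galculator)"

# Characters /bin/sh treats specially (assumed set); a value containing any of
# them must never reach os.system() or shell=True unquoted.
SHELL_METACHARACTERS = set("$`;|&<>(){}*?\n'\"\\")


def contains_shell_metacharacters(value: str) -> bool:
    """Defensive check for document-supplied strings before they reach any command."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def vulnerable_command_string(outfile: str) -> str:
    """The os.system() pattern: one string, parsed by the shell, so $(...) is executed.
    Returned for inspection only; deliberately never passed to os.system() here."""
    return "asciidoctor " + outfile


def hardened_argv(outfile: str) -> list:
    """The subprocess pattern: each argument is its own list element and no shell
    is involved, so the child sees the text verbatim. Assumption: the real
    PathSanity option list is not on the page, so only the positional file is shown."""
    return ["asciidoctor", outfile]


def child_receives(arg: str) -> str:
    """Run a child with shell=False and return what it actually got as argv[1].
    A Python one-liner stands in for asciidoctor so this works on any machine."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("flagged:", contains_shell_metacharacters(CRAFTED_OUTPUT_FILE))
    print("argv:", hardened_argv(CRAFTED_OUTPUT_FILE))
    print("child got:", child_receives(CRAFTED_OUTPUT_FILE))
```

With shell=False the crafted value arrives in the child unchanged, so `$(galculator)` is just an odd file name rather than a command to run.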

@FreeCAD-Bug-Importer FreeCAD-Bug-Importer added the Mod: CAM Related to the CAM/Path Workbench label Feb 7, 2022
@sliptonic (Member)

Resolved by PR #5306

@luzpaz (Contributor) commented Feb 8, 2022

@sliptonic this was backported but hasn't been officially released as a minor release
