View Issue Details

ID: 0004809
Project: File formats
Category: Bug
View Status: public
Last Update: 2021-12-28 15:17
Reporter: eldstal
Assigned To: wmayer
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
Product Version: 0.20
Fixed in Version: 0.20
Summary: 0004809: Security vulnerability in DWG import when using ODA file converter
Description: When FreeCAD is configured to use the ODA file converter, a DWG file with a crafted filename is able to trigger a Remote Code Execution vulnerability.

This allows an attacker to execute arbitrary commands on the victim's system.
Steps To Reproduce:
1. Configure DWG import using the ODA file converter
2. Create and import the proof-of-concept file
The PoC is an empty file, which can be created using the following command:

touch '";galculator;ls ".dwg'

Change galculator to any shell command you wish to execute.

3. galculator is launched by FreeCAD during DWG import.
Additional Information:

Cause:
The first parameter to subprocess.call() at importDWG.py:225 contains unsanitized user input (the filename of the DWG file). By prematurely closing the quotes, the executed command line can be modified by an attacker.

Proposed mitigation:
subprocess.Popen() is a better option to invoke the converter, since the binary can be specified by FreeCAD separately from arguments. In addition, this bypasses the system shell.

A forum thread has been opened here.
Tags: DWG, file format, import, security

FreeCAD Information:
OS: Arch Linux (i3/i3)
Word size of FreeCAD: 64-bit
Version: 0.20.26683 (Git) AppImage
Build type: Release
Branch: (HEAD detached at 0388fbc)
Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
Python version: 3.9.7
Qt version: 5.12.9
Coin version: 4.0.0
OCC version: 7.5.3
Locale: English/United States (en_US)

Activities

eldstal (reporter), 2021-12-23 00:41
Attached file: dwg_oda_rce.zip (192 bytes)

eldstal (reporter), 2021-12-23 12:22, note ~0016129

A very similar vulnerability is also present in the corresponding output function, which also invokes ODA converter using subprocess.call().
This is less severe, since the attacker must control the output filename. Try exporting to one of these filenames to verify:
`galculator`.dwg
";galculator;ls ".dwg
$(galculator).dwg
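Added example (not FreeCAD's code, and not the fix in the linked commit) contrasting the two invocation patterns discussed in the report and in note ~0016129: a shell command string assembled from the filename, beside an argument list run without a shell. The converter path is a placeholder, and the ODA File Converter's positional argument order (input dir, output dir, version, type, recurse, audit, filter) is an assumption of this example.

```python
import json
import shlex
import subprocess
import sys

# Placeholder converter path; the positional argument order below
# (input dir, output dir, version, type, recurse, audit, filter) is an
# assumption for this example, not taken from FreeCAD's importDWG.py.
CONVERTER = "/path/to/ODAFileConverter"


def vulnerable_cmdline(converter, indir, outdir, basename):
    """Injectable pattern: one string handed to a shell via shell=True.
    A quote inside `basename` closes the quoted argument early, and the
    rest of the name is parsed by the shell as further commands."""
    return '"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"' % (
        converter, indir, outdir, basename)


def hardened_argv(converter, indir, outdir, basename):
    """Fixed pattern: one list element per argument, passed as a list to
    subprocess.Popen/run with shell=False. No shell ever sees the string,
    so the filename cannot split into extra words or commands."""
    return [converter, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]


def shell_tokens(cmdline):
    """Tokenise a command string as a POSIX shell would (';' is a
    separator), to show exactly where a crafted name breaks out."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def argv_seen_by_child(argv_tail):
    """Run a harmless child (this interpreter) with the argv list and
    return the arguments it actually received."""
    proc = subprocess.run(
        [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))"] + argv_tail,
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    crafted = '";galculator;ls ".dwg'  # the report's PoC filename
    print(shell_tokens(vulnerable_cmdline(CONVERTER, "/in", "/out", crafted)))
    print(argv_seen_by_child(hardened_argv(CONVERTER, "/in", "/out", crafted)[1:]))
```

The first print shows the shell splitting the string into separate commands after the empty `""` argument; the second shows the same filename reaching the child as one intact argument.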

wmayer (administrator), 2021-12-28 15:17, note ~0016131

https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6

Issue History

Date Modified Username Field Change
2021-12-23 00:41 eldstal New Issue
2021-12-23 00:41 eldstal Tag Attached: DWG
2021-12-23 00:41 eldstal Tag Attached: file format
2021-12-23 00:41 eldstal Tag Attached: import
2021-12-23 00:41 eldstal Tag Attached: security
2021-12-23 00:41 eldstal File Added: dwg_oda_rce.zip
2021-12-23 12:22 eldstal Note Added: 0016129
2021-12-23 12:24 eldstal Additional Information Updated
2021-12-23 17:54 eldstal Product Version 0.19 => 0.20
2021-12-28 15:17 wmayer Assigned To => wmayer
2021-12-28 15:17 wmayer Status new => closed
2021-12-28 15:17 wmayer Resolution open => fixed
2021-12-28 15:17 wmayer Fixed in Version => 0.20
2021-12-28 15:17 wmayer Note Added: 0016131