View Issue Details

ID | Project | Category | View Status | Last Update
0004809 | File formats | Bug | public | 2021-12-28 15:17
Reporter: eldstal
Assigned To: wmayer
Status: closed
Resolution: fixed
Product Version: 0.20
Fixed in Version: 0.20
Summary: 0004809: Security vulnerability in DWG import when using ODA file converter
Description
When FreeCAD is configured to use the ODA file converter, a DWG file with a crafted filename is able to trigger a Remote Code Execution vulnerability.

This allows an attacker to execute arbitrary commands on the victim's system.
Steps To Reproduce
1. Configure DWG import using the ODA file converter
2. Create and import the proof-of-concept file
The PoC is an empty file, which can be created using the following command:

touch '";galculator;ls ".dwg'

Change galculator to any shell command you wish to execute.

3. galculator is launched by FreeCAD during DWG import.
Additional Information
Cause
The first parameter to at contains unsanitized user input (the filename of the DWG file). By prematurely closing the quotes, the executed command line can be modified by an attacker.

Proposed mitigation:
subprocess.Popen() is a better option to invoke the converter, since the binary can be specified by FreeCAD separately from arguments. In addition, this bypasses the system shell.

A forum thread has been opened here.
Tags: DWG, file format, import, security
FreeCAD Information
OS: Arch Linux (i3/i3)
Word size of FreeCAD: 64-bit
Version: 0.20.26683 (Git) AppImage
Build type: Release
Branch: (HEAD detached at 0388fbc)
Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
Python version: 3.9.7
Qt version: 5.12.9
Coin version: 4.0.0
OCC version: 7.5.3
Locale: English/United States (en_US)
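As an added illustration of the cause and the proposed mitigation described in the report (example code, not FreeCAD's importer): the first function builds the kind of double-quoted shell string the report describes, a tokenizer lists the command separators a POSIX shell would see in it, and the argv-list form hands the same filename to the child process as a single argument. The converter path and the ODA argument order are assumptions, not taken from the report.

```python
import shlex
import subprocess
import sys
from pathlib import Path

# Assumptions, not taken from the report: the converter path and the ODA
# argument order (input dir, output dir, version, type, recurse, audit, filter).
ODA_CONVERTER = "/usr/bin/ODAFileConverter"
ODA_ARGS = ["ACAD2010", "DXF", "0", "1"]
CRAFTED_NAME = '";galculator;ls ".dwg'  # the filename from the report
SHELL_SEPARATORS = {";", ";;", "|", "||", "&", "&&", "|&"}

def shell_command_line(infile: str, outdir: str) -> str:
    """The os.system-style string the report describes: each value wrapped in
    double quotes and the whole line handed to /bin/sh. Built for inspection
    only; it is never executed here."""
    p = Path(infile)
    parts = [ODA_CONVERTER, str(p.parent), outdir, *ODA_ARGS, p.name]
    return " ".join(f'"{x}"' for x in parts)

def injected_separators(cmdline: str) -> list[str]:
    """Tokenise the line as a POSIX shell would and return the command
    separators found. A non-empty result means the filename closed its
    quotes early and the shell would run more than one command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_SEPARATORS]

def converter_argv(infile: str, outdir: str) -> list[str]:
    """The mitigated form: an argv list for subprocess.Popen()/run() with no
    shell in between, so the filename is always exactly one argument."""
    p = Path(infile)
    return [ODA_CONVERTER, str(p.parent), outdir, *ODA_ARGS, p.name]

def argv_passes_literally(name: str) -> str:
    """What a list-based call delivers to the child: the Python interpreter
    stands in for the converter and echoes back its first argument."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    infile, outdir = f"/tmp/{CRAFTED_NAME}", "/tmp/out"
    line = shell_command_line(infile, outdir)
    print("shell string:", line)
    print("separators the shell would see:", injected_separators(line))
    print("argv list:", converter_argv(infile, outdir))
    print("child received:", repr(argv_passes_literally(CRAFTED_NAME)))
```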

Attachment added 2021-12-23 00:41 by reporter (192 bytes)

2021-12-23 12:22

reporter   ~0016129

A very similar vulnerability is also present in the corresponding output function, which also invokes the ODA converter using
This is less severe, since the attacker must control the output filename. Try exporting to one of these filenames to verify:

";galculator;ls ".dwg


2021-12-28 15:17

administrator   ~0016131

Issue History

Date Modified Username Field Change
2021-12-23 00:41 eldstal New Issue
2021-12-23 00:41 eldstal Tag Attached: DWG
2021-12-23 00:41 eldstal Tag Attached: file format
2021-12-23 00:41 eldstal Tag Attached: import
2021-12-23 00:41 eldstal Tag Attached: security
2021-12-23 00:41 eldstal File Added:
2021-12-23 12:22 eldstal Note Added: 0016129
2021-12-23 12:24 eldstal Additional Information Updated
2021-12-23 17:54 eldstal Product Version 0.19 => 0.20
2021-12-28 15:17 wmayer Assigned To => wmayer
2021-12-28 15:17 wmayer Status new => closed
2021-12-28 15:17 wmayer Resolution open => fixed
2021-12-28 15:17 wmayer Fixed in Version => 0.20
2021-12-28 15:17 wmayer Note Added: 0016131