0004809: Security vulnerability in DWG import when using ODA file converter - FreeCAD Tracker

NOTICE: Migration to GitHub Issues

On Feb 7, 2022, the FreeCAD project migrated all issues from this site at tracker.freecad.org to our main GitHub repository. All new bugs must be submitted there.
This Mantis repository is in read-only mode and will be retained for reference as long as it is useful.

For details please see the announcement at the Forums: https://forum.freecadweb.org/viewtopic.php?p=555883#p555883

ID	Project	Category	View Status	Date Submitted	Last Update

0004809	File formats	Bug	public	2021-12-23 00:41	2021-12-28 15:17

Reporter	eldstal	Assigned To	wmayer
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Platform	Linux
Product Version	0.20
Fixed in Version	0.20

Summary	0004809: Security vulnerability in DWG import when using ODA file converter
Description	When FreeCAD is configured to use the ODA file converter, a DWG file with a crafted filename is able to trigger a Remote Code Execution vulnerability. This allows an attacker to execute arbitrary commands on the victim's system.
Steps To Reproduce	1. Configure DWG import using the ODA file converter 2. Create and import the proof-of-concept file The PoC is an empty file, which can be created using the following command: `touch '";galculator;ls ".dwg'` Change galculator to any shell command you wish to execute. 3. galculator is launched by FreeCAD during DWG import.
Additional Information	Cause The first parameter to subprocess.call() at importDWG.py:225 contains unsanitized user input (the filename of the DWG file). By prematurely closing the quotes, the executed command line can be modified by an attacker. Proposed mitigation: subprocess.Popen() is a better option to invoke the converter, since the binary can be specified by FreeCAD separately from arguments. In addition, this bypasses the system shell. A forum thread has been opened here.
Tags	DWG, file format, import, security

FreeCAD Information	OS: Arch Linux (i3/i3) Word size of FreeCAD: 64-bit Version: 0.20.26683 (Git) AppImage Build type: Release Branch: (HEAD detached at 0388fbc) Hash: 0388fbc98d49d874fb341b9037a743bc691d501f Python version: 3.9.7 Qt version: 5.12.9 Coin version: 4.0.0 OCC version: 7.5.3 Locale: English/United States (en_US)

eldstal 2021-12-23 00:41 reporter	dwg_oda_rce.zip (192 bytes)

eldstal 2021-12-23 12:22 reporter ~0016129	A very similar vulnerability is also present in the corresponding output function, which also invokes ODA converter using subprocess.call(). This is less severe, since the attacker must control the output filename. Try exporting to one of these filenames to verify: `galculator`.dwg ";galculator;ls ".dwg $(galculator).dwg

wmayer 2021-12-28 15:17 administrator ~0016131	https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6

Date Modified	Username	Field	Change
2021-12-23 00:41	eldstal	New Issue
2021-12-23 00:41	eldstal	Tag Attached: DWG
2021-12-23 00:41	eldstal	Tag Attached: file format
2021-12-23 00:41	eldstal	Tag Attached: import
2021-12-23 00:41	eldstal	Tag Attached: security
2021-12-23 00:41	eldstal	File Added: dwg_oda_rce.zip
2021-12-23 12:22	eldstal	Note Added: 0016129
2021-12-23 12:24	eldstal	Additional Information Updated
2021-12-23 17:54	eldstal	Product Version	0.19 => 0.20
2021-12-28 15:17	wmayer	Assigned To	=> wmayer
2021-12-28 15:17	wmayer	Status	new => closed
2021-12-28 15:17	wmayer	Resolution	open => fixed
2021-12-28 15:17	wmayer	Fixed in Version	=> 0.20
2021-12-28 15:17	wmayer	Note Added: 0016131