View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004809 | File formats | Bug | public | 2021-12-23 00:41 | 2021-12-28 15:17 |

Field | Value |
---|---|
Reporter | eldstal |
Assigned To | wmayer |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Platform | Linux |
Product Version | 0.20 |
Fixed in Version | 0.20 |
Summary | 0004809: Security vulnerability in DWG import when using ODA file converter |
Description | When FreeCAD is configured to use the ODA file converter, a DWG file with a crafted filename is able to trigger a Remote Code Execution vulnerability. This allows an attacker to execute arbitrary commands on the victim's system. |
Steps To Reproduce | 1. Configure DWG import using the ODA file converter. 2. Create and import the proof-of-concept file. The PoC is an empty file, which can be created using the following command: Change galculator to any shell command you wish to execute. 3. galculator is launched by FreeCAD during DWG import. |
Additional Information | Cause: The first parameter to subprocess.call() at importDWG.py:225 contains unsanitized user input (the filename of the DWG file). By prematurely closing the quotes, the executed command line can be modified by an attacker. Proposed mitigation: subprocess.Popen() is a better option to invoke the converter, since the binary can be specified by FreeCAD separately from arguments. In addition, this bypasses the system shell. A forum thread has been opened here. |
Tags | DWG, file format, import, security |
FreeCAD Information | OS: Arch Linux (i3/i3); Word size of FreeCAD: 64-bit; Version: 0.20.26683 (Git) AppImage; Build type: Release; Branch: (HEAD detached at 0388fbc); Hash: 0388fbc98d49d874fb341b9037a743bc691d501f; Python version: 3.9.7; Qt version: 5.12.9; Coin version: 4.0.0; OCC version: 7.5.3; Locale: English/United States (en_US) |
Note 0016129 (eldstal, 2021-12-23 12:22): A very similar vulnerability is also present in the corresponding output function, which also invokes ODA converter using subprocess.call(). This is less severe, since the attacker must control the output filename. Try exporting to one of these filenames to verify:
Note 0016131 (wmayer, 2021-12-28 15:17): https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6
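The cause and mitigation given under Additional Information, and the export-side variant described in the notes, as an added Python example that is not part of this report or of FreeCAD's code: the shell-string form is tokenised with shlex to show a quote in a constructed filename splitting one argument into two, and the argument-list form (shell=False) is run against a stand-in converter (the Python interpreter echoing its arguments) to show the same name arriving as one intact argument. The converter's argument order and the name ODAFileConverter are assumptions for illustration, not taken from importDWG.py.

```python
import shlex
import subprocess
import sys

# Constructed sample filename: the double quote closes the quoting that the
# shell-string form wraps around the path, so the name is no longer one token.
HOSTILE_NAME = 'part" "x.dwg'
# Assumed converter argument order (not from importDWG.py):
# <input> <output> <version> <type> <recurse> <audit>
CONVERTER_TAIL = ["ACAD2000", "DXF", "0", "1"]


def shell_string_tokens(converter, indir, outdir):
    """Vulnerable pattern from the report: paths interpolated into one string
    that the system shell parses. Tokenised with shlex instead of executed,
    to show how the shell would split it."""
    cmdline = '"%s" "%s" "%s" %s' % (converter, indir, outdir,
                                     " ".join(CONVERTER_TAIL))
    return shlex.split(cmdline)


def argv_form(converter_argv, indir, outdir):
    """Proposed mitigation: binary (as its own argv prefix) and arguments as a
    list, so no shell is involved and each path is exactly one argument."""
    return list(converter_argv) + [indir, outdir] + CONVERTER_TAIL


def run_converter(converter_argv, indir, outdir):
    """Run the converter with shell=False (subprocess default) and return the
    arguments exactly as the child received them (stand-in echoes them)."""
    proc = subprocess.run(argv_form(converter_argv, indir, outdir),
                          check=True, capture_output=True, text=True)
    return proc.stdout.rstrip("\r\n").split("\x1f")


# Stand-in converter: the Python interpreter printing its own arguments,
# joined with a unit separator so names containing spaces survive intact.
STAND_IN = [sys.executable, "-c",
            "import sys; print('\\x1f'.join(sys.argv[1:]))"]


def compare(indir=HOSTILE_NAME, outdir="/tmp/out"):
    """(tokens the shell would see, arguments the child actually received)."""
    return (shell_string_tokens("ODAFileConverter", indir, outdir),
            run_converter(STAND_IN, indir, outdir))


if __name__ == "__main__":
    shell_tokens, received = compare()
    print(len(shell_tokens), shell_tokens)  # 8 tokens: filename split in two
    print(len(received), received)          # 6 args: filename intact
```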
Date Modified | Username | Field | Change |
---|---|---|---|
2021-12-23 00:41 | eldstal | New Issue | |
2021-12-23 00:41 | eldstal | Tag Attached: DWG | |
2021-12-23 00:41 | eldstal | Tag Attached: file format | |
2021-12-23 00:41 | eldstal | Tag Attached: import | |
2021-12-23 00:41 | eldstal | Tag Attached: security | |
2021-12-23 00:41 | eldstal | File Added: dwg_oda_rce.zip | |
2021-12-23 12:22 | eldstal | Note Added: 0016129 | |
2021-12-23 12:24 | eldstal | Additional Information Updated | |
2021-12-23 17:54 | eldstal | Product Version | 0.19 => 0.20 |
2021-12-28 15:17 | wmayer | Assigned To | => wmayer |
2021-12-28 15:17 | wmayer | Status | new => closed |
2021-12-28 15:17 | wmayer | Resolution | open => fixed |
2021-12-28 15:17 | wmayer | Fixed in Version | => 0.20 |
2021-12-28 15:17 | wmayer | Note Added: 0016131 | |