View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004810 | Path | General | public | 2021-12-23 15:48 | 2022-01-25 15:14 |

| Field | Value |
|---|---|
| Reporter | eldstal |
| Assigned To | sliptonic |
| Priority | normal |
| Severity | minor |
| Reproducibility | sometimes |
| Status | resolved |
| Resolution | fixed |
| Platform | Linux |
| Product Version | 0.20 |
| Summary | 0004810: Security Vulnerability in PathSanity.py |

**Description**

An external command execution by the PathSanity script is vulnerable to OS command injection when applied to a crafted input file. This allows an attacker to execute arbitrary commands on the victim's system.

**Steps To Reproduce**

Attacker:

1. Start with an FCStd document with some content.
2. Open the Path workbench.
3. Create a new Path Job object using the toolbar, assign it to any model.
4. Edit the new Path Job; in the *Output* tab, set *Output File* to `./$(galculator)`.
5. Save the document.

Victim:

1. Open the evil document.
2. Open the Path workbench.
3. Run the Sanity check on the evil Path Job.

Result: galculator is launched by FreeCAD.

**Additional Information**

Impact: Arbitrary Code Execution

Caveats: The exploit sequence described above is somewhat unreliable. After working once, the PathSanity script tends to fail entirely until a new path is created. This appears to be a problem with the script itself, not related to the security vulnerability.

Cause: The invocation of asciidoctor at PathSanity.py:467 contains unsanitized text taken from the input file. Since the command is invoked using os.system(), there is no separation between command and parameter. Furthermore, the command is passed through the OS shell, which allows for more ways of injecting commands.

Proposed Mitigation: Use subprocess.Popen() instead of os.system(). This allows the command to be separated from its parameters, and prevents injection of shell commands using substitution methods (such as the $(galculator) trick demonstrated above).

**Tags**

Path, security

**FreeCAD Information**

- OS: Arch Linux (i3/i3)
- Word size of FreeCAD: 64-bit
- Version: 0.20.26683 (Git) AppImage
- Build type: Release
- Branch: (HEAD detached at 0388fbc)
- Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
- Python version: 3.9.7
- Qt version: 5.12.9
- Coin version: 4.0.0
- OCC version: 7.5.3
- Locale: English/United States (en_US)
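The cause and the proposed mitigation in the report, shown side by side as an added example that is not FreeCAD's code: `printf` stands in for asciidoctor, `$(echo injected)` is a constructed harmless stand-in for the crafted Output File value, and `subprocess.run(..., shell=True)` reproduces what `os.system()` does.

```python
import subprocess

# Constructed stand-in for the crafted "Output File" value from the report:
# a harmless echo replaces the program that the report's value would launch.
CRAFTED_OUTPUT_FILE = "./$(echo injected)"


def render_with_shell(output_file: str) -> str:
    """Vulnerable pattern (what os.system() does): the whole command line is
    handed to /bin/sh, so $(...) inside the filename is expanded by the shell
    before the converter ever sees its argument."""
    # printf stands in for asciidoctor; the filename is interpolated unsanitized,
    # exactly as the report describes for PathSanity.py.
    cmd = f"printf '%s' {output_file}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def render_with_argv(output_file: str) -> str:
    """Hardened pattern proposed in the report: command and parameters are
    separate argv elements and no shell is involved, so the filename reaches
    the program byte-for-byte, substitution syntax included."""
    argv = ["printf", "%s", output_file]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("shell:", render_with_shell(CRAFTED_OUTPUT_FILE))  # ./injected
    print("argv :", render_with_argv(CRAFTED_OUTPUT_FILE))   # ./$(echo injected)
```

Passing the value as its own argv element stops the shell from interpreting it; it does not stop the invoked program from reading a value that begins with `-` as an option, so validating the path (or placing `--` before it where the tool supports that) is the usual extra step.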
**Notes**

- This vulnerability has been assigned CVE-2021-45845
- This was corrected with PR #5306. I think I used the 'fixes' tag wrong. https://github.com/FreeCAD/FreeCAD/pull/5306
- https://github.com/FreeCAD/FreeCAD/pull/5306
- @eldstal that appimage is now dated btw
- This ticket has been migrated to GitHub as issue 6298.

Date Modified | Username | Field | Change |
---|---|---|---|
2021-12-23 15:48 | eldstal | New Issue | |
2021-12-23 15:48 | eldstal | Steps to Reproduce Updated | |
2021-12-23 15:56 | eldstal | Tag Attached: security | |
2021-12-23 15:56 | eldstal | Tag Attached: Path | |
2021-12-23 17:54 | eldstal | Product Version | 0.19 => 0.20 |
2021-12-28 22:36 | chennes | Project | File formats => Path |
2021-12-28 22:36 | chennes | Category | Bug => General |
2022-01-25 12:58 | eldstal | Note Added: 0016287 | |
2022-01-25 15:07 | sliptonic | Note Added: 0016292 | |
2022-01-25 15:09 | sliptonic | Assigned To | => sliptonic |
2022-01-25 15:09 | sliptonic | Status | new => resolved |
2022-01-25 15:09 | sliptonic | Resolution | open => fixed |
2022-01-25 15:09 | sliptonic | Note Added: 0016293 | |
2022-01-25 15:14 | Kunda1 | Note Added: 0016294 | |