When FreeCAD is configured to use the ODA file converter for DWG import, a DWG file with a crafted filename can inject shell commands and so achieve arbitrary code execution. The file can be delivered remotely, but a user must import it for the payload to run.
A ticket is open in the bug tracker, since I'm quite certain this needs patching.
Vulnerable Version
FreeCAD_weekly-builds-26683 and older
Steps to reproduce
1. Configure DWG import using the ODA file converter
2. Create and import the proof-of-concept file:
The PoC is an empty file; on a Linux system it can be created with the following command:
touch '";galculator;ls ".dwg'
3. `galculator` is launched by FreeCAD during DWG import.
Cause
The command string passed as the first parameter to subprocess.call() at importDWG.py:225 is built by interpolating unsanitized user input (the filename of the DWG file) and is then run through the system shell. A filename containing a double quote closes the quoted argument early, so the remainder of the name is parsed by the shell as further commands, and an attacker controls the executed command line.
Impact
Arbitrary code execution
Proposed Mitigation
Invoke the converter with the binary and each of its arguments passed as a list rather than as one formatted string. `subprocess.Popen()` (like `subprocess.call()` and `subprocess.run()`) accepts such a list, and with shell=False (the default) the filename reaches the converter as a single literal argument: the system shell is bypassed entirely, so no quoting or escaping of the filename is needed.
A similar flaw is present in the DWG export using the ODA file converter, but this is less serious, as the vector is the output filename, which the user chooses rather than receives from an attacker. To verify this, load any project and export it to a filename in one of these forms:
`galculator`.dwg
";galculator;ls ".dwg
$(galculator).dwg
This vulnerability is only exploitable through filenames: the name of an imported DWG file, or the name chosen on export. Until it is patched, be wary of importing files with shell metacharacters in their names: quotes, backslashes, backticks (`), dollar signs, semicolons, that sort of thing.
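The following is an added example, not code from this report or from FreeCAD, contrasting the flawed call shape described under Cause with the argument-list form proposed as mitigation; the same fix applies to the export path. It uses `echo` as a stand-in for the ODA converter binary (so the argument vector the converter receives is printed back) and `echo INJECTED` in place of galculator so the injection is observable in stdout. The converter's argument layout, the output directory and the PoC filename are constructed for illustration, and the vulnerable form expects a POSIX shell.

```python
import subprocess

# Constructed PoC filename mirroring the one in the report: the leading quote
# closes the converter's quoted argument, ";echo INJECTED;" runs an attacker
# command, and the trailing quote re-opens a string so the rest of the line
# still parses. "echo INJECTED" stands in for galculator.
MARKER = "INJECTED"
CRAFTED_NAME = '";echo ' + MARKER + ';ls ".dwg'

# Stand-in for the ODA converter binary: echo prints the argument vector it
# actually received, which is exactly what we want to inspect.
CONVERTER = "echo"


def vulnerable_convert(converter, infile, outdir):
    """Assumed shape of the flawed call: one formatted string handed to the
    system shell via shell=True. The filename is interpolated unescaped, so
    the shell re-parses it. (Argument layout is illustrative only, not the
    converter's real interface.)"""
    cmd = '%s "%s" "%s" ACAD2018 DXF 0 1' % (converter, infile, outdir)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def hardened_convert(converter, infile, outdir):
    """Fixed form: argv list, shell=False (the default). Each element reaches
    the child as one literal argument; nothing is parsed for quotes or
    metacharacters and nothing but `converter` itself is executed."""
    args = [converter, infile, outdir, "ACAD2018", "DXF", "0", "1"]
    return subprocess.run(args, capture_output=True, text=True)


def injected_command_ran(result):
    """True if the injected `echo INJECTED` executed as its own command, i.e.
    MARKER appears as a whole line of output rather than embedded inside the
    literal filename echoed back by the stand-in converter."""
    return MARKER in result.stdout.splitlines()


def suspicious_filename(name):
    """Defense in depth only (the real fix is hardened_convert): flag the
    characters the report warns about plus the other shell metacharacters
    that matter. A clean-looking name does not make shell=True safe."""
    return any(c in name for c in '"\'`$\\;|&<>()\n')


if __name__ == "__main__":
    outdir = "/tmp/odaconv-out"  # constructed path; never created or read here
    vuln = vulnerable_convert(CONVERTER, CRAFTED_NAME, outdir)
    safe = hardened_convert(CONVERTER, CRAFTED_NAME, outdir)
    print("shell=True  injected command ran:", injected_command_ran(vuln))
    print("argv list   injected command ran:", injected_command_ran(safe))
    print("argv list   converter received  :", safe.stdout.rstrip())
    print("filename flagged as suspicious   :", suspicious_filename(CRAFTED_NAME))
```

With shell=True the crafted name splits the line into three shell commands (an empty `echo`, the injected `echo INJECTED`, and a failing `ls`); with the list form the converter receives the whole name, quotes and all, as its first argument. The backtick and `$(...)` forms shown for the export case are expanded by the shell in exactly the same way under shell=True and are equally inert as a list element.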
Version information
OS: Arch Linux (i3/i3)
Word size of FreeCAD: 64-bit
Version: 0.20.26683 (Git) AppImage
Build type: Release
Branch: (HEAD detached at 0388fbc)
Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
Python version: 3.9.7
Qt version: 5.12.9
Coin version: 4.0.0
OCC version: 7.5.3
Locale: English/United States (en_US)