View Issue Details

IDProjectCategoryView StatusLast Update
0004810PathGeneralpublic2022-01-25 15:14
Reportereldstal Assigned Tosliptonic  
Status resolvedResolutionfixed 
Product Version0.20 
Summary0004810: Security Vulnerability in
DescriptionAn external command execution by the PathSanity script is vulnerable to OS command injection when applied to a crafted input file.

This allows an attacker to execute arbitrary commands on the victim's system.
Steps To ReproduceAttacker:
1. Start with an FCStd document with some content
2. Open the Path workbench
3. Create a new Path Job object using the toolbar, assign it to any model.
4. Edit the new Path Job, in the [i]Output[i] tab, set [i]Output File[i] to ./$(galculator)
5. Save the document

1. Open the evil document
2. Open the Path workbench
3. Run the Sanity check on the evil Path Job

Result: galculator is launched by FreeCAD.
Additional InformationImpact
Arbitrary Code Execution

The exploit sequence described above is somewhat unreliable. After working once, the PathSanity script tends to fail entirely until a new path is created. This appears to be a problem with the script itself, not related to the security vulnerability.

The invocation of asciidoctor at contains unsanitized text taken from the input file. Since the command is invoked using os.system(), there is no separation between command and parameter. Furthermore, the command is passed through the OS shell, which allows for more ways of injecting commands.

Proposed Mitigation
Use subprocess.Popen() instead of os.system(). This allows the command to be separated from its parameters, and prevents injection of shell commands using substitution methods (such as the $(galculator) trick demonstrated above.
TagsPath, security
FreeCAD InformationOS: Arch Linux (i3/i3)
Word size of FreeCAD: 64-bit
Version: 0.20.26683 (Git) AppImage
Build type: Release
Branch: (HEAD detached at 0388fbc)
Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
Python version: 3.9.7
Qt version: 5.12.9
Coin version: 4.0.0
OCC version: 7.5.3
Locale: English/United States (en_US)



2022-01-25 12:58

reporter   ~0016287

This vulnerability has been assigned CVE-2021-45845


2022-01-25 15:07

manager   ~0016292

This was corrected with PR #5306. I think I used the 'fixes' tag wrong.


2022-01-25 15:09

manager   ~0016293


2022-01-25 15:14

administrator   ~0016294

@eldstal that appimage is now dated btw

Issue History

Date Modified Username Field Change
2021-12-23 15:48 eldstal New Issue
2021-12-23 15:48 eldstal Steps to Reproduce Updated
2021-12-23 15:56 eldstal Tag Attached: security
2021-12-23 15:56 eldstal Tag Attached: Path
2021-12-23 17:54 eldstal Product Version 0.19 => 0.20
2021-12-28 22:36 chennes Project File formats => Path
2021-12-28 22:36 chennes Category Bug => General
2022-01-25 12:58 eldstal Note Added: 0016287
2022-01-25 15:07 sliptonic Note Added: 0016292
2022-01-25 15:09 sliptonic Assigned To => sliptonic
2022-01-25 15:09 sliptonic Status new => resolved
2022-01-25 15:09 sliptonic Resolution open => fixed
2022-01-25 15:09 sliptonic Note Added: 0016293
2022-01-25 15:14 Kunda1 Note Added: 0016294