PrusaSlicer 2.6.1 Arbitrary Code Execution

2024.04.15
Credit: Kamil Brenski
Risk: High
Local: No
Remote: Yes
CVE: CVE-2023-47268
CWE: N/A

# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export # Date: 16/01/2024 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.prusa3d.com # Software Link: https://github.com/prusa3d/PrusaSlicer # Version: PrusaSlicer up to and including version 2.6.1 # Tested on: Windows and Linux # CVE: CVE-2023-47268 ========================================================================================== 1.) 3mf Metadata extension ========================================================================================== PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way. ========================================================================================== 2.) PoC ========================================================================================== For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file: ``` ; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #" ``` Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code. For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry: ``` ; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) " ```


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top