Coordinated Disclosure Timeline
- 12/15/2020: Reported to david.pinney@nreca.coop
- 03/15/2021: Disclosure deadline reached.
- 04/14/2021: Publication as per our disclosure policy.
Summary
A Command Injection vulnerability has been found in Open Modeling Framework (OMF).
Product
https://github.com/dpinney/omf
Tested Version
Latest commit at the time of reporting (December 15, 2020).
Details
If an attacker manages to send a POST request to /rawImport/<owner>, they will be able to inject their own shell command by controlling the networkNameR form field.
This only seems to require 2 things (see request setup):
- Attacker is logged in.
- Attacker is using their username as <owner> in the URL (see write_permission_function and User.cu()).
Form field networkNameR is turned into a path here, and is then passed as the inputStr argument to _rawToMat after a few steps. Since True is passed to the filePath argument, we make the assignment rawfile_name = inputStr, and then use rawfile_name in a subprocess.Popen call which has shell=True.
An attacker should be able to use a payload like ' --bad-arg-that-will-hopefully-error-octave-cli || my-evil-shellcode # as an exploit (a file is saved using this path, which should not be a problem).
Note that the Windows version of this call should also be vulnerable.
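The data flow described above, as an added example that is not part of the original report or of the OMF code base: a minimal reconstruction of the shell=True pattern beside a hardened version. The octave-cli command line, the import directory and the function names (vulnerable_command, shell_words, safe_argv, run_import) are assumptions; the advisory only states that networkNameR becomes a path that reaches subprocess.Popen with shell=True.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Constructed values (assumptions, not from the OMF code): the advisory only
# says that networkNameR becomes a path that reaches
# subprocess.Popen(..., shell=True) and that octave-cli is on the command line.
OCTAVE = "octave-cli"
IMPORT_DIR = Path("/tmp/omf-import")

# Allowlist for the user-supplied network name: no quotes, spaces, '/' or
# other shell metacharacters can pass.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def vulnerable_command(network_name: str) -> str:
    """The pattern the advisory describes: the form field becomes a path
    (rawfile_name = inputStr) and is interpolated into one string that is then
    handed to subprocess.Popen(cmd, shell=True).  Returned instead of executed
    so the injection boundary can be inspected."""
    rawfile_name = str(IMPORT_DIR / network_name)
    return f"{OCTAVE} --eval 'load(\"{rawfile_name}\")'"


def shell_words(cmd: str) -> list:
    """Tokenise a command string the way a POSIX shell would (quotes honoured,
    '#' starts a comment).  Any '||', ';' or '&&' that shows up as its own
    word came from the user, not from the application."""
    return shlex.split(cmd, comments=True)


def safe_argv(network_name: str) -> list:
    """Hardened form: validate the field against the allowlist, keep the file
    inside the import directory, and return an argv list for shell=False so
    no shell ever re-parses the user's input."""
    if not SAFE_NAME.match(network_name):
        raise ValueError("invalid network name")
    rawfile = (IMPORT_DIR / network_name).resolve()
    if rawfile.parent != IMPORT_DIR.resolve():
        raise ValueError("path escapes the import directory")
    return [OCTAVE, "--eval", f'load("{rawfile}")']


def run_import(network_name: str) -> subprocess.CompletedProcess:
    """shell=False (the default): the argv list reaches execve unchanged."""
    return subprocess.run(safe_argv(network_name), capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed input that closes the quoted path in the vulnerable string;
    # harmless here because nothing is executed.
    payload = "x' || echo injected #"
    print(shell_words(vulnerable_command(payload)))
    try:
        safe_argv(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

shell_words shows why the interpolated string is dangerous: once the user's value contains a closing quote, the `||` and everything after it become separate shell words. The hardened path never gives the shell a chance to split anything, since the list form is passed to execve (or CreateProcess on Windows) directly, and the allowlist keeps quote characters out of the string that Octave itself will parse.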
Impact
Remote code execution
Resources
For testing purposes, you can create your own account at https://www.omf.coop/
Credit
This issue was discovered and reported by the CodeQL Python team.
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-339 in any communication regarding this issue.