skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
April 13, 2021

GHSL-2020-339: Command Injection vulnerability in OMF

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

A Command Injection vulnerability has been found in Open Modeling Framework (OMF)

Product

https://github.com/dpinney/omf

Tested Version

Latest commit at the time of reporting (December 15, 2020).

Details

The whole data-flow can be seen on https://lgtm.com/projects/g/dpinney/omf/snapshot/aea8eee06554459da562b4afa10a2635b1435fe3/files/omf/network.py?sort=name&dir=ASC&mode=heatmap#xca129c3bea89f223:1 – I will try to highlight the important parts

If an attacker manages to send a POST request to /rawImport/<owner>, they will be able to inject their own shell command by controlling the networkNameR form field.

This only seems to require 2 things (see request setup)

  1. Attacker is logged in

  2. Attacker is using its username as <owner> in the URL. (see write_permission_function and User.cu())

Form field networkNameR is turned into a path here, and is then passed as the inputStr argument to _rawToMat after a few steps. Since True is passed to the filePath argument, we make the assignment rawfile_name = inputStr, and then use rawfile_name in a subprocess.Popen call which has shell=True.

Attacker should be able to use a payload like ' --bad-arg-that-will-hopefully-error-octave-cli || my-evil-shellcode # as an exploit. (a file is saved using this path, which should not be a problem).

Notice that the windows version of this call should also be vulnerable.

Impact

Remote code execution

Resources

For testing purposes, you can create your own account at https://www.omf.coop/

Credit

This issue was discovered and reported by the CodeQL Python team.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-339 in any communication regarding this issue.