Coordinated Disclosure Timeline
- 12/15/2020: Reported to email@example.com
- 03/15/2021: Disclosure deadline reached.
- 04/14/2021: Publication as per our disclosure policy.
A Command Injection vulnerability has been found in the Open Modeling Framework (OMF).
Latest commit at the time of reporting (December 15, 2020).
The whole data flow can be seen on https://lgtm.com/projects/g/dpinney/omf/snapshot/aea8eee06554459da562b4afa10a2635b1435fe3/files/omf/network.py?sort=name&dir=ASC&mode=heatmap#xca129c3bea89f223:1; the important parts are highlighted below.
If an attacker manages to send a POST request to /rawImport/<owner>, they will be able to inject their own shell command by controlling the networkNameR form field.
This appears to require only two things (see request setup):
- Attacker is logged in
networkNameR is turned into a path here, and is then passed as the inputStr argument to _rawToMat after a few steps. Since True is passed to the filePath argument, we make the assignment `rawfile_name = inputStr`, and then use rawfile_name in a subprocess.Popen call which has
An attacker should be able to use a payload like `' --bad-arg-that-will-hopefully-error-octave-cli || my-evil-shellcode #` as an exploit (a file is saved using this path, which should not be a problem).
Notice that the Windows version of this call should also be vulnerable.
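The flow described above, reconstructed as an added example that is not code from omf/network.py: a shell-string build of the octave-cli call in the shape the advisory's payload assumes, run through the shell to show the injected command executing, beside a hardened form that allow-lists the networkNameR value, pins the resulting path under an upload directory, and hands subprocess an argv list with no shell. The exact command line, the upload directory, and the function names are assumptions; the payload is a benign stand-in that echoes a marker instead of running shellcode.

```python
import re
import subprocess
from pathlib import Path

# Assumption: OMF's real octave-cli command line is not reproduced here. The
# shape below is chosen so the advisory's payload (a leading quote, then `||`,
# then `#`) applies to it, which is all the demonstration needs.
OCTAVE_CMD = "octave-cli"
UPLOAD_DIR = Path("/tmp/omf-demo-uploads")  # assumed storage location

# Benign stand-in for the advisory's payload: the first `'` closes the quoted
# path, `||` runs a second command once octave-cli fails (or is missing), and
# `#` turns the trailing quote into a comment.
PAYLOAD = "' --bad-arg || echo INJECTED #"


def vulnerable_command(rawfile_name: str) -> str:
    """Mirror the flaw: the attacker-controlled path is spliced into one string
    that a shell will parse (the Popen(..., shell=True) pattern)."""
    return f"{OCTAVE_CMD} --no-gui '{rawfile_name}'"


def run_vulnerable(rawfile_name: str) -> str:
    """Run the string through /bin/sh exactly as a shell=True Popen would and
    return stdout. With PAYLOAD the `echo INJECTED` branch executes."""
    proc = subprocess.run(
        vulnerable_command(rawfile_name),
        shell=True, capture_output=True, text=True,
    )
    return proc.stdout.strip()


# --- hardened form ----------------------------------------------------------

# Allow-list: a leading alphanumeric, then up to 63 of [A-Za-z0-9_.-]. No
# quotes, spaces, shell operators or path separators can get through.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def safe_rawfile_path(network_name: str, base_dir: Path = UPLOAD_DIR) -> Path:
    """Validate the form field before any path is built, then confirm the
    resolved file still sits directly under base_dir."""
    if not NAME_RE.fullmatch(network_name):
        raise ValueError(f"invalid network name: {network_name!r}")
    path = (base_dir / f"{network_name}.raw").resolve()
    if path.parent != base_dir.resolve():
        raise ValueError("path escapes upload directory")
    return path


def safe_argv(network_name: str) -> list:
    """Build an argv list for Popen without a shell: each element reaches the
    program verbatim, so quoting and operators are never interpreted."""
    return [OCTAVE_CMD, "--no-gui", str(safe_rawfile_path(network_name))]


def is_rejected(network_name: str) -> bool:
    """True when the hardened path builder refuses the value."""
    try:
        safe_rawfile_path(network_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(PAYLOAD))   # INJECTED
    print("hardened  :", safe_argv("ieee37"))
    print("rejected  :", is_rejected(PAYLOAD), is_rejected("../etc/passwd"))
```

The vulnerable path prints INJECTED whether or not octave-cli is installed, since a missing binary and a rejected `--bad-arg` both leave a non-zero status for `||` to act on. The argv-list form is the fix on Windows as well: with shell=True the same string goes to cmd.exe, which also honours `||` and `&`, whereas a list bypasses the command interpreter entirely.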
Remote code execution
For testing purposes, you can create your own account at https://www.omf.coop/
This issue was discovered and reported by the CodeQL Python team.
You can contact the GHSL team at firstname.lastname@example.org; please include GHSL-2020-339 in any communication regarding this issue.