Vulners
Lucene search
PrusaSlicer 2.6.1 - Arbitrary code execution
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | PrusaSlicer 2.6.1 - Arbitrary code execution Vulnerability | 12 Apr 202400:00 | – | zdt |
 | CVE-2023-47268 | 8 May 202600:00 | – | attackerkb |
 | PrusaSlicer 安全漏洞 | 15 Apr 202400:00 | – | cnnvd |
 | CVE-2023-47268 | 8 May 202600:00 | – | cve |
 | CVE-2023-47268 | 8 May 202600:00 | – | cvelist |
 | CVE-2023-47268 | 8 May 202600:00 | – | debiancve |
 | EUVD-2023-51398 | 8 May 202606:32 | – | euvd |
 | CVE-2023-47268 | 8 May 202606:16 | – | nvd |
 | DEBIAN-CVE-2023-47268 | 8 May 202606:16 | – | osv |
 | PrusaSlicer 2.6.1 Arbitrary Code Execution | 15 Apr 202400:00 | – | packetstorm |
10
# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268
==========================================================================================
1.) 3mf Metadata extension
==========================================================================================
PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.
==========================================================================================
2.) PoC
==========================================================================================
For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:
```
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"
```
Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.
For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:
```
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "
```Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Apr 2024 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.15.3
EPSS0.00072
SSVC