Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKamil BrenskiPACKETSTORM:178053
HistoryApr 15, 2024 - 12:00 a.m.

PrusaSlicer 2.6.1 Arbitrary Code Execution

2024-04-1500:00:00
Kamil Brenski
packetstormsecurity.com
67
prusaslicer
arbitrary code execution
3mf metadata
project settings
post-processing script
windows
linux
cve-2023-47268

7.4 High

AI Score

Confidence

Low

JSON
`# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export  
# Date: 16/01/2024  
# Exploit Author: Kamil BreΕ„ski  
# Vendor Homepage: https://www.prusa3d.com  
# Software Link: https://github.com/prusa3d/PrusaSlicer  
# Version: PrusaSlicer up to and including version 2.6.1  
# Tested on: Windows and Linux  
# CVE: CVE-2023-47268  
  
==========================================================================================  
1.) 3mf Metadata extension  
==========================================================================================  
  
PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.  
  
==========================================================================================  
2.) PoC  
==========================================================================================  
  
For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:  
  
```  
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"  
```  
  
Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.  
  
For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:  
  
```  
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "  
```  
  
`

Related

exploitdb 1
zdt 1
exploitdb
exploitdb
PrusaSlicer 2.6.1 - Arbitrary code execution
2024-04-12 00:00:00
zdt
zdt
PrusaSlicer 2.6.1 - Arbitrary code execution Vulnerability
2024-04-12 00:00:00

7.4 High

AI Score

Confidence

Low

JSON
Related for PACKETSTORM:178053
exploitdb1zdt1