[KOR] OpenCPN Launcher Plugin - Command Injection Vulnerability via User-defined Command Execution
Vulnerability Title: OpenCPN Launcher Plugin - Command Injection via User-defined Command Execution
Vulnerability Summary: The Launcher Plugin in OpenCPN executes user-defined commands by directly passing them to the system shell without proper filtering. This allows attackers to inject arbitrary shell metacharacters and execute unintended commands, resulting in a Command Injection vulnerability.
Vendor: GitHub Open Source Project
Software Name: OpenCPN
Version: OpenCPN 5.12.0, Launcher Plugin v1.3.5
Software Type: ECS (Electronic Chart System)
Attack Type: Command Injection
Impact: Arbitrary Code Execution
Vulnerable File Name: launcher_pi.cpp (nohal/launcher_pi.cpp)
Vulnerable Function Name: LauncherUIDialog::OnBtnClick
Vulnerable Parameter: wxExecute(cmd, wxEXEC_ASYNC)
Vulnerable Environment: Windows
Proof of Concept:
The following code in the OpenCPN Launcher Plugin demonstrates the command being executed through the shell without any filtering:
void LauncherUIDialog::OnBtnClick(wxCommandEvent& event) {
    LauncherButton* button = (LauncherButton*)event.GetEventObject();
    if (m_hide_on_btn)
        this->Hide();
    wxString cmd = button->GetCommand();
    if (cmd.StartsWith(_T("KBD:"))) {
        SendKbdEvents(cmd);
    } else {
        cmd.Replace(_T("%BOAT_LAT%"), wxString::Format(_T("%f"), m_Lat));
        cmd.Replace(_T("%BOAT_LON%"), wxString::Format(_T("%f"), m_Lon));
        cmd.Replace(_T("%BOAT_SOG%"), wxString::Format(_T("%f"), m_Sog));
        cmd.Replace(_T("%BOAT_COG%"), wxString::Format(_T("%f"), m_Cog));
        cmd.Replace(_T("%BOAT_VAR%"), wxString::Format(_T("%f"), m_Var));
        cmd.Replace(_T("%BOAT_FIXTIME%"), wxString::Format(_T("%d"), m_FixTime));
        cmd.Replace(_T("%BOAT_NSATS%"), wxString::Format(_T("%d"), m_nSats));
        wxExecute(cmd, wxEXEC_ASYNC);
    }
    event.Skip();
}
Because the command is passed directly to the shell, shell metacharacters (e.g., & and |) can be injected to chain and execute multiple arbitrary commands.
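One way to close this gap, shown as an added example that is not code from OpenCPN or the Launcher Plugin: split the configured command into tokens, expand the %BOAT_*% placeholders per token, and refuse any token that carries a shell metacharacter. The names BuildArgv, Expand, kShellMeta and logpos.exe are hypothetical, the metacharacter list is an assumption, and the sketch assumes commands without quoted arguments or spaces in paths.

```cpp
// Added example (not OpenCPN / launcher_pi code): build an argv vector from a
// launcher command and reject shell metacharacters instead of running a string.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Control characters for cmd.exe or a POSIX shell (assumed list for this sketch).
static const std::string kShellMeta = "&|;<>^`$()\r\n\"'";

// Replace every occurrence of each placeholder (e.g. %BOAT_LAT%) in one token.
static std::string Expand(std::string tok,
                          const std::map<std::string, std::string>& vars) {
  for (const auto& kv : vars) {
    std::string::size_type pos = tok.find(kv.first);
    while (pos != std::string::npos) {
      tok.replace(pos, kv.first.size(), kv.second);
      pos = tok.find(kv.first, pos + kv.second.size());  // skip inserted value
    }
  }
  return tok;
}

// Split on whitespace, expand placeholders per token, and fail closed if any
// resulting argument contains a metacharacter. Returns false (argv emptied)
// when the command must not be executed.
bool BuildArgv(const std::string& cmd,
               const std::map<std::string, std::string>& vars,
               std::vector<std::string>& argv) {
  argv.clear();
  std::istringstream in(cmd);
  for (std::string tok; in >> tok;) {
    const std::string arg = Expand(tok, vars);
    if (arg.find_first_of(kShellMeta) != std::string::npos) {
      argv.clear();
      return false;
    }
    argv.push_back(arg);
  }
  return !argv.empty();  // hand argv to an argv-style process API, not a shell
}

int main() {
  std::map<std::string, std::string> vars;
  vars["%BOAT_LAT%"] = "59.437000";  // constructed sample value
  std::vector<std::string> argv;
  bool ok = BuildArgv("logpos.exe --lat=%BOAT_LAT% & other.exe", vars, argv);
  std::cout << (ok ? "run" : "rejected") << "\n";
}
```

wxWidgets also offers an argv-array overload of wxExecute, so the validated vector can be passed as separate arguments rather than re-joined into one command string.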