Hello everyone!

Today, I want to discuss a vulnerability that was recently discovered in Stellarium, a popular open-source planetarium application. The vulnerability affects Stellarium versions up to and including 1.2 and has been assigned the identifier CVE-2023-28371. In this post, I will give an overview of the vulnerability, share a code snippet that demonstrates the issue, and provide links to the original references.

Vulnerability Overview

Let's start by understanding the vulnerability. CVE-2023-28371 is a path traversal vulnerability, which allows an attacker to reach files and directories that the application never intended to expose. The issue arises because Stellarium does not correctly validate user input that is used as a file pathname. As a result, an attacker can craft input containing an absolute pathname or '..' directory traversal sequences, causing Stellarium to write to unintended files.

This can lead to various nefarious outcomes, such as unauthorized access to sensitive information, corruption of system files, and compromise of underlying systems or services.

To understand the vulnerability further, let's take a look at the code snippet below:

#include <iostream>
#include <fstream>
#include <string>

// Writes `contents` to `path` exactly as supplied. The pathname is never
// validated, which is the root cause of the traversal issue discussed here.
bool saveFile(const std::string &path, const std::string &contents)
{
    std::ofstream file(path);
    if (!file)
    {
        std::cerr << "Error opening file: " << path << std::endl;
        return false;
    }

    file << contents;
    file.close();
    return true;
}

int main(int argc, char *argv[])
{
    if (argc != 3)
    {
        std::cerr << "Usage: " << argv[0] << " <file_path> <contents>" << std::endl;
        return 1;
    }

    // Both values come straight from the command line with no checks.
    std::string path(argv[1]);
    std::string contents(argv[2]);

    return saveFile(path, contents) ? 0 : 1;
}

This is a simplified version of the code that demonstrates the issue. As you can see, the saveFile function takes a file pathname and contents as arguments and writes the contents to the specified file. However, it performs no validation on the pathname, so the caller can supply an arbitrary file path, which is exactly what a path traversal attack relies on.

For example, executing the program with the following arguments would write the supplied contents to a system file rather than to one of the application's own data files:

$ ./stellarium_savefile /etc/passwd "This is a test"
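The fix for this class of bug is to anchor every user-supplied name to an allowed base directory and reject anything that escapes it. The following is an added example written for this post, not Stellarium's own code; the function names and the /srv/stellarium base directory are assumptions. It handles absolute input, plain '..' sequences and mixed forms such as a/../../x.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <string>

namespace fs = std::filesystem;

// Resolve a user-supplied relative path against an allowed base directory.
// Succeeds only if the lexically normalised result lies strictly inside
// `base`; absolute input, "..", and "a/../../x" style escapes are rejected.
// This is a lexical check and does not follow symlinks; if the base directory
// may contain symlinks, also compare fs::weakly_canonical() of both paths.
bool resolveWithinBase(const fs::path &base, const std::string &userPath, fs::path &out)
{
    if (userPath.empty())
        return false;
    fs::path candidate(userPath);
    if (candidate.is_absolute())            // everything must be relative to base
        return false;

    fs::path normBase = fs::absolute(base).lexically_normal();
    if (normBase.filename().empty())        // drop a trailing separator
        normBase = normBase.parent_path();

    fs::path joined = (normBase / candidate).lexically_normal();
    if (joined.filename().empty())          // "." or "dir/" names a directory, not a file
        return false;

    // The base's components must be an exact prefix of the result, and the
    // result must be longer than the base itself.
    auto mm = std::mismatch(normBase.begin(), normBase.end(), joined.begin(), joined.end());
    if (mm.first != normBase.end() || mm.second == joined.end())
        return false;

    out = joined;
    return true;
}

// Hardened counterpart of saveFile above: writes only inside baseDir
// (hypothetical helper, not part of Stellarium).
bool saveFileSafely(const fs::path &baseDir, const std::string &userPath, const std::string &contents)
{
    fs::path target;
    if (!resolveWithinBase(baseDir, userPath, target))
        return false;
    std::ofstream file(target);
    if (!file)
        return false;
    file << contents;
    return static_cast<bool>(file);
}
```

With this in place the earlier invocation targeting /etc/passwd is refused before any file is opened, and a log line at that rejection point is a cheap detection signal.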

Exploit Details

To exploit this vulnerability, an attacker would need a way to control the input that ends up in the file path, for example through social engineering or another attack vector. Once that input is under their control, they can craft it to manipulate the file path, as demonstrated in the code snippet above.

The risk of this vulnerability depends on the specific environment in which Stellarium is being used. In some scenarios, an attacker might gain unauthorized access to sensitive information or cause a denial of service by corrupting critical system files. However, the impact of this vulnerability can likely be mitigated by ensuring that the software runs with minimal privileges.

References

1. NVD - CVE-2023-28371
2. GitHub - Stellarium Repository

Closing Thoughts

CVE-2023-28371 represents a significant security risk in Stellarium versions up to and including 1.2. To protect yourself from this vulnerability, keep your software up to date and follow best practices when configuring and deploying Stellarium. Additionally, if you are using or developing software that handles file paths, make sure to validate them against an allowed base directory to prevent path traversal vulnerabilities.

Timeline

Published on: 03/15/2023 04:15:00 UTC
Last modified on: 03/29/2023 05:15:00 UTC