CVE-2023-35959
Description
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns .ghw decompression.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GTKWave 3.3.115 contains OS command injection in GHW decompression via crafted file names, allowing arbitrary command execution when a victim opens a malicious file.
Vulnerability
GTKWave 3.3.115 suffers from an OS command injection vulnerability in its decompression functionality for .ghw files. When a victim opens a specially crafted compressed wave file, the program uses popen to execute external decompression tools (gzip, bzip2, or zip) on the input file name without proper sanitization. This allows an attacker to inject arbitrary OS commands by embedding them in the file name. The affected version is GTKWave 3.3.115 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious .ghw file with a file name containing injected OS commands. The victim must open this file using GTKWave, for example by double-clicking on a wave file received via email. No special privileges or authentication are required, but user interaction is necessary. The command injection occurs during the decompression phase, where the file name is passed to popen [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the victim user. This can lead to full compromise of confidentiality, integrity, and availability (CIA) of the victim's system, including data exfiltration, installation of malware, or further lateral movement [1].
Mitigation
As of the publication date (2024-01-08), no official patch has been released. Users should avoid opening untrusted .ghw files with GTKWave 3.3.115. A workaround is to disable or restrict execution of external decompression tools within GTKWave, if possible. Monitor vendor updates for a fixed version [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave, v5, Range: 3.3.115
Patches
No patches discovered yet.
References