CVE-2023-35962

Vulnerability

GTKWave 3.3.115 contains multiple OS command injection vulnerabilities in its decompression functionality, specifically in the vcd2vzt utility. The software uses popen to execute external decompression programs (gzip, bzip2, zip) on input files, and the file name is passed unsanitized to the shell. A specially crafted wave file with a malicious file name can inject arbitrary commands. This affects all platforms (Linux, Windows, macOS) and is triggered when GTKWave opens a compressed wave file [1].

Exploitation

An attacker must craft a wave file with a file name containing shell metacharacters and command injection payloads. The victim must open this file using GTKWave, for example by double-clicking on it (GTKWave registers mime types for wave file extensions). When GTKWave attempts to decompress the file, the malicious file name is passed to popen, executing the injected commands with the privileges of the user [1].

Impact

Successful exploitation allows arbitrary command execution on the victim's system. The attacker gains full control over confidentiality, integrity, and availability of the affected system, as the injected commands run with the user's privileges [1].

Mitigation

As of the publication date (2024-01-08), no official patched version of GTKWave has been released. Users should avoid opening wave files from untrusted sources. As a workaround, disable automatic decompression or use a sandboxed environment when handling untrusted wave files [1].