CVE-2023-35963
Description
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns decompression in the vcd2lxt2 utility.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GTKWave 3.3.115 has OS command injection in decompression via specially crafted compressed wave file names, enabling arbitrary command execution when a victim opens a malicious file.
Vulnerability
GTKWave 3.3.115 contains multiple OS command injection vulnerabilities in its decompression functionality, specifically in the vcd2lxt2 utility and other components [1]. The bugs reside in how external decompression programs (gzip, bzip2, zip) are invoked via popen using unsanitized input file names [1]. A specially crafted compressed wave file (e.g., with malicious content in its filename) can inject arbitrary commands. The vulnerable version is 3.3.115; the file formats affected include .ghw, .lxt, .lxt2, .vzt, .fst, .vcd, and .evcd [1].
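The popen pattern described above, next to a shell-free replacement, as an added example that is not GTKWave code and not taken from the referenced advisory. The function names (spawn_read, open_gzip, spawn_wait) and the gzip options are assumptions made for illustration.

```c
/* Added illustration, not GTKWave source; function names are hypothetical.
 *
 * Vulnerable pattern (shown only as a comment): the name is pasted into a
 * string that /bin/sh parses, so metacharacters in it become shell syntax.
 *     snprintf(cmd, sizeof cmd, "gzip -cd %s", fname);
 *     f = popen(cmd, "r");
 */
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hardened pattern: execvp() runs argv[0] directly, so no shell ever parses
 * the arguments. Returns a descriptor for the child's stdout, or -1. */
int spawn_read(char *const argv[], pid_t *pid)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    *pid = fork();
    if (*pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (*pid == 0) {                     /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);                       /* parent keeps the read end */
    return fds[0];
}

/* Decompressor wrapper: "--" ends option parsing, so a name that starts
 * with '-' is not read as a gzip option either. */
int open_gzip(const char *fname, pid_t *pid)
{
    char *argv[] = { "gzip", "-cd", "--", (char *)fname, NULL };
    return spawn_read(argv, pid);
}

/* Close the descriptor and reap the child: exit status, or -1 if killed. */
int spawn_wait(int fd, pid_t pid)
{
    int st;
    close(fd);
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
```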
Exploitation
An attacker must convince a victim to open a malicious wave file, for example by sending it via email where GTKWave’s registered mime types may cause automatic opening on double-click [1]. No authentication or special privileges are required. The attacker crafts a compressed file (gzip, bzip2, or zip) with a filename containing shell metacharacters (e.g., backticks, semicolons). When GTKWave decompresses the file via popen, the injected commands are executed in the context of the user running GTKWave [1].
Impact
Successful exploitation leads to arbitrary command execution under the victim’s privileges. This can result in full compromise of confidentiality, integrity, and availability (CIA) – the attacker could read, modify, or delete files, install malware, or pivot to other systems [1]. The CVSSv3 score is 7.8 (High), indicating significant impact with relatively low attack complexity [1].
Mitigation
As of the publication date (2024-01-08), no official patch has been released for GTKWave 3.3.115 [1]. Users should avoid opening untrusted wave files until a fix is provided. There is no known workaround within the application. The vendor has not communicated an end-of-life status or a fixed version release date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- GTKWave/GTKWave, v5, Range: 3.3.115
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.