CVE-2023-35964

Vulnerability

GTKWave 3.3.115 contains an OS command injection vulnerability in the decompression functionality of the vcd2lxt utility. When a specially crafted wave file is opened, the file name is passed unsanitized to popen() for decompression, allowing arbitrary command execution. The vulnerability is triggered when a victim opens a malicious .vcd file (or other supported formats) that has been compressed with gzip, bzip2, or zip [1].

Exploitation

An attacker can exploit this vulnerability by crafting a wave file with a malicious file name containing OS command injection payloads. The victim must open the file using GTKWave, which can occur simply by double-clicking the file if GTKWave is associated with the file extension (e.g., via email attachment). No authentication or special privileges are required beyond user interaction [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the victim. This can lead to full compromise of confidentiality, integrity, and availability, including data exfiltration, installation of malware, or further system compromise [1].

Mitigation

As of the publication date (2024-01-08), no official fix has been released by the vendor. Users are advised to avoid opening untrusted wave files and to disable automatic file association for GTKWave-supported extensions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].