Bambu Studio Arbitrary Code Execution Vulnerability
Vulnerability
An arbitrary code execution vulnerability has been identified in Bambu Studio versions through 2.1.1.52. The issue arises because the application loads a network plugin during startup without validating its digital signature or authenticity. This flaw allows a local attacker with write access to the user's profile to place a malicious component in a location they control, such as under %APPDATA%, and have it executed in that user's context. Because the main application is digitally signed, a malicious component loaded into its process can inherit that trust and evade detection by security solutions that monitor signed processes.
Impact
Exploitation of this vulnerability allows for arbitrary code execution in the context of the user running Bambu Studio. The vulnerability also introduces a persistence mechanism, as the malicious component can be executed automatically each time the application is launched. Additionally, the exploitation can bypass certain security measures that trust or whitelist signed parent processes, allowing further malicious activities to occur with reduced scrutiny.
Reproduction
The vulnerability can be reproduced by placing a malicious component in a location that Bambu Studio loads from, such as the %APPDATA% directory. Once the component is in place, launching Bambu Studio will execute the malicious code, as demonstrated in a proof-of-concept video.
Remediation
Users can update to Bambu Studio version 2.3.0.70, which includes a fix for this vulnerability by adding verification for the digital signatures of network plugins before they are loaded. This update is available through the Bambu Lab official website.
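The fix described above amounts to checking that a plugin is signed, that its signature is intact, and that it was signed by the same publisher as the main executable. The following PowerShell audit, added here as an illustration and not Bambu Lab's own code, applies that check from the defender's side to DLLs already present on a machine; the executable and plugin paths are assumptions, since the advisory only states that the plugin is loaded from under %APPDATA%.

```powershell
# Added audit script (not part of Bambu Studio): compares the Authenticode signer of
# every DLL in a plugin directory against the signer of the main, signed executable.
# Both paths are assumptions; the advisory names only "%APPDATA%" as the load location.
function Test-PluginSigners {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MainExecutable,   # signed main binary, assumed path
        [Parameter(Mandatory)] [string] $PluginDirectory   # plugin folder under $env:APPDATA, assumed path
    )

    # Establish the trusted publisher from the main executable's own signature.
    $main = Get-AuthenticodeSignature -FilePath $MainExecutable
    if ($main.Status -ne 'Valid') {
        throw "Main executable is not validly signed ($($main.Status)); no trusted signer to compare against."
    }
    $trustedSubject = $main.SignerCertificate.Subject

    Get-ChildItem -Path $PluginDirectory -Recurse -File -Filter '*.dll' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $verdict = if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch (tampered) or an untrusted chain all fail the check.
            "REJECT: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -ne $trustedSubject) {
            # Validly signed, but by a different publisher than the host application.
            "REJECT: signer mismatch ($($sig.SignerCertificate.Subject))"
        } else {
            'OK'
        }
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Verdict = $verdict
        }
    }
}

# Usage with placeholder paths (substitute the real install and plugin locations):
# Test-PluginSigners -MainExecutable 'C:\path\to\BambuStudio.exe' `
#                    -PluginDirectory "$env:APPDATA\<plugin folder>" | Format-Table -AutoSize
```

Any row with a REJECT verdict is a component the patched loader would refuse, and on an unpatched install it is worth treating as a candidate planted component rather than a benign file.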
