OpenPLC Path Injection Vulnerability Allowing Arbitrary File Read

Vulnerability

A path injection vulnerability has been identified in OpenPLC version 3, specifically in the binary program compiled from glue_generator.cpp. The vulnerability arises because the program does not validate file path parameters provided via the command line. This lack of validation allows attackers to construct malicious paths that the program will follow to read arbitrary files. The user-controlled input is directly passed to file operation functions for reading and writing, creating a risk of unauthorized information disclosure.

Impact

Exploitation of this vulnerability could lead to the unauthorized reading of sensitive files, such as user account information, password hashes, configuration files, private keys, application secrets, and other confidential data. Such information could be used for further privilege escalation or lateral movement within a system.

Reproduction

To reproduce this vulnerability, execute the vulnerable OpenPLC program 'glue_generator' with a crafted file path argument that includes sensitive data formatted to match the program's parsing expectations. The program will read and output the file content, demonstrating the arbitrary file read capability.

Remediation

Users are advised to validate and sanitize all file path inputs, restrict file access to trusted directories, and implement measures to prevent the reading of sensitive system files.
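One way to apply the path validation and trusted-directory restriction advised above, as an added example that is not OpenPLC's own code. It assumes a POSIX system; the function names, the /tmp sandbox and the file names are constructed for illustration.

```cpp
// Added example (not OpenPLC code): confine a command-line path to one directory.
#include <climits>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Accept user_path only if it canonicalizes to a regular file under trusted_dir.
// On success `resolved` holds the canonical path the caller should open.
bool resolve_in_trusted_dir(const std::string &trusted_dir,
                            const std::string &user_path, std::string &resolved) {
    char base_buf[PATH_MAX], target_buf[PATH_MAX];
    // realpath() collapses "..", "." and symlinks, and fails on missing paths.
    if (!realpath(trusted_dir.c_str(), base_buf) || !realpath(user_path.c_str(), target_buf)) return false;
    std::string base(base_buf), target(target_buf);
    if (base.back() != '/') base += '/';  // "/x/trusted" must not match "/x/trusted-old"
    if (target.compare(0, base.size(), base) != 0) return false;
    struct stat st;
    if (stat(target.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    resolved = target;
    return true;
}

// Constructed sandbox under /tmp; returns a bitmask with bit i set if case i was accepted.
int run_constructed_cases() {
    char tmpl[] = "/tmp/pathcheck_XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    const std::string root(tmpl), trusted = root + "/trusted";
    mkdir(trusted.c_str(), 0700);
    mkdir((root + "/trusted-old").c_str(), 0700);
    std::ofstream(trusted + "/input.txt") << "ok\n";
    std::ofstream(root + "/outside.txt") << "secret\n";
    std::ofstream(root + "/trusted-old/file.txt") << "old\n";
    if (symlink("../outside.txt", (trusted + "/link").c_str()) != 0) return -1;
    const std::string cases[] = {
        trusted + "/input.txt",          // 0: inside the trusted directory
        trusted + "/../outside.txt",     // 1: ".." traversal
        trusted + "/link",               // 2: symlink pointing outside
        root + "/trusted-old/file.txt",  // 3: sibling sharing the name prefix
        trusted,                         // 4: a directory, not a file
        trusted + "/missing.txt"};       // 5: does not exist
    int accepted = 0;
    std::string out;
    for (int i = 0; i < 6; ++i)
        if (resolve_in_trusted_dir(trusted, cases[i], out)) accepted |= 1 << i;
    return accepted;
}
int main() { return run_constructed_cases() == 1 ? 0 : 1; }
```

The caller should open the returned `resolved` path rather than the original argument, so the file that was checked is the file that is read.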

Added: May 13, 2026, 6:42 PM
Updated: May 13, 2026, 6:42 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 4.8
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.