SolidCAM GPPL IDE Path Traversal Vulnerability in Document Link Handling
Vulnerability
A path traversal vulnerability has been identified in the SolidCAM GPPL IDE extension for Visual Studio Code, affecting versions 1.0.0 prior to 1.0.2. The issue arises in the 'inc "filename"' directive within GPPL postprocessor files, which is processed by the 'GpplDocumentLinkHandler'. This handler improperly accepts and resolves arbitrary file paths (absolute paths, relative paths with parent-directory segments, UNC paths, and subfolders) into clickable links. This flaw creates two distinct attack vectors: information disclosure through 'File.Exists' probing, and an NTLM hash leak via UNC path resolution, both of which can be exploited by crafting a malicious '.gpp' file.
Impact
Exploitation of this vulnerability could lead to unauthorized information disclosure by enumerating files on the victim's machine or leaking NTLM credentials to an attacker-controlled SMB server, potentially allowing password recovery or credential relaying to access internal services.
Reproduction
The vulnerability can be reproduced by opening, in an affected version of the SolidCAM GPPL IDE extension, a '.gpp' file that contains 'inc' directives pointing to system files or network paths. The 'GpplDocumentLinkHandler' resolves these paths into clickable links based on 'File.Exists' checks, so the presence or absence of a link reveals whether the referenced file exists. If UNC paths are used, the check triggers an SMB authentication exchange that leaks the user's NTLM hash to the attacker.
Remediation
Users should upgrade to SolidCAM GPPL IDE version 1.0.2 or later. After upgrading, the 'GpplDocumentLinkHandler' will reject unsafe include names that could lead to path traversal. As an additional precaution, outbound SMB traffic to the Internet can be blocked at the firewall level.
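The following TypeScript is an added illustration of the kind of include-name validation described under Remediation; it is not the SolidCAM extension's own code, and the function names, the sample '.gpp' text and the document directory are constructed for the example. The point is that the name is rejected before any filesystem probe, so neither 'File.Exists'-style enumeration nor a UNC lookup can be triggered by a crafted directive.

```typescript
import * as path from "path";

// Accept only a bare file name: no path separators (which also rules out
// UNC prefixes and "..\x" style traversal), no drive letters, no "." or "..",
// and none of the characters that are reserved on Windows file systems.
// Nothing here touches the disk, so an unsafe name is never probed.
export function isSafeIncludeName(name: string): boolean {
  if (name.length === 0 || name.length > 255) return false;
  if (/[\\/]/.test(name)) return false;               // separators, UNC, traversal
  if (name === "." || name === "..") return false;     // current/parent segment
  if (/[\x00-\x1f<>:"|?*]/.test(name)) return false;   // "C:..." and reserved chars
  return true;
}

// Resolve an include to a path inside the document's own folder, or null.
// The post-resolution containment check is a second line of defence in case
// the name filter is ever relaxed.
export function resolveInclude(documentDir: string, name: string): string | null {
  if (!isSafeIncludeName(name)) return null;
  const target = path.resolve(documentDir, name);
  const rel = path.relative(documentDir, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return null;
  return target;
}

// Scan postprocessor text for 'inc "name"' directives and return the targets
// that a hardened link handler would be allowed to turn into links.
export function linkableIncludes(source: string, documentDir: string): string[] {
  const out: string[] = [];
  const re = /^\s*inc\s+"([^"]*)"/gm;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const target = resolveInclude(documentDir, m[1]);
    if (target !== null) out.push(target);
  }
  return out;
}

// Constructed sample: one legitimate include, one traversal, one UNC path.
const SAMPLE_GPP = 'inc "macros.gpp"\ninc "..\\..\\config.ini"\ninc "\\\\host\\share\\x.gpp"\n';
console.log(linkableIncludes(SAMPLE_GPP, "/work/post")); // only the macros.gpp path
```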
