| Title | NASA cFS 7.0.0 Code Execution |
|---|
| Description | Multiple files in the cFS Ground System use Python's pickle.load() to deserialize command and parameter definition files from disk without any integrity verification. Python's pickle module executes arbitrary code during deserialization via the __reduce__ protocol. An attacker who can modify any .pickle file in the CommandFiles/ or ParameterFiles/ directories achieves arbitrary code execution when an operator opens the corresponding command page in the Ground System GUI. A malicious pickle payload as small as 62 bytes is sufficient to execute arbitrary OS commands.
The serialized data (command descriptions, codes, parameter lists) consists entirely of Python lists and strings — there is no technical need for pickle. JSON is a drop-in replacement.
To Reproduce
Craft a malicious pickle file using Python's __reduce__ protocol to call os.system() with an arbitrary command
Place it in the CommandFiles/ directory of the Ground System
Launch the Ground System GUI and navigate to the command page that loads the pickle
The embedded command executes as the operator — confirmed with a harmless marker file creation
Proof-of-concept source and output are available upon request.
Expected behavior
Command definition files should be deserialized using a safe format (JSON) that does not support arbitrary code execution. No .pickle files should be loaded without integrity verification.
Code snips
The vulnerable pattern appears in 4 locations across 3 files:
tools/cFS-GroundSystem/Subsystems/cmdGui/UdpCommands.py (lines 68-69, 177-178):
with open(pickle_file, 'rb') as pickle_obj:
    cmd_desc, cmd_codes, param_files = pickle.load(pickle_obj)
tools/cFS-GroundSystem/Subsystems/cmdGui/CommandSystem.py (lines 71-72):
with open(pickle_file, 'rb') as pickle_obj:
    cmd_desc, cmd_codes, param_files = pickle.load(pickle_obj)
tools/cFS-GroundSystem/Subsystems/cmdGui/Parameter.py (lines 130-132):
with open(pickle_file, 'rb') as pickle_obj:
    param_names = pickle.load(pickle_obj)[1]
System observed on:
Hardware: x86_64
OS: Linux (Ubuntu 22.04, Python 3.10)
Versions: cFS Draco release, commit 83c735e
Additional context
This is a ground station compromise vector. The Ground System operator's workstation typically has network access to mission-critical systems, making this a high-value target for supply chain attacks. Python's own documentation warns: "The pickle module is not secure. Only unpickle data you trust." |
|---|
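
An added example, not code from the cFS repository or the original report: one way to act on the "Expected behavior" above is to read each legacy file once with an unpickler that refuses every global lookup, convert it to JSON, and have the loaders parse and validate JSON from then on. The function names, the three-list layout check and the sample values are assumptions; the file layout read by Parameter.py would need its own validator.

```python
import io
import json
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every global lookup; plain lists and strings never need one."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def _lists_and_strings(value):
    """True if value is a str, or a list built only from such values."""
    if isinstance(value, str):
        return True
    return isinstance(value, list) and all(_lists_and_strings(v) for v in value)


def validate_command_def(data):
    """Assumed layout: [cmd_desc, cmd_codes, param_files], each a list."""
    ok = (isinstance(data, list) and len(data) == 3
          and all(isinstance(p, list) and _lists_and_strings(p) for p in data))
    if not ok:
        raise ValueError("unexpected command definition layout")
    return data


def legacy_pickle_to_json(raw):
    """One-time migration: decode with globals blocked, then emit JSON."""
    obj = NoGlobalsUnpickler(io.BytesIO(raw)).load()
    data = json.loads(json.dumps(obj))  # tuples become lists; bytes/sets raise
    return json.dumps(validate_command_def(data))


def load_command_def(text):
    """JSON-based replacement for the pickle.load() call sites."""
    cmd_desc, cmd_codes, param_files = validate_command_def(json.loads(text))
    return cmd_desc, cmd_codes, param_files


# Constructed sample values, not taken from the cFS repository.
SAMPLE = (["No-Op", "Reset Counters"], ["0", "1"], ["", ""])

if __name__ == "__main__":
    migrated = legacy_pickle_to_json(pickle.dumps(SAMPLE))
    print(load_command_def(migrated))
```

Switching the format removes the code-execution path but does not by itself provide the integrity verification the report also asks for; a modified JSON file can still change which command definitions the operator sees.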
| Source | https://github.com/nasa/cFS/issues/951 |
|---|
| User | 0rbitingZer0 (UID 96146) |
|---|
| Submission | 2026. 03. 18. AM 01:29 (18 days ago) |
|---|
| Moderation | 2026. 04. 03. AM 09:44 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 355077 [NASA cFS up to 7.0.0 Pickle pickle.load privilege escalation] |
|---|
| Points | 20 |
|---|