Stellarium is a popular open-source planetarium used by amateur astronomers and educators all over the world. But if you’re running any version up to 1.2, you might need to watch out: CVE-2023-28371 exposes a dangerous flaw that could let an attacker write to files they shouldn’t, including sensitive system files or hidden files outside the Stellarium directory.
This post breaks down the bug in plain English, shows you how the exploit works, and includes references if you want to dig deeper.
What Is CVE-2023-28371?
The vulnerability affects how Stellarium saves files. When saving certain configuration files or exported data, Stellarium relies on user-supplied file names without properly sanitizing the input.
So, instead of restricting output to safe locations (such as the user's data folder), Stellarium lets an attacker supply absolute file paths (like /etc/passwd on Linux or C:\Windows\System32\drivers\etc\hosts on Windows), or relative paths with traversal sequences such as ../../../malicious_file.txt, to write outside the expected folder.
Why does this matter?
If you can convince someone to open a specially crafted file or interact with Stellarium in a certain way, you could overwrite or create files anywhere the current user has permission—a classic arbitrary file write vulnerability. This can lead to privilege escalation, code execution, or getting persistent access to a victim's computer.
Vulnerable Code Path
This issue was discovered because Stellarium did not validate or clean input file names before using them to write disk files.
Hypothetical vulnerable code (simplified)
```cpp
#include <QFile>
#include <QIODevice>
#include <QString>

QString filename = getUserInput(); // takes the file name straight from the user, unchecked
QFile file(filename);              // an absolute path or a ../ sequence is accepted as-is
if (file.open(QIODevice::WriteOnly)) {
    // Write user data...
}
```
Here, if someone enters a full path (like /etc/passwd), Stellarium will blindly obey.
Let’s illustrate with a simple attack
1. The attacker crafts a configuration/settings file or data export that abuses the file save dialog.
2. The attacker prompts the victim to enter a file name like ../../../../.ssh/authorized_keys during export.
3. Stellarium writes the export data to that file, possibly overwriting an important file or placing a backdoor.
Proof-of-Concept (PoC) Steps
1. Open Stellarium and go to any export or save dialog (for example, when saving a custom configuration or exporting an observation log).
2. In the file name field, enter a path that points outside the intended folder, for example on Linux/macOS:

```
../../../../tmp/pwned.txt
```
If the user has permission, a new or overwritten file appears in the specified outside folder.
Note: The worst-case scenario is overwriting sensitive files and causing denial of service or potentially code execution if combined with other vulnerabilities.
Demo Code Snippet
Here’s Python *pseudo-exploit* code for educational purposes. It mimics how an attacker could abuse the vulnerability with a crafted file name.
```python
import requests

# Traversal payload aimed at the user's SSH authorized_keys file
payload = "../../../../.ssh/authorized_keys"
data = {
    "filename": payload,
    "content": "attacker's ssh key"
}
# Hypothetical local API endpoint
requests.post("http://localhost:12345/export", data=data)
```
> Stellarium doesn’t use an HTTP server by default, but this illustrates exploiting unvalidated file names in any API or input handler.
Mitigation
- Whitelisting allowed file extensions and folders
- Stripping out any dangerous directory traversal (like ../)
- Blocking absolute file paths
- Official patch: Stellarium GitHub commit
- Upgrade to the latest Stellarium version (1.3+)
- Use strong file system permissions. Don't run Stellarium as administrator/root.
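The three developer-side checks listed above (allow-listed extension and folder, traversal collapsed, absolute paths blocked) combined into one function that could replace the unchecked QFile(filename) open shown earlier. This is an added example, not Stellarium's own code or patch: it uses only std::filesystem, and the base directory, the extension allow-list and the function name are assumptions for illustration.

```cpp
#include <algorithm>
#include <array>
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Hypothetical allow-list of export extensions (not Stellarium's).
constexpr std::array<std::string_view, 3> kAllowedExtensions = {".txt", ".csv", ".json"};

// Returns the path to write, or std::nullopt when the user-supplied name would
// leave base_dir or carries a disallowed extension. The check is purely lexical:
// base_dir must be a trusted directory, and the caller should still open the
// file without following symlinks where the platform allows it.
std::optional<fs::path> safe_output_path(const fs::path& base_dir, const std::string& user_name) {
    // Backslashes are plain characters on POSIX but separators on Windows;
    // reject them so the check behaves the same everywhere.
    if (user_name.empty() || user_name.find('\\') != std::string::npos) return std::nullopt;

    // Block absolute paths (/etc/passwd) and anything with a drive or root
    // component (C:..., \\server\share).
    const fs::path requested(user_name);
    if (requested.is_absolute() || requested.has_root_name() || requested.has_root_directory())
        return std::nullopt;

    // Collapse "." and ".." lexically, then require that every component of
    // base_dir is still a prefix of the result (catches a/../../x as well as ../x).
    fs::path base = base_dir.lexically_normal();
    if (base.filename().empty()) base = base.parent_path();  // drop a trailing slash
    const fs::path candidate = (base / requested).lexically_normal();
    const auto mm = std::mismatch(base.begin(), base.end(), candidate.begin(), candidate.end());
    if (mm.first != base.end()) return std::nullopt;

    // Require a real file name with an allow-listed extension: this rejects a
    // trailing slash and extension-less names such as .ssh/authorized_keys.
    const std::string ext = candidate.extension().string();
    if (candidate.filename().empty() || ext.empty()) return std::nullopt;
    if (std::find(kAllowedExtensions.begin(), kAllowedExtensions.end(), ext) == kAllowedExtensions.end())
        return std::nullopt;
    return candidate;
}
```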
References
- Official CVE entry (NVD)
- Original GitHub advisory
- Stellarium 1.3 Release Notes
- Detailed community discussion
TL;DR
CVE-2023-28371 is an arbitrary file write bug in Stellarium <=1.2 that lets attackers save files wherever they want, possibly overwriting system files or planting backdoors. Always sanitize inputs, and if you’re running Stellarium, update now.
Timeline
Published on: 03/15/2023 04:15:00 UTC
Last modified on: 03/29/2023 05:15:00 UTC