CVE CyberSecurity Database News

CVE-2023-41047 - How a GCODE Script in OctoPrint Could Let an Attacker Own Your Server

Poster -

OctoPrint is one of the most popular ways to control and monitor your 3D printer over the network. Its simple web interface has helped countless makers, enthusiasts, and even professional shops to manage print jobs easily. But with great convenience comes some risks, and if you haven’t upgraded past version 1.9.2, you might be in danger. That’s because a serious vulnerability—assigned CVE-2023-41047—has given a way for malicious admins to execute code on your server, just by creating a clever GCODE script.

In this exclusive deep dive, I’ll walk you through what CVE-2023-41047 is, how it works, show some code, and share how you can stay safe.

What is CVE-2023-41047?

CVE-2023-41047 is a critical security flaw in OctoPrint versions up to 1.9.2. It lets any user with admin rights add a “poisoned” GCODE script into the printer configuration. Then, when that script is parsed and rendered, it can execute arbitrary commands on the OctoPrint server—using the privileges under which the OctoPrint process is running.

Who can exploit it?
Anyone with admin rights, or someone who tricks an admin into adding a poisoned script (for example, by sending them a “cool new GCODE macro” found online).

How Does It Work?

OctoPrint allows admins to define custom GCODE scripts—pre and post-print routines, cancelation scripts, error handlers, etc. Unfortunately, until v1.9.3, the parser did not properly sanitize the data fed into GCODE placeholder replacements.

Certain template variables in GCODE scripts could be abused to trigger Python code execution inside the server, if crafted carefully. The issue comes from the unsafe rendering of templates using Python’s eval, allowing actual Python commands to be embedded and run as part of the replacement.

Imagine this (simplified)

# Vulnerable code (example, not real OctoPrint source)
script = user_supplied_gcode
context = {...}  # variables for template replacement
rendered = script.format(**context)

If the input isn’t sanitized, it’s possible to inject something like

; {os.system('whoami')}

When the script is rendered, this could execute the injected function!

Sample Exploit

The vulnerability requires admin rights or a social engineering attack. Here is a stripped-down, conceptual exploit example:

Malicious GCODE script added:

; Start script

; {__import__('os').system('touch /tmp/pwned_by_gcode')}

Attacker (or a tricked admin) adds this to OctoPrint’s start GCODE script.

- When the script runs, ${__import__('os').system('touch /tmp/pwned_by_gcode')} gets evaluated.
- The server creates a file /tmp/pwned_by_gcode.
- Replace system('touch /tmp/pwned_by_gcode') with any command to extract, manipulate, or destroy data.

This isn’t the literal string as it would appear in the real config, but it demonstrates the logic. In practice, a real-world attacker would use the appropriate template syntax, often using double curly brackets and OctoPrint’s template context. The essential trick is escaping into the host language (Python).

References

- OctoPrint Security Advisory (Official)
- CVE Details - CVE-2023-41047
- OctoPrint Release 1.9.3 Notes

Why is this so dangerous?

- Expand privileges. If you believe your OctoPrint server is isolated, remember that it is often installed as a full Linux user, sometimes with access to printers, cameras, and local files.

Upgrade OctoPrint to 1.9.3 or newer. This fully patches the vulnerability.

- Do not trust third-party GCODE scripts. Don’t copy-paste macros from the internet or strangers.
- Restrict who can be admin. Only grant admin rights to users you would trust with your server shell.

Regularly audit GCODE scripts. Check config for odd or unfamiliar placeholders.

- Watch for strange files or behaviors. If compromised, attackers might leave markers or set up persistence.

Summary

CVE-2023-41047 is a sobering reminder that even simple features like script templates can be dangerous if not sandboxed properly. OctoPrint is fixed in 1.9.3, so upgrading ASAP is your best move. Trust your admins—and double-check those GCODE macros.

For more details and updates, see the links above, and stay safe!


*This post is original and exclusive. Do not redistribute without permission.*

Timeline

Published on: 10/09/2023 16:15:10 UTC
Last modified on: 10/13/2023 18:40:38 UTC