OBJ is a file format for describing 3D shapes of things, e. g. for 3D printing. A .obj file contains data lines that define coordinates of points, corners and colors of polygons, curved surfaces, etc.
Today I learned that version 3.0 of the OBJ format may include lines like this:
csh <command>
Executes the requested UNIX <command>.
Sigh. Have we learned nothing since the Morris Internet Worm?
Hold my beer...
from the Wikipedia article on SVG, the most common vector image format on the net:
As a document format, similar to HTML documents, SVG can host script or CSS. This is an issue when an attacker can upload a SVG file to a website, such as a profile picture, and the file is treated as a normal picture but contains malicious content.[79] For instance, if an SVG file is deployed as a CSS background image, or a logo on some website, or in some image gallery, then when the image is loaded in a browser it activates a script or other content. This could lock up the browser (the Billion laughs attack), but could also lead to HTML injection and cross-site scripting attacks. The W3C therefore stipulate certain requirements when SVG is simply used for images: SVG Security.[80]
The W3C says that Inline SVG (an SVG file loaded natively on a website) is considered less of a security risk because the content is part of a greater document, and so scripting and CSS would not be unexpected
Yes, but CSS and javascript are supposed to be "sandboxed" so they should ("should") not have any effect outside the browser window where the page is displayed.
Whereas those "csh" commands are supposed to be able to do anything that the program loading the .obj file could do. Like "cd; rm -rf *"...
"should", indeed.
But if you're lucky, you're opening the malware OBJ file on a machine that doesn't have csh installed.
Jorge Stolfi
-dsr- (not a dog)
Alexandre Oliva (moved to @