Headline
CVE-2022-4510: fix path traversal in PFS extractor script by QKaiser · Pull Request #617 · ReFirmLabs/binwalk
A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk’s PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through 2.3.3 included.
os.path.join does not fully resolve a path so the condition that follows will never be true. Fixed by resolving the path using os.path.abspath.
An attacker could craft a malicious PFS file that would cause binwalk to write outside the extraction directory. I attached a proof-of-concept (poc.zip) that, when extracted from the user’s home directory, would extract a malicious binwalk module in .config/binwalk/plugins. This malicious plugin would then be loaded and executed by binwalk, leading to RCE.
/usr/local/bin/binwalk -M -e /tmp/poc.zip
Scan Time: 2022-10-26 21:50:26
Target File: /tmp/poc.zip
MD5 Checksum: 4fdad30c7c1b4915938b5ad2786f5bf8
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 170, uncompressed size: 349, name: malicious.pfs
324 0x144 End of Zip archive, footer length: 22
Scan Time: 2022-10-26 21:50:26
Target File: /home/quentin/_poc.zip.extracted/malicious.pfs
MD5 Checksum: 9a12bccad3db3ed8b818a31846d5976f
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PFS filesystem, version 0.9, 1 files
hello from malicious plugin
hello from malicious plugin
hello from malicious plugin
hello from malicious plugin
It’s triggering four times because I did not define the MODULES attribute.
Related news
Gentoo Linux Security Advisory 202309-7 - Multiple vulnerabilities have been discovered in Binwalk, the worst of which could result in remote code execution. Versions greater than or equal to 2.3.4 are affected.
Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’