
CVE-2022-4510: fix path traversal in PFS extractor script by QKaiser · Pull Request #617 · ReFirmLabs/binwalk

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk’s PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through 2.3.3 included.


os.path.join does not fully resolve a path so the condition that follows will never be true. Fixed by resolving the path using os.path.abspath.

An attacker could craft a malicious PFS file that would cause binwalk to write outside the extraction directory. I attached a proof-of-concept (poc.zip) that, when extracted from the user’s home directory, would extract a malicious binwalk module in .config/binwalk/plugins. This malicious plugin would then be loaded and executed by binwalk, leading to RCE.

/usr/local/bin/binwalk -M -e /tmp/poc.zip

Scan Time:     2022-10-26 21:50:26
Target File:   /tmp/poc.zip
MD5 Checksum:  4fdad30c7c1b4915938b5ad2786f5bf8
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 170, uncompressed size: 349, name: malicious.pfs
324           0x144           End of Zip archive, footer length: 22


Scan Time:     2022-10-26 21:50:26
Target File:   /home/quentin/_poc.zip.extracted/malicious.pfs
MD5 Checksum:  9a12bccad3db3ed8b818a31846d5976f
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PFS filesystem, version 0.9, 1 files

hello from malicious plugin
hello from malicious plugin
hello from malicious plugin
hello from malicious plugin

It’s triggering four times because I did not define the MODULES attribute.
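
The containment check described in the pull request, shown before and after resolving the path. This is an added example, not binwalk's code or the PR's diff; the function names, the output directory and the entry names are constructed for illustration. The third function goes beyond the PR: it compares whole path components, because a string prefix test also accepts a sibling directory whose name starts with the same characters.

```python
import os

# Constructed sample values; not taken from the proof-of-concept.
OUT_DIR = "/home/user/_fw.bin.extracted/pfs-root"
ENTRIES = [
    "etc/config.xml",                             # ordinary entry
    "../../.config/binwalk/plugins/example.py",   # climbs out with '..'
    "../pfs-root-old/notes.txt",                  # sibling dir sharing the prefix
]

def joined_only(out_dir, name):
    """Join, then prefix-test: '..' survives the join, so a relative name always passes."""
    path = os.path.join(out_dir, name)
    return path.startswith(out_dir)

def resolved(out_dir, name):
    """Resolve with abspath before the prefix test, as the PR describes."""
    path = os.path.abspath(os.path.join(out_dir, name))
    return path.startswith(out_dir)

def component_wise(out_dir, name):
    """Stricter variant (assumption, not from the PR): compare whole path components."""
    base = os.path.abspath(out_dir)
    path = os.path.abspath(os.path.join(base, name))
    return os.path.commonpath([base, path]) == base

def audit(out_dir=OUT_DIR, entries=ENTRIES):
    """Return {entry: (joined_only, resolved, component_wise)}; True means 'would extract'."""
    return {n: (joined_only(out_dir, n), resolved(out_dir, n), component_wise(out_dir, n))
            for n in entries}

if __name__ == "__main__":
    for name, verdicts in audit().items():
        print(f"{name!r:48} {verdicts}")
```

A True in the first column next to a False in the second marks an entry that the unresolved check lets through and the resolved check refuses.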

Related news

Gentoo Linux Security Advisory 202309-07

Gentoo Linux Security Advisory 202309-7 - Multiple vulnerabilities have been discovered in Binwalk, the worst of which could result in remote code execution. Versions greater than or equal to 2.3.4 are affected.

Serious security hole plugged in infosec tool binwalk

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’
