CVE-2023-26266: Cmplog should search for unprefixed target in PATH, not PWD by YSaxon · Pull Request #1643 · AFLplusplus/AFLplusplus
In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.
This fixes a bug in cmplog, where, if afl-fuzz is called with an unprefixed-path target (e.g. targetapp instead of /path/to/targetapp), while afl-fuzz itself will correctly look for the target in PATH, cmplog instead looks for it in PWD.
If the target does not happen to be in PWD, then it will fail with the confusing error message:
[-] PROGRAM ABORT : Unable to execute target application ('targetapp')
Location : afl_fsrv_start(), src/afl-forkserver.c:1077
This bug is present in standard instrumented mode and Frida mode, but not QEMU mode.
Inasmuch as it violates the general principle and expectation that unprefixed executables should be executed by PATH rather than PWD, this bug being fixed also constitutes a security vulnerability, which could theoretically be exploited by placing a malicious executable of the same name into the user’s working directory.
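To make the resolution rule concrete, the following is an added example written for this page; it is not AFL++ code and not the fix from the pull request. It puts a PATH-walking resolver of the kind execvp() performs next to the working-directory-only lookup the description above attributes to cmplog, and exercises both against a constructed fixture directory that stands in for a fuzz target. The names resolved_path, cwd_only_path, make_fake_exe_dir, demo_path_env and the /tmp/cve26266_ directory prefix are assumptions of the example, not identifiers from the project.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* True if `path` names a regular file the caller may execute. */
static int is_executable_file(const char *path) {
  struct stat st;
  return stat(path, &st) == 0 && S_ISREG(st.st_mode) && access(path, X_OK) == 0;
}

/* Correct behaviour: resolve an unprefixed name through PATH, as execvp() or
 * a shell would. Names containing '/' are not searched (they are already
 * paths). Empty PATH components, which POSIX treats as the working directory,
 * are skipped on purpose so PWD is never consulted unless listed explicitly.
 * Returns a pointer to a static buffer, or NULL if nothing matched. */
const char *resolved_path(const char *name, const char *path_env) {
  static char out[4096];
  if (!name || !*name || strchr(name, '/') || !path_env) return NULL;
  const char *p = path_env;
  for (;;) {
    const char *sep = strchr(p, ':');
    size_t dirlen = sep ? (size_t)(sep - p) : strlen(p);
    if (dirlen > 0) {
      int n = snprintf(out, sizeof out, "%.*s/%s", (int)dirlen, p, name);
      if (n > 0 && (size_t)n < sizeof out && is_executable_file(out)) return out;
    }
    if (!sep) return NULL;
    p = sep + 1;
  }
}

/* Buggy behaviour described on the page: look for the bare name relative to
 * the working directory only. Whatever file sits there under that name wins,
 * and when nothing does, the lookup fails even though PATH would succeed. */
const char *cwd_only_path(const char *name) {
  static char out[4096];
  if (!name || !*name) return NULL;
  int n = snprintf(out, sizeof out, "./%s", name);
  if (n <= 0 || (size_t)n >= sizeof out) return NULL;
  return is_executable_file(out) ? out : NULL;
}

/* Constructed fixture (assumption of this example): a throwaway directory
 * holding an executable script named `name`, standing in for a fuzz target. */
static char g_demo_dir[64];
static int g_demo_ready = 0;

const char *demo_dir(void) { return g_demo_ready ? g_demo_dir : NULL; }

const char *make_fake_exe_dir(const char *name) {
  if (g_demo_ready) return g_demo_dir;
  strcpy(g_demo_dir, "/tmp/cve26266_XXXXXX");
  if (!mkdtemp(g_demo_dir)) {            /* fall back to PWD if /tmp is unusable */
    strcpy(g_demo_dir, "./cve26266_XXXXXX");
    if (!mkdtemp(g_demo_dir)) return NULL;
  }
  char file[4096];
  int n = snprintf(file, sizeof file, "%s/%s", g_demo_dir, name);
  if (n <= 0 || (size_t)n >= sizeof file) return NULL;
  FILE *f = fopen(file, "w");
  if (!f) return NULL;
  fputs("#!/bin/sh\necho fake target\n", f);
  fclose(f);
  if (chmod(file, 0755) != 0) return NULL;
  g_demo_ready = 1;
  return g_demo_dir;
}

/* PATH value for the demo: a directory that does not exist, then the fixture. */
const char *demo_path_env(void) {
  static char env[256];
  if (!g_demo_ready) return NULL;
  snprintf(env, sizeof env, "/nonexistent-dir:%s", g_demo_dir);
  return env;
}

int main(void) {
  if (!make_fake_exe_dir("targetapp")) return 1;
  const char *hit = resolved_path("targetapp", demo_path_env());
  printf("PATH lookup: %s\n", hit ? hit : "(not found)");
  const char *cwd = cwd_only_path("targetapp");
  printf("PWD lookup : %s\n", cwd ? cwd : "(not found; this is the failure the page quotes)");
  return 0;
}
```

Run from any directory other than the fixture, the PATH lookup finds the target while the PWD-only lookup reports nothing; run from inside the fixture directory, the PWD-only lookup succeeds while a PATH lookup with the fixture absent from PATH still fails. That asymmetry is the whole point of the report: the PWD-only rule makes the executed binary depend on where the user happens to be standing rather than on the PATH they configured.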
Related news
Gentoo Linux Security Advisory 202408-27 - A vulnerability has been discovered in AFLplusplus, which can lead to arbitrary code execution via an untrusted CWD. Versions greater than or equal to 4.06c are affected.