
fix path traversal in PFS extractor script #617

Merged (1 commit) on Feb 1, 2023

Conversation

@qkaiser commented Oct 26, 2022

os.path.join does not fully resolve a path so the condition that follows will never be true. Fixed by resolving the path using os.path.abspath.

An attacker could craft a malicious PFS file that would cause binwalk to write outside the extraction directory. I attached a proof-of-concept (poc.zip) that, when extracted from the user's home directory, would extract a malicious binwalk module in .config/binwalk/plugins. This malicious plugin would then be loaded and executed by binwalk, leading to RCE.


PoC run:

/usr/local/bin/binwalk -M -e /tmp/poc.zip

Scan Time:     2022-10-26 21:50:26
Target File:   /tmp/poc.zip
MD5 Checksum:  4fdad30c7c1b4915938b5ad2786f5bf8
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 170, uncompressed size: 349, name: malicious.pfs
324           0x144           End of Zip archive, footer length: 22


Scan Time:     2022-10-26 21:50:26
Target File:   /home/quentin/_poc.zip.extracted/malicious.pfs
MD5 Checksum:  9a12bccad3db3ed8b818a31846d5976f
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PFS filesystem, version 0.9, 1 files

hello from malicious plugin
hello from malicious plugin
hello from malicious plugin
hello from malicious plugin

The malicious plugin is simply this:

import binwalk.core.plugin

class MaliciousExtractor(binwalk.core.plugin.Plugin):
    """
    Malicious binwalk plugin
    """

    def init(self):
        print("hello from malicious plugin")

It's triggering four times because I did not define the MODULES attribute.
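The check the description refers to, reconstructed as an added example (this is not binwalk's own code, and since the PR's diff is not shown here the naive form is an assumption about its shape): a join-only prefix test is never false for a `../` entry, whereas resolving the path first, as the fix does with `os.path.abspath`, catches it. The extraction directory and entry names are constructed, and `os.path.realpath` plus `os.path.commonpath` are used so symlinks and the `/out` vs `/out2` prefix trap are also handled.

```python
import os


def is_within_naive(extract_dir, entry_name):
    """Assumed shape of the original check: os.path.join keeps the '..'
    components, so the joined string always starts with extract_dir and
    traversal is never detected."""
    target = os.path.join(extract_dir, entry_name)
    return target.startswith(extract_dir)


def is_within_fixed(extract_dir, entry_name):
    """Resolve '..' (and symlinks) before comparing.  The PR uses
    os.path.abspath; realpath is used here so a symlinked entry inside
    the extraction directory cannot point outside it either."""
    root = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    # commonpath avoids the prefix trap where "/tmp/out2".startswith("/tmp/out")
    return os.path.commonpath([root, target]) == root


def safe_extract_path(extract_dir, entry_name):
    """Return the absolute destination for an archive entry, or None when
    the entry is absolute or would escape extract_dir."""
    if os.path.isabs(entry_name) or not is_within_fixed(extract_dir, entry_name):
        return None
    return os.path.realpath(os.path.join(extract_dir, entry_name))


if __name__ == "__main__":
    # Constructed values: an extraction directory and an entry name in the
    # spirit of the PoC (escaping into the user's binwalk plugin directory).
    out = "/tmp/binwalk_example_out"
    evil = "../../home/user/.config/binwalk/plugins/evil.py"
    print("naive :", is_within_naive(out, evil))   # True  (traversal missed)
    print("fixed :", is_within_fixed(out, evil))   # False (traversal rejected)
    print("dest  :", safe_extract_path(out, "rootfs/bin/busybox"))
```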

os.path.join does not fully resolve a path so the condition that follows
will never be true. Fixed by resolving the path using os.path.abspath.
@qkaiser (Author) commented Oct 26, 2022

I took the liberty of reporting this in the open, since #556 was fixed that way and I did not find any security/coordinated disclosure policy or contact info. Hope that works for you.

@qkaiser (Author) commented Jan 31, 2023

We have an upcoming publication about similar vulnerabilities affecting different extractors in ubi-reader, jefferson, yaffshiv, and binwalk. We requested CVEs for each of these vulnerabilities so that users are aware they should upgrade to the latest version (through dependabot, for example).

The one that should be fixed by this PR has been assigned CVE-2022-4510.

@devttys0 devttys0 merged commit cddfede into ReFirmLabs:master Feb 1, 2023
@qkaiser (Author) commented Feb 2, 2023

Hi @devttys0 ! Thanks for taking care of this :)

I would recommend fixing yaffshiv as well (devttys0/yaffshiv#3) since similar impact can be obtained with a malformed YAFFS file.
