Symlink to root in firmware causes analysis to never complete #868
Labels: bug, Core modules (Sxx), EMBA, security
Describe the bug
When analyzing a firmware image that contains links to absolute paths such as / or /dev/..., one or more EMBA analysis steps follow those links and end up analyzing files in EMBA Docker container instead of the firmware image.
This is problematic on a few levels. Among them, one consequence is that at least one analysis step runs forever and the whole analysis never completes: in s106_deep_key_search.sh, there is
This spawns:
This grep was left running for days and never completed. Running it manually within the Docker container seems to hang after a minute or so, around /dev/fd in the Docker container, not the firmware image. It is actually reading /logs/firmware/some/path/dev/fd but somewhere along that path is a link to /, which is interpreted as the root of the Docker container. Maybe grep is trying here to read from the Docker container stdout, or some similar device and that never ends, I can't tell for sure.
But whatever "file" causes grep to hang is irrelevant. The issue is that it should not read files outside the firmware image.
To Reproduce
Steps to reproduce the behavior:
sudo ./emba -l ~/log -f /path/to/above/image.tar.gz -p ./scan-profiles/default-scan.emba
Expected behavior
EMBA analysis steps do not analyze files outside the firmware image.
Removing the links from the firmware image makes the analysis complete normally. So an expected fix would be an early step in the analysis that would sanitize symbolic links in a way that would either make them:
Alternately, all occurrences of recursive scanning (find, grep, etc.) must be aware of not following symlinks starting with a /. This would however create several potential points of failure in the code, including new code that would have to be "aware" of that issue.
Desktop
Priority issue
Are you already a [Sponsor]? No
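An added example, not part of the original report and not EMBA code: a pre-scan audit that lists every symlink in an extracted firmware tree that would lead a scanner outside that tree, plus one possible sanitization that re-anchors absolute targets at the firmware root. The function names, the sample tree and the re-rooting approach are assumptions made for illustration; the audit goes beyond the absolute links in the report by also flagging relative links that climb out with "..".

```shell
#!/usr/bin/env bash
# Added example, not EMBA code; function names are hypothetical.
# Needs GNU coreutils (realpath -m/-s, ln -n) and GNU find (-lname).

# Print "link -> target" for every symlink under ROOT that leads outside ROOT.
list_escaping_links() (
  root=$(realpath -- "$1") || exit 1
  # find defaults to -P, so the walk itself never follows a symlink.
  find "$root" -type l -exec sh -c '
    root=$1; shift
    for link do
      target=$(readlink -- "$link")
      case $target in
        /*) resolved=$target ;;  # absolute: resolves against the container root
        *)  resolved=$(realpath -m -s -- "$(dirname -- "$link")/$target") ;;
      esac
      case $resolved/ in
        "$root"/*) ;;            # stays inside the firmware tree
        *) printf "%s -> %s\n" "${link#"$root"/}" "$target" ;;
      esac
    done' sh "$root" {} +
)

# Rewrite absolute targets as relative ones anchored at ROOT, so "/" means the
# firmware root again. Relative links are left untouched.
reroot_absolute_links() (
  root=$(realpath -- "$1") || exit 1
  find "$root" -type l -lname '/*' -exec sh -c '
    root=$1; shift
    for link do
      norm=$(realpath -m -s -- "$(readlink -- "$link")")  # clamp ".." at "/"
      rel=$(realpath -m -s --relative-to="$(dirname -- "$link")" -- "$root$norm")
      ln -sfn -- "$rel" "$link"
    done' sh "$root" {} +
)

# Constructed sample tree standing in for an extracted firmware image.
make_sample_tree() {
  d=$(mktemp -d) && mkdir -p "$d/bin" "$d/dev" "$d/etc" &&
  : > "$d/bin/busybox" && ln -s busybox "$d/bin/sh" &&   # relative, inside
  ln -s / "$d/rootfs" && ln -s /dev/null "$d/dev/log" && # absolute, escape
  ln -s ../../outside "$d/etc/up" && printf '%s\n' "$d"  # relative, escape
}

if [ "${1:-}" = "--demo" ]; then
  t=$(make_sample_tree); list_escaping_links "$t"; reroot_absolute_links "$t"
  echo "after re-rooting:"; list_escaping_links "$t"; rm -rf "$t"
fi
```

After re-rooting, a link such as rootfs -> . still forms a directory loop for any tool that follows symlinks, but the loop stays inside the firmware tree.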