ReFirmLabs / binwalk

Firmware Analysis Tool
MIT License

fix path traversal in PFS extractor script #617

Closed qkaiser closed 1 year ago

qkaiser commented 1 year ago

os.path.join does not fully resolve a path so the condition that follows will never be true. Fixed by resolving the path using os.path.abspath.

An attacker could craft a malicious PFS file that would cause binwalk to write outside the extraction directory. I attached a proof-of-concept (poc.zip) that, when extracted from the user's home directory, would extract a malicious binwalk module in .config/binwalk/plugins. This malicious plugin would then be loaded and executed by binwalk, leading to RCE.
PoC run:

/usr/local/bin/binwalk -M -e /tmp/poc.zip

Scan Time:     2022-10-26 21:50:26
Target File:   /tmp/poc.zip
MD5 Checksum:  4fdad30c7c1b4915938b5ad2786f5bf8
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 170, uncompressed size: 349, name: malicious.pfs
324           0x144           End of Zip archive, footer length: 22

Scan Time:     2022-10-26 21:50:26
Target File:   /home/quentin/_poc.zip.extracted/malicious.pfs
MD5 Checksum:  9a12bccad3db3ed8b818a31846d5976f
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PFS filesystem, version 0.9, 1 files

hello from malicious plugin
hello from malicious plugin
hello from malicious plugin
hello from malicious plugin

The malicious plugin is simply this:

import binwalk.core.plugin

class MaliciousExtractor(binwalk.core.plugin.Plugin):
    """
    Malicious binwalk plugin
    """

    def init(self):
        print("hello from malicious plugin")

It's triggering four times because I did not define the MODULES attribute.
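The check described in the PR body, shown side by side in added example code that is not from the binwalk code base: a prefix test on the raw result of os.path.join accepts `..` components because join never collapses them, while resolving the path first (os.path.realpath here, os.path.abspath in the PR) and then testing containment with os.path.commonpath rejects them. The extraction directory and entry names below are constructed, and the shape of the vulnerable check is an assumption modelled on the description above, not a copy of the original extractor.

```python
import os

# Constructed extraction root; only the containment verdicts matter, not the
# concrete path, so this never needs to exist on disk.
EXTRACT_DIR = "/tmp/_poc.pfs.extracted"

# Constructed sample of file names as an archive entry table might carry them.
SAMPLE_ENTRIES = [
    "etc/config",                       # ordinary relative entry
    "../../.config/binwalk/plugins/x.py",  # climbs out of the root
    "/etc/passwd",                      # absolute entry name
    "../_poc.pfs.extracted2/x",         # sibling whose name shares the prefix
]


def naive_check(extract_dir, entry_name):
    """Assumed pre-fix pattern: join, then test the string prefix.

    os.path.join does not resolve "..", so "/root/../x" still starts with
    "/root" and the traversal entry is accepted.
    """
    candidate = os.path.join(extract_dir, entry_name)
    return candidate.startswith(extract_dir)


def resolved_check(extract_dir, entry_name):
    """Hardened pattern: resolve both sides, then test containment.

    commonpath rather than startswith so that a sibling directory whose name
    merely begins with the root (e.g. /root2) is not treated as inside /root.
    """
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Raised when paths cannot share a common path (e.g. different drives).
        return False


def rejected_entries(entries, extract_dir=EXTRACT_DIR):
    """Return the entry names the hardened check would refuse to write."""
    return [e for e in entries if not resolved_check(extract_dir, e)]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry!r:45} naive={naive_check(EXTRACT_DIR, entry)!s:5} "
              f"resolved={resolved_check(EXTRACT_DIR, entry)}")
```

The sibling-prefix entry is the reason for commonpath: after resolution it is a clean absolute path outside the root, yet a plain startswith on the resolved string would still accept it, so the containment test belongs after resolution and should compare path components, not characters.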

qkaiser commented 1 year ago

I took the liberty to report this in the open since https://github.com/ReFirmLabs/binwalk/pull/556 was fixed that way and I did not find any security/coordinated disclosure policy or contact info. Hope that works for you.

qkaiser commented 1 year ago

We have an upcoming publication about similar vulnerabilities affecting different extractors in ubi-reader, jefferson, yaffshiv, and binwalk. We requested CVEs for each of these vulnerabilities so that users are aware they should upgrade to the latest version (through dependabot, for example).

The one that should be fixed by this PR has been assigned CVE-2022-4510.

qkaiser commented 1 year ago

Hi @devttys0 ! Thanks for taking care of this :)

I would recommend fixing yaffshiv as well (https://github.com/devttys0/yaffshiv/pull/3/) since similar impact can be obtained with a malformed YAFFS file.