Closed qkaiser closed 1 year ago
I took the liberty to report this in the open since https://github.com/ReFirmLabs/binwalk/pull/556 was fixed that way and I did not find any security/coordinated disclosure policy or contact info. Hope that works for you.
We have an upcoming publication about similar vulnerabilities affecting different extractors in ubi-reader, jefferson, yaffshiv, and binwalk. We requested CVEs for each of these vulnerabilities so that users are aware they should upgrade to the latest version (through dependabot for example).
The one that should be fixed by this PR has been assigned CVE-2022-4510.
Hi @devttys0 ! Thanks for taking care of this :)
I would recommend fixing yaffshiv as well (https://github.com/devttys0/yaffshiv/pull/3/) since a similar impact can be obtained with a malformed YAFFS file.
`os.path.join` does not fully resolve a path, so the condition that follows will never be true. Fixed by resolving the path using `os.path.abspath`.

An attacker could craft a malicious PFS file that would cause binwalk to write outside the extraction directory. I attached a proof-of-concept (poc.zip) that, when extracted from the user's home directory, would extract a malicious binwalk module in `.config/binwalk/plugins`. This malicious plugin would then be loaded and executed by binwalk, leading to RCE.

PoC run:

The malicious plugin is simply this:

It's triggering four times because I did not define the `MODULES` attribute.
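The join-then-check pattern described above, next to the `os.path.abspath` fix, as an added example that is not binwalk's code. The prefix comparison, the sample entry names and the extraction directory are assumptions made for illustration.

```python
import os
from typing import List, Optional, Tuple

# Constructed sample of file names as they might appear in an archive's file
# table (not taken from the PoC attached to the PR): one benign entry, one that
# escapes into the plugin directory named in the report, one absolute path, and
# one that merely shares a string prefix with the extraction directory.
SAMPLE_ENTRIES = [
    "etc/passwd",
    "../../.config/binwalk/plugins/evil.py",
    "/etc/passwd",
    "../_fw.extracted_sibling/x",
]


def naive_prefix_check(outdir: str, name: str) -> bool:
    """The broken pattern: join, then compare the string prefix (assumed check).

    os.path.join never collapses '..' components, so the joined string still
    starts with outdir and the check passes even for an escaping entry.
    """
    return os.path.join(outdir, name).startswith(outdir)


def resolve_confined(outdir: str, name: str) -> Optional[str]:
    """Resolve with os.path.abspath (the fix from the report) and bound the
    result to outdir. Returns the resolved path, or None if it would escape."""
    base = os.path.abspath(outdir)
    # abspath collapses '..'; an absolute name makes join discard base entirely,
    # which the component comparison below then rejects. abspath is lexical only:
    # if earlier entries may have created symlinks, use os.path.realpath instead.
    target = os.path.abspath(os.path.join(base, name))
    # Compare path components rather than string prefixes, so that
    # "/x/out" does not accept "/x/outside/...".
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def partition_entries(outdir: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a whole file table into (accepted, rejected) entry names."""
    accepted, rejected = [], []
    for name in names:
        (accepted if resolve_confined(outdir, name) is not None else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    outdir = "/home/user/_fw.extracted"  # assumed extraction directory
    for name in SAMPLE_ENTRIES:
        print(f"{name!r}: naive check passes={naive_prefix_check(outdir, name)}, "
              f"confined={resolve_confined(outdir, name) is not None}")
```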