onekey-sec / unblob

Extract files from any kind of container formats
https://unblob.org

Safe Tarfile incorrectly blocks Symlink Traversal Attempt #769

Closed AndrewFasano closed 5 months ago

AndrewFasano commented 5 months ago

(I'm attempting to break #763 and #761 into smaller issues with concrete bugs and examples)

Filesystem: https://files.dlink.com.au/Products/DCS-6517/REV_B/Firmware/Firmware_2.00.03/DCS-6517B1_FW_v2.00.03.zip

Binwalk extraction produces 173 symlinks that unblob drops. For example, sbin/init -> ../bin/busybox. Unblob does not produce these due to incorrect symlink handling in _safe_tarfile.py.

2024-02-14 18:19.09 [warning  ] Traversal attempt through link path. Skipped. path=sbin/init pid=58

Tested with head of main and #768; both produce the same behavior (since this bug is specific to the logic in safe_tarfile).

e3krisztian commented 5 months ago

I can confirm the problem with the linked firmware.

Number of symlinks in the tar file:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ tar tvf gzip.uncompressed | fgrep -- '->' | wc -l
348

While the extracted symlinks are:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ find -type l -ls | wc -l
170

Most of the missed ones are related to busybox, as reported, and are linked from some other directories.

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ tar tvf gzip.uncompressed | fgrep -- '->' | fgrep ../ | wc -l
173

Some of the files missing:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ tar tvf gzip.uncompressed | fgrep -- '->' | fgrep ../ | fgrep sbin
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/lsmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/klogd -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/reboot -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.reiser -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/sysctl -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/syslogd -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/logread -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/insmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/halt -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/nameif -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/hwclock -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.minix -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/rmmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/fdisk -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/fsck -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/tunctl -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/bootchartd -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/zcip -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/losetup -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mke2fs -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mdev -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.vfat -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/init -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/fsck.minix -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/ifconfig -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/getty -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/adjtimex -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/depmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/freeramdisk -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/arp -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/devmem -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/acpid -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/findfs -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/start-stop-daemon -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/modinfo -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkdosfs -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.ext2 -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/udhcpc -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/vconfig -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/poweroff -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/modprobe -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/blockdev -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkswap -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/blkid -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/route -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/fbset -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/brctl -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/udhcpd -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/rdate -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/flash_eraseall -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/nandwrite -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/nanddump -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/rdev -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/nbd-client -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/telnetd -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/chroot -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/dhcprelay -> ../../bin/busybox

While the extracted directories have none of the above:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ ls gzip.uncompressed_extract/sbin/ gzip.uncompressed_extract/usr/sbin/
gzip.uncompressed_extract/sbin/:
iscsid

gzip.uncompressed_extract/usr/sbin/:

e3krisztian commented 5 months ago

With #775 merged, all but one of the symlinks are extracted:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract/gzip.uncompressed_extract$ find -type l -ls | wc -l
347
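
The false positive discussed in this thread, as an added example that is not unblob's code and not part of the original issue: a relative symlink target has to be resolved against the directory that holds the link, not against the extraction root. `naive_link_escapes_root` is a hypothetical over-strict check shown for contrast, the function names are assumptions, and the `sbin/evil` entry and the in-memory tar are constructed.

```python
import io
import posixpath
import tarfile

# Constructed sample: two links reported in the issue plus one that really escapes.
SAMPLE_LINKS = [
    ("sbin/init", "../bin/busybox"),
    ("usr/sbin/telnetd", "../../bin/busybox"),
    ("sbin/evil", "../../etc/passwd"),  # constructed entry, not from the firmware
]

def _outside(path: str) -> bool:
    """True if a normalized relative path climbs above its starting point."""
    return path == ".." or path.startswith("../")

def link_escapes_root(member_name: str, link_target: str) -> bool:
    """Resolve the target relative to the link's parent directory."""
    if posixpath.isabs(link_target):
        return True  # policy of this example: absolute targets are flagged
    parent = posixpath.dirname(posixpath.normpath(member_name))
    return _outside(posixpath.normpath(posixpath.join(parent, link_target)))

def naive_link_escapes_root(link_target: str) -> bool:
    """Hypothetical over-strict check: resolves the target against the root."""
    return posixpath.isabs(link_target) or _outside(posixpath.normpath(link_target))

def build_sample_tar() -> bytes:
    """Build an in-memory tar that contains only the sample symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in SAMPLE_LINKS:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()

def classify(tar_bytes: bytes) -> dict:
    """Map each symlink member name to True when its target leaves the root."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if member.issym():
                verdicts[member.name] = link_escapes_root(member.name, member.linkname)
    return verdicts

if __name__ == "__main__":
    for name, escapes in classify(build_sample_tar()).items():
        print(f"{name}: {'skip' if escapes else 'extract'}")
```

The check is purely lexical: an extractor also has to make sure that no directory component of the member path is itself an already-extracted symlink, otherwise a harmless-looking target can still resolve outside the root on disk.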