Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’
Security analysis tool Binwalk itself poses a security risk to users running out-of-date versions due to a path traversal vulnerability that could lead to remote code execution (RCE).
Binwalk is a popular command-line tool in Linux that is used for analyzing, reverse engineering, and extracting firmware images.
The path traversal issue requires users to open a “malicious file with binwalk using extract mode (-e option)” so user interaction is required, according to a security advisory published by Quentin Kaiser of ONEKEY Research Lab.
The flaw is tracked as CVE-2022-4510 and classified as high severity (CVSS 7.8).
Root cause
The vulnerability was introduced by the merging of the Professional File System (PFS) extractor plugin with binwalk in 2017, and arises because an attempt to mitigate path traversal risk with os.path.join failed.
The upshot is that six years later, Kaiser discovered that “by crafting a valid PFS filesystem with filenames containing the ../ traversal sequence, we can force binwalk to write files outside of the extraction directory”.
PFS is an obscure filesystem format occasionally found in embedded devices.
‘Environment agnostic’
Kaiser targeted binwalk’s plugin system in a bid to achieve an “environment agnostic” path to RCE.
Plugins load on all binwalk scans once they are dropped into the Python tool’s plugin directory.
“So, if we exploit the path traversal to write a valid plugin at that location, binwalk will immediately pick it up and execute it while it’s still scanning the malicious file,” Kaiser explained. “On top of that, the PFS extractor will take care of creating all required directories if they do not exist, so we don’t need to expect anything from the system we’re running on.”
Sign up to the Daily Swig Deserialized newsletter, your essential digest of web security news
Kaiser crafted a malicious plugin that “executes two times since it does not define an explicit MODULE attribute that defines its purpose (e.g., signature scan, entropy calculation, compression stream identification). I take advantage of that behavior to make it clean up after itself.”
Vulnerable versions span 2.1.2b through 2.3.3 inclusive. The vulnerability was addressed yesterday (February 2) with the release of binwalk version 2.3.4 – more than three months after ONEKEY said it first contacted the tool’s maintainer, Microsoft-owned Refirm Labs, and provided a suggested patch, in October 2022.
Yaffshiv
Kaiser’s research also uncovered similar, medium severity CVEs affecting other filesystem extractors, namely the ubi_reader, Jefferson, yaffshiv projects.
Kaiser warned that even fully up-to-date binwalk instances were potentially vulnerable to the same exploit chain because yaffshiv is installed and enabled by default on binwalk, except the attack vector would be YAFFS instead of PFS.
“Yaffshiv is maintained by the team behind binwalk so we hope a fix will be available soon,” Kaiser told The Daily Swig.
“Writing secure format parsers and extractors is a complex task (believe us, we've been working on exactly those issues with [our own extraction suite] Unblob) so it's not a surprise that we found these kinds of vulnerabilities in binwalk given the amount of format it supports.”
Salutary reminder
The research serves as a salutary reminder that security tools can themselves contain security holes. “This especially becomes critical in forensic analysis and reverse engineering where we are commonly faced with untrusted, potentially malicious files,” said Kaiser.
“While the path traversals described in this article have the potential to void any reverse engineering efforts and to tamper with evidence collected, they also demonstrate the importance of sandboxing analysis environments to limit the impact of such vulnerabilities. Especially with the rise of automated extraction and analysis tools relying on tools like binwalk (e.g., FACT, ofrak, EMBA), it’s important for developers and users of those solution to be aware of the risks.”
Kaiser hinted that ‘D-Link RomFS’ plugin could be his next focus for research as it “is probably affected by a similar vulnerability”.
The Daily Swig has approached Refirm Labs for comment. We will update this article if and when they respond.
MORE RELATED RESEARCH WAGO fixes config export flaw threatening data leak from industrial devices
