Adam Bannister 03 February 2023 at 16:36 UTC
Updated: 17 February 2023 at 13:20 UTC
Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’
Security analysis tool Binwalk itself poses a security risk to users running out-of-date versions due to a path traversal vulnerability that could lead to remote code execution (RCE).
Binwalk is a popular command-line tool on Linux used for analyzing, reverse engineering, and extracting firmware images.
The path traversal issue requires users to open a “malicious file with binwalk using extract mode ( option)” so user interaction is required, according to a security advisory published by Quentin Kaiser of ONEKEY Research Lab.
The flaw is tracked as CVE-2022-4510 and classified as high severity (CVSS 7.8).
The vulnerability was introduced by the merging of the Professional File System (PFS) extractor plugin with binwalk in 2017, and arises because an attempt to mitigate path traversal risk with failed.
The upshot is that six years later, Kaiser discovered that “by crafting a valid PFS filesystem with filenames containing the traversal sequence, we can force binwalk to write files outside of the extraction directory”.
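The check that an extractor needs at the point described above, written as an added defensive example (not binwalk's own code, and not the PFS extractor's): a plain `os.path.join` is compared with a containment check that resolves the candidate path and confirms it still lies under the extraction directory. The entry names are a constructed sample, not real PFS data, and the extraction directory is a placeholder.

```python
import os

# Constructed sample of directory entries as an extractor might read them from
# a filesystem image (not real PFS data). Three of them try to escape.
SAMPLE_ENTRIES = [
    "etc/config",
    "bin/busybox",
    "../../escaped.txt",          # relative traversal sequence
    "/etc/passwd",                # absolute name: os.path.join discards the base
    "lib/../../sibling/file",     # traversal hidden behind a legitimate prefix
]


def naive_target(extract_dir, name):
    """The pattern that fails: os.path.join neither collapses '..' nor keeps
    an absolute `name` underneath `extract_dir`."""
    return os.path.join(extract_dir, name)


def safe_target(extract_dir, name):
    """Return the absolute destination for `name`, or raise ValueError if the
    resolved path would leave `extract_dir`."""
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath rather than str.startswith: startswith would wrongly accept
    # a sibling directory whose name merely begins with the root's name.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"traversal rejected: {name!r}")
    return candidate


def plan_extraction(extract_dir, names):
    """Split entries into (accepted destinations, rejected names) before any
    file is written, so a single bad entry cannot land outside the root."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_target(extract_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Placeholder extraction directory; it does not need to exist.
    ok, bad = plan_extraction("/tmp/extract-out", SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

Resolving with `os.path.realpath` before the containment check matters because a symlink already written into the extraction directory can otherwise redirect a later, lexically clean entry outside the root.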
PFS is an obscure filesystem format occasionally found in embedded devices.
Kaiser targeted binwalk’s plugin system in a bid to achieve an “environment agnostic” path to RCE.
Plugins load on all binwalk scans once they are dropped into the Python tool’s plugin directory.
“So, if we exploit the path traversal to write a valid plugin at that location, binwalk will immediately pick it up and execute it