Binwalk, a widely used Linux firmware analysis tool, contains a path traversal vulnerability that can be chained into remote code execution (RCE). The flaw affects every Binwalk release from 2.1.2b through 2.3.3.
Cause of Vulnerability
The path traversal was introduced in 2017, when the Professional File System (PFS) extractor plugin was merged into Binwalk. The extractor tried to contain its output paths by building them with os.path.join, but os.path.join neither strips ../ components nor rejects absolute names, so the intended mitigation failed. An attacker can therefore craft a valid PFS file system whose filenames contain the ../ traversal sequence and have Binwalk write files outside of the extraction directory.
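As an added illustration (not Binwalk's own code, and not taken from the PFS extractor), the Python below shows why os.path.join on its own is not a traversal defence, and what a hardened check looks like: canonicalise the candidate path and refuse anything that does not stay underneath the extraction directory. The entry names are constructed for the demonstration; the plugin path among them assumes Binwalk's user plugin directory lives under ~/.config/binwalk/plugins, which is an assumption made here and not something the article states.

```python
import os

# Constructed sample: entry names as a crafted file-system image might
# carry them. The traversal names are illustrative, not the real exploit's.
# The plugin entry ASSUMES Binwalk's user plugin directory is
# ~/.config/binwalk/plugins; the article does not state its location.
SAMPLE_ENTRIES = [
    "etc/passwd",
    "bin/busybox",
    "./www/index.html",
    "../../../../tmp/pwned.txt",
    "../../.config/binwalk/plugins/evil.py",
    "/etc/passwd",
]


def join_vulnerable(extract_dir, name):
    """The flawed pattern: os.path.join keeps '../' components untouched and,
    for an absolute name, discards extract_dir entirely, so a crafted entry
    resolves to a location outside the extraction directory."""
    return os.path.join(extract_dir, name)


def join_hardened(extract_dir, name):
    """Build the output path, canonicalise it (realpath also resolves any
    symlink already extracted into extract_dir), and refuse anything whose
    canonical form is not underneath extract_dir. Raises ValueError."""
    base = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return candidate


def escapes(extract_dir, name):
    """True when the vulnerable join would write outside extract_dir."""
    base = os.path.realpath(extract_dir)
    resolved = os.path.realpath(join_vulnerable(extract_dir, name))
    return os.path.commonpath([base, resolved]) != base


def triage(extract_dir, names):
    """Run every entry through the hardened join. Returns a dict mapping each
    accepted name to its canonical output path, plus the rejected names in
    input order, which is what a hardened extractor would log."""
    accepted, rejected = {}, []
    for name in names:
        try:
            accepted[name] = join_hardened(extract_dir, name)
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    out = "/tmp/binwalk_out"
    for name in SAMPLE_ENTRIES:
        flag = "ESCAPES" if escapes(out, name) else "ok"
        print(f"{flag:8} {join_vulnerable(out, name)}")
    accepted, rejected = triage(out, SAMPLE_ENTRIES)
    print("rejected:", rejected)
```

The check has to run on every write, not once per image: realpath resolves symlinks, so an image that first drops a symlink inside the extraction directory and then writes through it is rejected too, whereas a purely lexical normpath comparison would accept that second write. The same pattern applies to any extractor that turns attacker-controlled entry names into output paths, which is the bug class behind the other extractor findings discussed below.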
Plugins Load on All Binwalk Scans
Binwalk's plugin system provides an "environment agnostic" path from this arbitrary file write to RCE. Any plugin dropped into the Python tool's plugin directory is loaded on every Binwalk scan. If an attacker uses the path traversal to write a valid plugin to that location, Binwalk picks it up and executes it immediately, while it is still scanning the malicious file.
Malicious Plugin Execution
The researcher who discovered the vulnerability, Quentin Kaiser of ONEKEY Research Lab, crafted a malicious plugin that executes twice and does not clean up after itself. The plugin takes advantage of the fact that it does not define an explicit MODULE attribute declaring which Binwalk module it serves, so it is not restricted to any one module.
Vulnerability Addressed in Binwalk 2.3.4
The vulnerability was addressed on February 2, 2023, with the release of Binwalk version 2.3.4. This was more than three months after ONEKEY first contacted the tool’s maintainer, Refirm Labs, and provided a suggested patch.
Similar Vulnerabilities Found in Other File System Extractors
Kaiser's research also uncovered similar, medium-severity vulnerabilities in other file system extractors, such as the ubi_reader, Jefferson, and yaffshiv projects. He warned that even fully up-to-date Binwalk instances could be vulnerable to the same exploit chain, because yaffshiv is installed and enabled by default with Binwalk; the attack vector would simply be a crafted YAFFS image instead of a PFS one.
Importance of Sandboxing Analysis Environments
The research is a reminder that security tools can themselves contain security holes, and forensic analysis and reverse engineering tools are a prime case because analysts routinely feed them untrusted, potentially malicious files. Developers and users of automated extraction and analysis tools should be aware of this risk and limit the blast radius of such vulnerabilities by sandboxing analysis environments, for example by running extraction as an unprivileged user in a disposable container that has no write access to the tool's own plugin or configuration directories.
The Binwalk path traversal highlights the importance of keeping security tools up to date and of treating untrusted files with caution. Kaiser hinted that the 'D-Link RomFS' plugin could be his next research target, as it "is probably affected by a similar vulnerability."