oss-sec
mailing list archives
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 23 Apr 2025 18:02:05 +0200
* Ian Norton <Ian.Norton () entrust com>, 2025-04-23 14:11:
> https://security-tracker.debian.org/tracker/CVE-2023-39810
> This is: "An issue in the CPIO command of Busybox v1.33.2 allows
> attackers to execute a directory traversal."
> see also https://lists.busybox.net/pipermail/busybox/2024-July/090851.html
This patch appears to be using a realpath(3)-like function, which is not
a good tool for this purpose. The function is fundamentally racy, as it
could traverse symlinks that are not under your control.
Even worse, on Linux systems you can abuse magic links in /proc to spoof
what realpath(3) returns in a race-free manner (although that works only
against yourself or root). See https://codeberg.org/jwilk/surrealpath
for a proof of concept.
But it seems busybox committed a different patch, which looks good:
https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641
("archival: disallow path traversals (CVE-2023-39810)")
The essence of the patch is:
+#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+ /* Strip leading "/" and up to last "/../" path component */
+ dst_name = (char *)strip_unsafe_prefix(dst_name);
+#endif
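Review bot: the call is guarded by ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION, so a build with that option switched off keeps the traversal; the commit message should state the option's default and why the protection is configurable at all. The `(char *)` cast indicates strip_unsafe_prefix returns a const pointer, and if dst_name is written through later the cast hides a real defect, so either drop the cast or have the helper return `char *` when given one. The rule in the comment ("Strip leading "/" and up to last "/../" path component") is purely lexical, which is the right choice here (no realpath, no race), but it also means later entries that descend into a directory entry already replaced by a symlink are not covered by this line and need their own handling.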
--
Jakub Wilk
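Added example, not code from this thread or from busybox: a Python reimplementation of the stripping rule stated in the commit comment (drop a leading "/" and everything up to the last "/../"), applied to constructed archive member names. The loop is my reading of that comment, and the containment check is an extra lexical assertion the patch line itself does not contain.

```python
import posixpath


def strip_unsafe_prefix(name: str) -> str:
    """Drop a leading '/' and everything up to and including the last '/../'.

    Purely lexical: no realpath(3), no filesystem access, so there is no
    check-then-use window for another party to race. This is my own
    reading of the patch comment, not busybox's C helper.
    """
    cp = name
    while True:
        if cp.startswith("/"):          # absolute path -> make it relative
            cp = cp[1:]
            continue
        if cp.startswith("../"):        # leading parent reference
            cp = cp[3:]
            continue
        idx = cp.find("/../")           # any later "/../" drops all before it
        if idx < 0:
            break
        cp = cp[idx + 4:]
    return cp


def stays_under_root(root: str, member: str) -> bool:
    """Lexical containment check of a sanitized member under the extraction root."""
    root = root.rstrip("/") or "/"
    target = posixpath.normpath(posixpath.join(root, member))
    return target == root or target.startswith(root + "/")


def sanitize_members(names):
    """Return (original, sanitized, rewritten?) for each constructed member name."""
    return [(n, strip_unsafe_prefix(n), strip_unsafe_prefix(n) != n) for n in names]


# Constructed sample member names, as a malicious cpio/tar listing might carry.
SAMPLE_MEMBERS = [
    "/etc/passwd",
    "../../etc/shadow",
    "usr/../../root/.ssh/authorized_keys",
    "bin/ls",
    "docs/..notes/readme",
]

if __name__ == "__main__":
    for orig, clean, changed in sanitize_members(SAMPLE_MEMBERS):
        print(f"{orig!r:45} -> {clean!r:30} rewritten={changed}")
```

Every name that comes out of strip_unsafe_prefix satisfies stays_under_root for any root, which is what the lexical approach buys over a realpath-based check.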