In the vast world of UNIX utilities, there’s a compact powerhouse that many embedded systems rely upon: BusyBox. By ingeniously combining miniature versions of countless UNIX utilities into a singular executable, BusyBox offers a versatile environment tailored for compact and embedded systems. However, a recent discovery by cybersecurity researchers has raised concerns about its robustness against certain security threats.
For those unacquainted, BusyBox stands as a compelling substitute for a multitude of utilities typically found in GNU fileutils and shellutils, among others. It prioritizes efficiency, providing a truncated set of options compared to its full-featured GNU siblings.
A vulnerability has been discovered in the BusyBox cpio utility that could be exploited to result in a directory traversal attack. The vulnerability exists in the way that BusyBox handles relative file names in cpio archives.
The root of the matter revolves around a specific utility within BusyBox: cpio. Cpio, both an archive format and tool, exists in various incarnations—GNU cpio, bsdcpio, and, of course, BusyBox cpio.
While its counterparts—bsdcpio and GNU cpio—have mechanisms in place to circumvent certain security risks, BusyBox cpio possesses a latent vulnerability. When it processes archives containing relative file names with the “../” traversal pattern, it unhesitatingly extracts them, lacking any parameter to circumvent such actions with potentially untrusted archives.
This concern, tracked as CVE-2023-39810 and bearing a CVSS score of 6.1, has been observed across multiple versions and platforms of BusyBox cpio. Pentagrid AG notably confirmed the flaw’s presence in:
- BusyBox v1.33.2
- BusyBox v1.30.1
The implications of the CVE-2023-39810 vulnerability are unsettling. If unchecked, extracting untrusted archives could culminate in files veering outside the intended destination directory. Even more alarmingly, configuration files like ~/.bashrc or pivotal files like ~/.ssh/authorized_keys, which enable remote login, are susceptible to being overwritten.
In a vivid illustration of the risk: if an untrusted archive is extracted via the BusyBox cpio tool, and this process enjoys the liberty to pen files outside its designated directory, the security implications are manifold.
Pentagrid‘s recommendation is unequivocal: modify the default behavior. The simple act of dismissing relative file names bearing the “../” pattern within cpio archives could drastically diminish the threat. To further refine the process, taking a leaf from GNU cpio’s book by introducing a command line flag to process files with a directory traversal pattern might be a step in the right direction.
For users, prudence would dictate specifying, on the BusyBox cpio command line, the precise file name they wish to unpack. This approach remains largely safe, barring the inclusion of any directory traversal within that file name argument. Alternatively, pivoting to a different cpio implementation or ensuring the authenticity of archive files before extraction can also serve as viable protective measures.
