A serious security flaw in Binwalk, a widely used security analysis tool for Linux, has been patched to address a path traversal vulnerability that could lead to remote code execution (RCE). Binwalk is a command-line tool commonly employed in firmware analysis, reverse engineering, and firmware image extraction.
According to a security advisory published by Quentin Kaiser of ONEKEY Research Lab, the path traversal vulnerability only affects users who open a “malicious file with binwalk using extract mode (-e option).” This requires user interaction. The vulnerability is categorized as CVE-2022-4510 and is considered to have high severity (CVSS 7.8).
The root cause of the vulnerability dates back to 2017 when the Professional File System (PFS) extractor plugin was integrated with binwalk. Although the integration aimed to mitigate the path traversal risk using ‘os.path.join’, the attempt failed. Consequently, Kaiser discovered that six years later, a valid PFS filesystem with filenames containing the “../” traversal sequence could trigger binwalk to write files outside of the extraction directory.
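To make the failure mode concrete, the following is an added example (not binwalk's own code or the ONEKEY patch) that contrasts the naive approach described above with a containment check. `os.path.join` simply concatenates path components; it neither normalises nor rejects `..` segments, so an entry name carrying a traversal sequence yields a target outside the extraction directory. The hardened function resolves both paths and refuses any candidate that does not stay under the extraction root; it also rejects absolute entry names, which goes slightly beyond the `../` case the advisory describes. The entry names and the `/tmp/extract` directory are constructed sample values.

```python
import os
from typing import Iterable, List

# Constructed sample of filesystem entry names as an extractor might read
# them from an image. The third entry carries the "../" traversal sequence
# the advisory describes; the fourth is an absolute name, another way an
# untrusted entry can try to leave the extraction root. Not from a real image.
SAMPLE_ENTRY_NAMES = [
    "etc/passwd",
    "bin/busybox",
    "../../../outside/injected_file",
    "/outside/absolute_name",
]


def naive_target_path(extract_dir: str, entry_name: str) -> str:
    """Pre-fix pattern: join the untrusted name onto the extraction directory
    and trust the result. os.path.join does not contain '..' components, so
    a traversal sequence in entry_name escapes extract_dir. normpath is only
    applied here to make the escape visible as a clean absolute path."""
    return os.path.normpath(os.path.join(extract_dir, entry_name))


def safe_target_path(extract_dir: str, entry_name: str) -> str:
    """Hardened pattern: resolve the extraction root and the candidate target,
    then require the root to be a prefix of the candidate. realpath also
    collapses symlinks, so a link planted inside the tree cannot redirect
    a later write outside it."""
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path traversal rejected: {entry_name!r}")
    return candidate


def escapes_extract_dir(extract_dir: str, entry_name: str) -> bool:
    """True when the entry would be written outside extract_dir."""
    try:
        safe_target_path(extract_dir, entry_name)
    except ValueError:
        return True
    return False


def audit_entries(extract_dir: str, names: Iterable[str]) -> List[str]:
    """Return the entry names that fail the containment check. Useful as a
    pre-extraction audit: an image with any rejected entry should be treated
    as hostile rather than extracted with the naive join."""
    return [n for n in names if escapes_extract_dir(extract_dir, n)]


if __name__ == "__main__":
    root = "/tmp/extract"  # constructed sample extraction directory
    for name in SAMPLE_ENTRY_NAMES:
        naive = naive_target_path(root, name)
        verdict = "REJECT" if escapes_extract_dir(root, name) else "ok"
        print(f"{verdict:6} {name!r:45} naive join -> {naive}")
```

Run stand-alone, the script prints the naive join target next to the verdict for each sample name, which shows directly that the two traversal entries resolve to paths under `/outside` while the containment check flags them. The check must run on the final resolved path immediately before the write, not on the raw entry name, since normalisation applied too early can be undone by later joins.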
PFS is a less common filesystem format found in some embedded devices. Kaiser deliberately targeted binwalk’s plugin system to achieve “environment agnostic” remote code execution. By exploiting the path traversal vulnerability and crafting a valid plugin, binwalk can be forced to execute the malicious file while scanning it. Additionally, the PFS extractor automatically creates any required directories that do not yet exist, minimizing the preconditions on the target system.
The vulnerable versions of binwalk range from 2.1.2b to 2.3.3, inclusive. The team at Refirm Labs, owned by Microsoft, addressed the vulnerability by releasing binwalk version 2.3.4 on February 2, 2023. ONEKEY Research Lab had initially contacted the maintainers of binwalk in October 2022 and provided a suggested patch.
Further research by Kaiser revealed similar medium severity vulnerabilities, each assigned its own CVE, in other filesystem extractors including ubi_reader, Jefferson, and yaffshiv. Yaffshiv, the extractor binwalk uses by default, can potentially expose fully updated instances of binwalk to the same exploit chain, with YAFFS rather than PFS as the attack vector.
Kaiser highlighted the need to be cautious and aware of possible vulnerabilities in security tools, particularly those used for forensic analysis and reverse engineering. The advisory underlines the importance of sandboxing analysis environments to limit the impact of such vulnerabilities, especially given the increasing use of automated extraction and analysis tools that rely on binwalk, such as FACT, ofrak, and EMBA.
Kaiser also hinted at the possibility of a similar vulnerability affecting the ‘D-Link RomFS’ plugin, suggesting potential future research in that area. The Daily Swig has reached out to Refirm Labs for comment, and any response will be communicated in an updated article.