When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, 6.1 Medium
cpio is an archive format and also an archive handling tool. Several implementations exist, for example GNU cpio, bsdcpio, and BusyBox cpio. The BusyBox variant of cpio has been found to extract archives that contain relative file names with a
../ traversal pattern and this cannot be prevented.
While bsdcpio ignores archived files that have absolut file names or contain
../ and GNU cpio has a parameter to prevent extracting these file names, BusyBox processes archives with such names and there is no parameter to handle potentially untrusted archives.
If untrusted archives are extracted, this may result in writing files outside the destination directory. This could result in files being overwritten that contain configuration in form of shell scripts such as
~/.bashrc or that enable a login from a remote side such as the
2023-07-24: Vulnerability noticed.
2023-07-26: Initial contact of BusyBox maintainer via e-mail.
2023-08-01: Second try to contact BusyBox maintainer via e-mail. First try to contact developer of the module, but e-mail bounced. First contact to Debian security team, because BusyBox package is available via Debian packages.
2023-08-24: CVE-2023-39810 was assigned.
2023-08-28: Advisory published after not being able to get in contact with maintainer or developer.
The issue affects BusyBox
cpio in multiple versions on different platforms. Pentagrid tested the following versions and could successfully reproduce the issue.
The processing of relative and absolute file names could result in risks. For example the GNU cpio program was affected by the same vulnerability, referenced as "CVE-2005-1229 - Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file." A patch was developed and added to cpio 2.6-6, which requires an additional parameter
--no-absolute-filenames to prevent files being overwritten. This option also works for relative file names with
../ pattern. This is still an insecure default, but an improvement. However, some distributions seems to have reverted the patch.
BusyBox cpio is another implementation and it has no mechanism to avoid the processing of relative files with
../ pattern as shown with the proof of concept below:
#!/bin/sh set -e echo + Clean-up rm -rf /tmp/testcase echo + Create a test archive mkdir -p /tmp/testcase/a/b/ echo test > /tmp/testcase/testfile cd /tmp/testcase/a/b/ (echo ../../testfile; echo /etc/hostname) | cpio -ov -H newc -O /tmp/testcase/a/b/archive.cpio --quiet rm /tmp/testcase/testfile echo + Extract archive mkdir /tmp/testcase/a/b/etc strace -f busybox cpio -iv < archive.cpio 2>&1 | grep 'hostname\|testfile' | grep -v read echo + List files find /tmp/testcase/
find command lists extracted files:
/tmp/testcase/ /tmp/testcase/testfile <-- extracted rel. file /tmp/testcase/a /tmp/testcase/a/b <-- working directory /tmp/testcase/a/b/etc /tmp/testcase/a/b/etc/hostname <-- extracted abs. file /tmp/testcase/a/b/archive.cpio <-- archive to extract
According to the output above, the
testfile is written outside of the working directory.
An untrusted archive is extracted with the BusyBox cpio tool and the running cpio process has permissions to write files outside the destination directory.
Pentagrid recommends changing the default behaviour and to ignore relative file names with
../ pattern within a cpio archive. To process files with a directory traversal pattern, a command line flag could be introduced like it was done for GNU cpio.
Users can specify on the BusyBox cpio command line which file name should be unpacked, which should be safe as long as no directory traversal is included in that file name argument.
User may also consider using another cpio implementation or may ensure that archive files are trusted.
The vulnerability has been found by Tobias Ospelt and Martin Schobert of Pentagrid.