Safe Tarfile incorrectly blocks Symlink Traversal Attempt #769

Closed
AndrewFasano opened this issue Feb 14, 2024 · 2 comments

@AndrewFasano

(I'm attempting to break #763 and #761 into smaller issues with concrete bugs and examples)

Filesystem: https://files.dlink.com.au/Products/DCS-6517/REV_B/Firmware/Firmware_2.00.03/DCS-6517B1_FW_v2.00.03.zip

Binwalk extraction produces 173 symlinks that unblob drops. For example, sbin/init -> ../bin/busybox. Unblob does not produce these due to incorrect symlink handling in _safe_tarfile.py.

2024-02-14 18:19.09 [warning  ] Traversal attempt through link path. Skipped. path=sbin/init pid=58

Tested with head of main and #768; both produce the same behavior (since this bug is specific to the logic in safe_tarfile).

@e3krisztian
Contributor

I can confirm the problem with the linked firmware.

Number of symlinks in the tar file:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ tar tvf gzip.uncompressed | fgrep -- '->' | wc -l
348

While the extracted symlinks are:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ find -type l -ls | wc -l
170

Most of the missed ones are related to busybox, as reported, and are linked from some other directories.

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ tar tvf gzip.uncompressed | fgrep -- '->' | fgrep ../ | wc -l
173

Some of the files missing:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ tar tvf gzip.uncompressed | fgrep -- '->' | fgrep ../ | fgrep sbin
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/lsmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/klogd -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/reboot -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.reiser -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/sysctl -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/syslogd -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/logread -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/insmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/halt -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/nameif -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/hwclock -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.minix -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/rmmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/fdisk -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/fsck -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/tunctl -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/bootchartd -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/zcip -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/losetup -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mke2fs -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mdev -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.vfat -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/init -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/fsck.minix -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/ifconfig -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/getty -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/adjtimex -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/depmod -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/freeramdisk -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/arp -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/devmem -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/acpid -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/findfs -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/start-stop-daemon -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/modinfo -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkdosfs -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkfs.ext2 -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/udhcpc -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/vconfig -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/poweroff -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/modprobe -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/blockdev -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/mkswap -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/blkid -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 sbin/route -> ../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/fbset -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/brctl -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/udhcpd -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/rdate -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/flash_eraseall -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/nandwrite -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/nanddump -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/rdev -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/nbd-client -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/telnetd -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/chroot -> ../../bin/busybox
lrwxrwxrwx richard/richard       0 2017-07-11 09:58 usr/sbin/dhcprelay -> ../../bin/busybox

While the extracted directories have none of the above:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract$ ls gzip.uncompressed_extract/sbin/ gzip.uncompressed_extract/usr/sbin/
gzip.uncompressed_extract/sbin/:
iscsid

gzip.uncompressed_extract/usr/sbin/:

@e3krisztian
Contributor

With #775 merged, all but one of the symlinks are extracted:

DCS-6517B1_FW_v2.00.03.zip_extract/DCS-6517B1_FW_v2.00.03.pkg_extract/44-17853067.gzip_extract/gzip.uncompressed_extract$ find -type l -ls | wc -l
347
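
An added example, not part of the thread and not unblob's code: a lexical containment check that resolves a relative symlink target from the directory holding the link, so `sbin/init -> ../bin/busybox` is accepted while a target that climbs above the extraction root is flagged. The function names, the constructed `outside` entries, the treatment of absolute paths as escaping, and the `target_only_check` contrast (a hypothetical over-strict check, not a claim about what `_safe_tarfile.py` did) are assumptions.

```python
import io
import posixpath
import tarfile

# First two entries are taken from the listing in this issue; the rest are constructed.
SAMPLE_LINKS = [
    ("sbin/init", "../bin/busybox"),
    ("usr/sbin/telnetd", "../../bin/busybox"),
    ("bin/sh", "busybox"),
    ("sbin/outside", "../../outside"),        # constructed: one level above root
    ("usr/sbin/deep", "../../../outside"),    # constructed: one level above root
]

def link_escapes_root(member_name: str, link_target: str) -> bool:
    """True if the symlink would lexically resolve outside the extraction root."""
    # Assumption: absolute names and targets are treated as escaping.
    if posixpath.isabs(member_name) or posixpath.isabs(link_target):
        return True
    # A relative target is interpreted from the link's own directory,
    # not from the extraction root.
    parent = posixpath.dirname(posixpath.normpath(member_name))
    resolved = posixpath.normpath(posixpath.join(parent, link_target))
    return resolved == ".." or resolved.startswith("../")

def target_only_check(link_target: str) -> bool:
    """Hypothetical over-strict check: ignores where the link lives."""
    return posixpath.normpath(link_target).startswith("..")

def build_sample_tar() -> bytes:
    """Build an in-memory tar holding only the constructed symlink entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in SAMPLE_LINKS:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()

def classify(tar_bytes: bytes) -> dict:
    """Map each symlink member name to whether it escapes the root."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: link_escapes_root(m.name, m.linkname)
                for m in tar if m.issym()}

if __name__ == "__main__":
    for name, escapes in classify(build_sample_tar()).items():
        print(f"{name}: {'escapes root' if escapes else 'inside root'}")
```

The check is purely lexical: it does not account for an earlier archive member that is itself a symlink appearing as a directory component of a later path, which an extractor has to handle separately.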
