Replies: 2 comments 2 replies
-
|
@qkaiser I know you've found this in other extractors. Anything to look for in particular? Or stuff you've patched for squashfs-tools? In the meantime, should be able to browse the cves for squashfs-tools |
Beta Was this translation helpful? Give feedback.
-
|
The vulnerability class described by @rbran corresponds to CVE-2021-41072 which affects squashfs-tools up to version 4.5 included. squashfs-tools was also affected by CVE-2021-40153 which is simpler as it only requires to place the traversal payload in the inode name. Some tools that use it as a dependency are also affected. For example, this version of sasquatch installed by binwalk is based on squashfs-tools version 4.3 and is therefore affected by both bugs described above. That's why we forked away to have up-to-date dependencies without known vulnerabilities. If you're interested in this bug class specifically in filesystem parsers: |
Beta Was this translation helpful? Give feedback.
-
|
The path tranversal is fixed by #271, CVE-2021-41072 and CVE-2021-40153. |
Beta Was this translation helpful? Give feedback.
-
|
Besides the path tranversal I was thinking in manipulate the inodes directly to put other inodes inside a symlink. My first idea was to use the Maybe there is a more creative way to manipulate the |
Beta Was this translation helpful? Give feedback.
-
It's possible to put a file inside other file? I think currently there is no verification for something like that.
It could be a vulnerability if possible to craft a squashfs file that contains a symlink and inside of it a file/folder. Once this file is extracted, the file/folder will be created inside whatever the symlink points to, possibly escaping the extraction directory root.
Is this file possible? Is backhand vulnerable? What about the other squashfs libs?
I'll investigate that once I have more time, meanwhile let me know what you think.
Beta Was this translation helpful? Give feedback.
All reactions