CVE-2022-4510 - OpenCVE

Vendors	Products
Microsoft	Binwalk

Link	Providers
https://github.com/ReFirmLabs/binwalk/pull/617
https://security.gentoo.org/glsa/202309-07

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4510", "assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846", "state": "PUBLISHED", "assignerShortName": "ONEKEY", "dateReserved": "2022-12-15T08:12:09.055Z", "datePublished": "2023-01-25T12:25:14.811Z", "dateUpdated": "2024-08-03T01:41:45.526Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["PFS extractor"], "packageName": "binwalk", "platforms": ["Linux", "MacOS"], "product": "binwalk", "programFiles": ["https://github.com/ReFirmLabs/binwalk/blob/11a9bcd4451c4e5ff5db5abbc0df06e7b8838568/src/binwalk/plugins/unpfs.py"], "repo": "https://github.com/ReFirmLabs/binwalk/", "vendor": "Refirm Labs", "versions": [{"lessThanOrEqual": "2.3.3", "status": "affected", "version": "2.1.2b", "versionType": "2.1.2b"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Quentin Kaiser from ONEKEY Research Labs"}], "datePublic": "2023-01-26T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files <tt>src/binwalk/plugins/unpfs.py</tt>.This issue affects binwalk from 2.1.2b through 2.3.3 included."}], "value": "\nA path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction,\u00a0would extract a malicious binwalk module into the folder .config/binwalk/plugins.\n This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.\n\nThis issue affects binwalk from 2.1.2b through 2.3.3 included.\n\n"}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The finder provided a proof-of-concept publicly so that maintainers could reproduce the vulnerability (see <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/ReFirmLabs/binwalk/pull/617\">https://github.com/ReFirmLabs/binwalk/pull/617</a>)."}], "value": "The finder provided a proof-of-concept publicly so that maintainers could reproduce the vulnerability (see https://github.com/ReFirmLabs/binwalk/pull/617 https://github.com/ReFirmLabs/binwalk/pull/617 )."}], "impacts": [{"capecId": "CAPEC-549", "descriptions": [{"lang": "en", "value": "CAPEC-549 Local Execution of Code"}]}, {"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2d533b80-6e4a-4e20-93e2-171235122846", "shortName": "ONEKEY", "dateUpdated": "2023-02-03T14:42:16.367Z"}, "references": [{"url": "https://github.com/ReFirmLabs/binwalk/pull/617"}, {"url": "https://security.gentoo.org/glsa/202309-07"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2022-10-26T07:51:00.000Z", "value": "Reported to binwalk maintainers with a pull request containing the fix (https://github.com/ReFirmLabs/binwalk/pull/617)"}, {"lang": "en", "time": "2023-01-23T08:00:00.000Z", "value": "Reported to MSRC since they acquired Refirm Labs and we've observed the CPE 'microsoft:binwalk' for CVE-2021-4287"}, {"lang": "en", "time": "2023-01-25T08:00:00.000Z", "value": "MSRC answers they do not consider binwalk a Microsoft product."}], "title": "Path Traversal in binwalk", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The following workaround would fix the vulnerability: <ul><li>removing the unpfs extractor from your local install of binwalk</li><li>disabling the unpfs extractor by editing binwalk's extract.conf configuration file</li><li>apply the fix provided at <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/ReFirmLabs/binwalk/pull/617\">https://github.com/ReFirmLabs/binwalk/pull/617</a></li></ul>"}], "value": "The following workaround would fix the vulnerability:\n * removing the unpfs extractor from your local install of binwalk\n * disabling the unpfs extractor by editing binwalk's extract.conf configuration file\n * apply the fix provided at\u00a0 https://github.com/ReFirmLabs/binwalk/pull/617 https://github.com/ReFirmLabs/binwalk/pull/617 \n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:45.526Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ReFirmLabs/binwalk/pull/617", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202309-07", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:binwalk:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0573243-9C2F-4B14-8188-A01F9457D408", "versionEndExcluding": "2.3.3", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nA path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction,\u00a0would extract a malicious binwalk module into the folder .config/binwalk/plugins.\n This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.\n\nThis issue affects binwalk from 2.1.2b through 2.3.3 included.\n\n"}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de path traversal en binwalk de ReFirm Labs desde la versi\u00f3n 2.1.2b hasta la 2.3.3 incluidas. Mediante la creaci\u00f3n de un archivo de sistema de archivos PFS malicioso, un atacante puede hacer que el extractor PFS de binwalk extraiga archivos en ubicaciones arbitrarias cuando binwalk se ejecuta en modo de extracci\u00f3n (opci\u00f3n -e). Se puede lograr la ejecuci\u00f3n remota de c\u00f3digo creando un sistema de archivos PFS que, al extraerlo, extraiga un m\u00f3dulo malicioso de binwalk en la carpeta .config/binwalk/plugins. Esta vulnerabilidad est\u00e1 asociada a los archivos de programa src/binwalk/plugins/unpfs.py. Este problema afecta a binwalk desde la versi\u00f3n 2.1.2b hasta la 2.3.3 incluidas."}], "id": "CVE-2022-4510", "lastModified": "2023-09-17T09:15:11.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "research@onekey.com", "type": "Secondary"}]}, "published": "2023-01-26T21:18:06.547", "references": [{"source": "research@onekey.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/ReFirmLabs/binwalk/pull/617"}, {"source": "research@onekey.com", "url": "https://security.gentoo.org/glsa/202309-07"}], "sourceIdentifier": "research@onekey.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "research@onekey.com", "type": "Secondary"}]}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object