Summary
The Engrampa Archiver was found to be vulnerable to a path traversal vulnerability that can be leveraged to achieve full remote command execution on the target.
Details
While handling CPIO archives, the Engrampa Archive Manager follows symlinks: cpio by default follows stored symlinks while extracting, and the archiver does not check where a symlink points, which leads to arbitrary file writes to unintended locations. An attacker can craft a malicious cpio or ISO archive that achieves RCE on the target system when the victim extracts it.
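The check an extractor is missing here can be modelled without touching the disk: walk the archive's entries in order, remember every symlink the archive would create, resolve each later path through those links, and refuse anything that lands outside the destination directory. The following is an added example (not Engrampa's or cpio's code) that does exactly that over a constructed entry list shaped like the advisory's PoC archive; it also catches plain "../" traversal, which the same logic covers.

```python
import posixpath

# Constructed sample mirroring the PoC archive (an assumption about its shape):
# (archive path, entry kind, symlink target or None), in archive order.
SAMPLE_ENTRIES = [
    ("tmp", "symlink", "/tmp/"),
    ("tmp/trav.txt", "file", None),
    ("docs/readme.txt", "file", None),
]

def _resolve(base, rel, symlinks):
    """Walk rel from base one component at a time, following any symlink
    the archive created earlier; returns a normalized absolute path."""
    cur = base
    for part in rel.split("/"):
        if part in ("", "."):
            continue
        cur = posixpath.normpath(posixpath.join(cur, part))
        target = symlinks.get(cur)
        if target is not None:
            # an absolute target restarts at /, a relative one at the link's directory
            cur = posixpath.normpath(posixpath.join(posixpath.dirname(cur), target))
    return cur

def _inside(dest, path):
    return path == dest or path.startswith(dest + "/")

def check_entries(dest, entries):
    """Simulate extracting entries into dest and return (archive path, reason)
    for every entry that would be written, or point, outside dest."""
    dest = posixpath.normpath(dest)
    symlinks = {}   # absolute link path -> raw target, for links created so far
    findings = []
    for path, kind, target in entries:
        real = _resolve(dest, path, symlinks)
        if not _inside(dest, real):
            findings.append((path, "would be written to %s" % real))
            continue
        if kind == "symlink":
            if target.startswith("/"):
                resolved = posixpath.normpath(target)
            else:
                resolved = _resolve(dest, posixpath.join(posixpath.dirname(path), target), symlinks)
            symlinks[real] = target   # later entries now resolve through this link
            if not _inside(dest, resolved):
                findings.append((path, "symlink target %s is outside destination" % resolved))
    return findings

if __name__ == "__main__":
    for path, reason in check_entries("/home/victim/extract", SAMPLE_ENTRIES):
        print("REJECT %s: %s" % (path, reason))
```

A safe extractor would stop at the first finding rather than continue; the simulation reports all of them so the whole chain (the escaping link, then the file written through it) is visible.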
PoC
Complete instructions to craft a cpio archive that demonstrates the vulnerability:
mkdir test_cpio
ln -sf /tmp/ test_cpio/tmp
echo "TEST Traversal" > test_cpio/tmpYtrav.txt
cd test_cpio/
ls | cpio -ov > ../trav.cpio
cd ../
sed -i s/"tmpY"/"tmp\/"/g trav.cpio
Impact
An attacker can craft malicious cpio archives that exploit the vulnerability to write files to locations such as ~/.ssh, ~/.bashrc and ~/.config/autostart/, achieving full remote command execution on the victim's system.