First published: Wed Nov 15 2023 (Updated: )
Summary: CPIO was found to be vulnerable to a Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution on the target.

Details: While handling CPIO archives, cpio by default follows symlinks stored in the archive during extraction, and the archiver does not check where the symlink points. A later archive entry whose path passes through such a symlink is therefore written to an unintended location outside the extraction directory (arbitrary file write). An attacker can craft a malicious cpio archive so that, when the victim extracts it, the attacker achieves RCE on the target system.

PoC (steps to reproduce): Complete instructions to craft a cpio archive to demonstrate the vulnerability.

```
mkdir testcpio
ln -sf /tmp/ testcpio/tmp
echo "TEST Traversal" > testcpio/tmpYtrav.txt
cd testcpio/
ls | cpio -ov > ../trav.cpio
cd ../
sed -i s/"tmpY"/"tmp\/"/g trav.cpio
```

Extract the malicious archive:

```
cpio -i < trav.cpio
```

Impact: An attacker can craft malicious cpio archives that exploit the vulnerability to write files to locations such as ~/.ssh, ~/.bashrc, ~/.config/autostart/ etc., to achieve full remote command execution on the target/victim system. Software that uses CPIO as a component might be vulnerable.

Credit: Febin Mon Saji
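A defender-side check for the pattern described above, added here as an example that is not part of the original report or of GNU cpio: a small parser for the SVR4 "newc" cpio format (magic `070701`) that scans an archive before extraction and reports entries whose path escapes the extraction directory on its own, or whose path passes through a symlink stored in the same archive (the `tmp -> /tmp/` followed by `tmp/trav.txt` case). The archive builder and the sample archive are constructed inline so the scan runs offline; `build_newc`, `parse_newc` and `scan_cpio` are this example's own names. The symlink check deliberately ignores entry order, so it is conservative.

```python
"""Pre-extraction scan of a cpio 'newc' archive for symlink-traversal entries.

Added example for this advisory page; not code from GNU cpio or the reporter.
The archive builder and sample data below are constructed for the demo.
"""
import posixpath
import stat

NEWC_MAGIC = b"070701"
HEADER_LEN = 110   # 6-byte magic + 13 fields of 8 ASCII hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build a newc archive from (name, mode, data) tuples.

    For a symlink entry the link target is stored as the entry data, exactly
    as cpio does. A TRAILER!!! record is appended automatically.
    """
    out = bytearray()
    records = list(entries) + [("TRAILER!!!", 0, b"")]
    for ino, (name, mode, data) in enumerate(records, start=1):
        name_z = name.encode() + b"\0"
        # Field order: ino, mode, uid, gid, nlink, mtime, filesize,
        # devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_z), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_z + b"\0" * _pad4(HEADER_LEN + len(name_z))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def parse_newc(data):
    """Yield (name, mode, body) for every entry up to the TRAILER!!! record."""
    pos = 0
    while pos + HEADER_LEN <= len(data):
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("not a newc archive at offset %d" % pos)
        f = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_start = pos + HEADER_LEN
        name = data[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        body_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        body = data[body_start:body_start + filesize]
        if name == "TRAILER!!!":
            return
        yield name, mode, body
        pos = body_start + filesize + _pad4(filesize)


def scan_cpio(data):
    """Return [(entry_name, reason)] for entries that should block extraction.

    Check 1: the entry path itself escapes the extraction directory
             (absolute path or a leading '..' after normalisation).
    Check 2: a path component before the last one names a symlink that is
             also stored in the archive, so cpio would write through it.
    Symlink entries themselves are not reported: they are legitimate in
    packages; the danger is an entry written through them.
    """
    entries = list(parse_newc(data))
    symlinks = {posixpath.normpath(n): b.decode("utf-8", "replace")
                for n, m, b in entries if stat.S_ISLNK(m)}
    findings = []
    for name, mode, body in entries:
        norm = posixpath.normpath(name)
        if norm.startswith("/") or norm == ".." or norm.startswith("../"):
            findings.append((name, "path escapes extraction directory"))
            continue
        parts = norm.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, "written through symlink %r -> %r"
                                 % (prefix, symlinks[prefix])))
                break
    return findings


# Constructed sample mirroring the advisory's PoC layout: a symlink entry
# 'tmp' pointing at /tmp/, then a regular file whose path goes through it.
SAMPLE = build_newc([
    ("tmp", stat.S_IFLNK | 0o777, b"/tmp/"),
    ("tmp/trav.txt", stat.S_IFREG | 0o644, b"TEST Traversal\n"),
    ("notes.txt", stat.S_IFREG | 0o644, b"harmless\n"),
])

if __name__ == "__main__":
    for entry, reason in scan_cpio(SAMPLE):
        print("BLOCK %s: %s" % (entry, reason))
```

Run it against a real archive with `scan_cpio(open("archive.cpio", "rb").read())` before calling cpio; the parser only understands the newc format, so archives written in the old binary format (GNU cpio's default for `cpio -o` without `-H newc`) must be converted or listed another way first.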
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU Cpio | | |
The severity of REDHAT-BUG-2249901 is critical due to its potential for remote command execution.
To fix REDHAT-BUG-2249901, it is recommended to update to a patched version of GNU CPIO.
The potential risks associated with REDHAT-BUG-2249901 include unauthorized remote command execution on the affected system.
REDHAT-BUG-2249901 specifically affects GNU CPIO.
The nature of the vulnerability in REDHAT-BUG-2249901 is a Path Traversal vulnerability that allows following symlinks during extraction.