BusyBox Incomplete Path Sanitization Vulnerability in Archive Extraction Utilities Allowing Arbitrary File Overwrite and Potential Code Execution

Vulnerability

A vulnerability exists in BusyBox versions 1.36.1 and 1.37.0, likely affecting earlier versions, due to incomplete path sanitization in its archive extraction utilities. This flaw allows an attacker to create malicious archives that, when extracted under specific conditions, can overwrite arbitrary files outside the intended directory. Such file modifications could lead to unauthorized code execution by altering sensitive system files. The vulnerability arises from the 'strip_unsafe_prefix()' function, which fails to properly handle trailing '..' components in filenames, enabling files to be written outside the designated extraction directory.

Impact

Exploitation of this vulnerability can result in arbitrary file overwrites, with the potential for code execution by modifying shell configuration files, cron jobs, or other critical system files.

Reproduction

The vulnerability can be reproduced by crafting a tar file that includes hard links to sensitive files, such as '/etc/hosts', using a Python script. This tar file can then be extracted using the vulnerable BusyBox version, which will overwrite the linked file due to the improper path handling.

Remediation

As a preventive measure, avoid extracting archives from untrusted sources with BusyBox. If extraction is necessary, do it in a controlled environment, like a container with a read-only filesystem and limited privileges.
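One way to screen an archive before handing it to an extractor, as an added example that is not part of the advisory or of BusyBox: it lists tar members without extracting and flags any member name or link target that is absolute or contains a '..' component, including a trailing one. The function names are hypothetical, the sample archive is constructed in memory, and the check is deliberately conservative (it also flags relative symlinks that use '..').

```python
import io
import tarfile
from pathlib import PurePosixPath

def unsafe_reason(path):
    """Return why a path could leave the extraction directory, else None."""
    p = PurePosixPath(path)
    if p.is_absolute():
        return "absolute path"
    # Reject '..' anywhere, including a trailing component such as 'dir/..'
    if ".." in p.parts:
        return "'..' component"
    return None

def audit_tar(fileobj):
    """Return (member, field, reason) tuples for suspicious entries; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            reason = unsafe_reason(m.name)
            if reason:
                findings.append((m.name, "name", reason))
            # Hard links and symlinks carry a second path that must be checked too
            if m.islnk() or m.issym():
                reason = unsafe_reason(m.linkname)
                if reason:
                    findings.append((m.name, "linkname", reason))
    return findings

def build_sample():
    """Constructed test archive: one ordinary file and two entries the audit should flag."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("docs/readme.txt")
        ok.size = 5
        tar.addfile(ok, io.BytesIO(b"hello"))
        tar.addfile(tarfile.TarInfo("data/.."))      # trailing '..' in the name
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.LNKTYPE                  # hard link entry
        link.linkname = "/constructed/target"        # placeholder absolute target
        tar.addfile(link)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, field, reason in audit_tar(build_sample()):
        print(f"REJECT {name!r}: {field} has {reason}")
```

Refuse to extract when the audit returns any finding, and still run the extraction itself in the restricted environment described above.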

Added: Feb 11, 2026, 9:19 PM
Updated: Feb 11, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 10.0
exploitability: 4.7
remediation: 8.3
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.