BusyBox Privilege Escalation Vulnerability via Unvalidated Hardlink and Symlink Entries in Tar Archives

Vulnerability

BusyBox versions 1.36.1 and 1.37.0 do not validate hardlink and symlink entries in tar archives, so an attacker who supplies a malicious archive can modify files outside the intended extraction directory. When such an archive is extracted with elevated privileges, the vulnerability can lead to unauthorized access to critical system files, bypassing existing path traversal protections.

Impact

The vulnerability allows arbitrary file modification outside the extraction directory, with potential privilege escalation if extraction is performed with elevated rights.

Reproduction

The vulnerability can be reproduced by creating a tar archive that includes hardlink or symlink entries pointing to sensitive files, such as '/etc/passwd'. This archive can then be extracted using BusyBox's tar implementation with elevated privileges, leading to unauthorized modifications of the targeted files.

Remediation

Avoid extracting tar archives from untrusted sources with BusyBox, especially under elevated privileges. If extraction of untrusted archives is necessary, do so in a sandboxed environment with limited permissions to mitigate the risk of arbitrary file modifications and privilege escalation.
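
A pre-extraction check can complement the sandbox: read only the archive headers and refuse any archive whose hardlink or symlink entries point outside the extraction directory. The following is an added example, not code from BusyBox or from this advisory; it uses Python's standard tarfile module, and the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def audit_links(fileobj):
    """List (name, target, reason) for link entries that leave the extraction root."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:  # reads headers only, nothing is extracted
            if member.issym():
                # A symlink target resolves relative to the link's own directory.
                kind, base = "symlink", posixpath.dirname(member.name)
            elif member.islnk():
                # A hardlink target is a path relative to the archive root.
                kind, base = "hardlink", ""
            else:
                continue
            target = member.linkname
            resolved = posixpath.normpath(posixpath.join(base, target))
            if posixpath.isabs(target):
                findings.append((member.name, target, kind + " to absolute path"))
            elif resolved == ".." or resolved.startswith("../"):
                findings.append((member.name, target, kind + " leaves extraction directory"))
    return findings


def build_sample():
    """Constructed sample archive, built in memory; all names are made up."""
    entries = [
        ("docs/latest", tarfile.SYMTYPE, "readme.txt"),      # stays inside
        ("copy.txt", tarfile.LNKTYPE, "docs/readme.txt"),    # stays inside
        ("docs/up", tarfile.SYMTYPE, "../../outside"),       # climbs out
        ("passwd-link", tarfile.SYMTYPE, "/etc/passwd"),     # absolute target
        ("hard", tarfile.LNKTYPE, "../outside"),             # climbs out
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        data = b"hello\n"
        info = tarfile.TarInfo("docs/readme.txt")
        info.size = len(data)
        archive.addfile(info, io.BytesIO(data))
        for name, kind, target in entries:
            link = tarfile.TarInfo(name)
            link.type, link.linkname = kind, target
            archive.addfile(link)
    buf.seek(0)
    return buf
```

The check is lexical only: it does not follow chains of links created by earlier entries, so treat a clean result as one layer alongside sandboxed, unprivileged extraction rather than a replacement for it.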

Added: Feb 11, 2026, 9:20 PM
Updated: Feb 11, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 5.3
remediation: 7.9
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.