Sleuth Kit Path Traversal Vulnerability in tsk_recover Allowing Arbitrary File Write

A path traversal vulnerability has been identified in The Sleuth Kit, affecting versions through 4.14.0. The issue resides in the tsk_recover tool, where an attacker can manipulate filenames or directory paths within a filesystem image to include path traversal sequences. This manipulation allows files to be written to arbitrary locations outside the designated recovery directory. Exploitation of this vulnerability could lead to unauthorized code execution by overwriting shell configuration files or cron entries.

Impact

Exploitation of this vulnerability could result in arbitrary file writes, with the potential for overwriting critical system files such as shell configuration or cron entries, leading to unauthorized code execution.

Reproduction

To reproduce this vulnerability, create a malicious filesystem image that includes filenames embedded with '/../' sequences. When this image is processed by tsk_recover, the tool will write files to locations outside the intended recovery directory. This can be verified by checking the output locations for the recovered files.

Remediation

Users can update to The Sleuth Kit version 4.14.1 or later, where this vulnerability has been fixed.