OSPG binwalk Path Traversal Vulnerability in WinCE Extraction Plugin
Vulnerability
A path traversal vulnerability has been identified in OSPG binwalk versions through 2.4.3, specifically within the WinCE Extraction Plugin. The issue arises in the 'read_null_terminated_string' function of 'winceextract.py': a filename read from the ROM image is used to build 'self.file_name' without being checked for directory traversal sequences, so a crafted name can cause a file to be written outside the extraction directory. Exploitation requires a victim to run binwalk on an attacker-supplied image, and the issue has been publicly disclosed. Because the write is arbitrary, it can be escalated to code execution by dropping a malicious binwalk plugin into the plugin directory, where it is loaded and executed on subsequent binwalk runs.
Impact
Exploitation of this vulnerability allows arbitrary file writes with the privileges of the user running binwalk. An attacker can leverage this to achieve code execution on the analyst's machine by writing a malicious binwalk plugin that runs on the next binwalk invocation, and, more generally, to overwrite any file that user can write to.
Reproduction
The vulnerability can be reproduced by crafting a WinCE ROM image whose embedded file table contains directory traversal sequences (for example, '../' components) in the names of the files to be extracted. When this manipulated ROM is processed by binwalk with the WinCE extraction plugin, the files are written to locations outside the intended output directory, bypassing the normal path restrictions. The publicly available proof-of-concept script automates this: it creates the malicious ROM, extracts it using the vulnerable plugin, and verifies that a file landed outside the extraction directory.
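The following is an added illustration, not code from the binwalk project or from the proof-of-concept described above. It does not reproduce the WinCE ROM format; instead it takes a constructed list of null-terminated filenames of the kind an extractor would read from the image, shows the unsanitized join that lets traversal sequences escape the output directory, and places next to it the check an extraction plugin should apply before writing. The function names, the sample entries and the temporary output directory are all assumptions made for the example.

```python
import os
import tempfile

# Constructed sample entries: (null-terminated name as read from the image, file contents).
# Three of the five names would escape or relocate outside the output directory.
SAMPLE_ENTRIES = [
    (b"nk.exe\x00", b"MZ..."),
    (b"../../../outside.txt\x00", b"escaped"),
    (b"sub/../../also_outside.txt\x00", b"escaped"),
    (b"/etc/passwd\x00", b"absolute"),
    (b"sub/ok.txt\x00", b"inside"),
]


def read_null_terminated_string(data, offset=0):
    """Return the string up to the first NUL byte (a stand-in for the plugin's helper)."""
    end = data.find(b"\x00", offset)
    if end == -1:
        end = len(data)
    return data[offset:end].decode("ascii", errors="replace")


def vulnerable_target_path(out_dir, name):
    """The unsafe pattern: joining an attacker-controlled name straight onto the output directory.

    '../' components walk out of out_dir, and os.path.join discards out_dir entirely
    when name is absolute.
    """
    return os.path.join(out_dir, name)


def safe_target_path(out_dir, name):
    """Return the absolute path under out_dir for name, or None if it would escape.

    Absolute names are relocated under out_dir (leading separators stripped); anything
    that still resolves outside out_dir after normalisation is rejected.
    """
    if not name:
        return None
    root = os.path.realpath(out_dir)
    candidate = os.path.realpath(os.path.join(root, name.lstrip("/\\")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def extract_entries(entries, out_dir):
    """Write each entry under out_dir using the safe check; return (written, rejected) names."""
    written, rejected = [], []
    for raw_name, payload in entries:
        name = read_null_terminated_string(raw_name)
        target = safe_target_path(out_dir, name)
        if target is None:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(payload)
        written.append(name)
    return written, rejected


def demo():
    """Run the safe extractor on the sample and report what the unsafe join would have done."""
    out_dir = tempfile.mkdtemp(prefix="wince_out_")
    written, rejected = extract_entries(SAMPLE_ENTRIES, out_dir)
    # Nothing must appear in the parent of the output directory.
    escaped = os.path.exists(os.path.join(os.path.dirname(out_dir), "also_outside.txt"))
    # The vulnerable join happily produces a path that leaves out_dir.
    unsafe = vulnerable_target_path(out_dir, "../evil.py")
    return {
        "written": written,
        "rejected": rejected,
        "escaped": escaped,
        "vulnerable_join": unsafe.endswith(os.sep + ".." + os.sep + "evil.py"),
    }


if __name__ == "__main__":
    print(demo())
```

The check resolves both the output directory and the candidate with os.path.realpath before comparing, so symlinked temporary directories and names that only escape after normalisation ('sub/../../x') are handled the same way; comparing against root plus a trailing separator avoids the classic mistake of accepting '/tmp/out_evil' as being inside '/tmp/out'.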
Remediation
Users are advised to migrate to binwalk v3.x, the Rust-based rewrite, which is not affected by this vulnerability. The archived Python version of binwalk will not receive any updates or patches. Until migration is complete, untrusted firmware images should only be processed with the 2.x release in an isolated, unprivileged environment whose binwalk plugin directory is not writable by the extraction process, so that a malicious write cannot become code execution on the next run.
