Merge pull request #556 from ReFirmLabs/unpriv_user_exec

Symlink directory traversal security fix

README.md

@@ -7,10 +7,17 @@
 
 Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
 
+
+### *** Extraction Security Notice ***
+
+Prior to Binwalk v2.3.3, extracted archives could create symlinks which point anywhere on the file system, potentially resulting in a directory traversal attack if subsequent extraction utilties blindly follow these symlinks. More generically, Binwalk makes use of many third-party extraction utilties which may have unpatched security issues; Binwalk v2.3.3 and later allows external extraction tools to be run as an unprivileged user using the `run-as` command line option (this requires Binwalk itself to be run with root privileges). Additionally, Binwalk v2.3.3 and later will refuse to perform extraction as root unless `--run-as=root` is specified.
+
+
 ### *** Python 2.7 Deprecation Notice ***
 
 Even though many major Linux distros are still shipping Python 2.7 as the default interpreter in their currently stable release, we are making the difficult decision to move binwalk support exclusively to Python 3. This is likely to make many upset and others rejoice. If you need to install binwalk into a Python 2.7 environment we will be creating a tag `python27` that will be a snapshot of `master` before all of these major changes are made. Thank you for being patient with us through this transition process.
 
+
 ### Installation and Usage
 
 * [Installation](./INSTALL.md)

setup.py

@@ -12,7 +12,7 @@ except ImportError:
 from distutils.dir_util import remove_tree
 
 MODULE_NAME = "binwalk"
-MODULE_VERSION = "2.3.2"
+MODULE_VERSION = "2.3.3"
 SCRIPT_NAME = MODULE_NAME
 MODULE_DIRECTORY = os.path.dirname(os.path.realpath(__file__))
 

testing/tests/test_dirtraversal.py

+import os
+import binwalk
+from nose.tools import eq_, ok_, assert_equal, assert_not_equal
+
+def test_dirtraversal():
+    '''
+    Test: Open dirtraversal.tar, scan for signatures.
+    Verify that dangerous symlinks have been sanitized.
+    '''
+    bad_symlink_file_list = ['foo', 'bar', 'subdir/foo2', 'subdir/bar2']
+    good_symlink_file_list = ['subdir/README_link', 'README2_link']
+
+    input_vector_file = os.path.join(os.path.dirname(__file__),
+                                     "input-vectors",
+                                     "dirtraversal.tar")
+
+    output_directory = os.path.join(os.path.dirname(__file__),
+                                    "input-vectors",
+                                    "_dirtraversal.tar.extracted")
+
+    scan_result = binwalk.scan(input_vector_file,
+                               signature=True,
+                               extract=True,
+                               quiet=True)[0]
+
+    # Make sure the bad symlinks have been sanitized and the
+    # good symlinks have not been sanitized.
+    for symlink in bad_symlink_file_list:
+        linktarget = os.path.realpath(os.path.join(output_directory, symlink))
+        assert_equal(linktarget, os.devnull)
+    for symlink in good_symlink_file_list:
+        linktarget = os.path.realpath(os.path.join(output_directory, symlink))
+        assert_not_equal(linktarget, os.devnull)

testing/tests/test_firmware_zip.py

@@ -10,8 +10,6 @@ def test_firmware_zip():
     '''
     expected_results = [
 	[0, 'Zip archive data, at least v1.0 to extract, name: dir655_revB_FW_203NA/'],
-	[51, 'Zip archive data, at least v2.0 to extract, compressed size: 6395868, uncompressed size: 6422554, name: dir655_revB_FW_203NA/DIR655B1_FW203NAB02.bin'],
-	[6395993, 'Zip archive data, at least v2.0 to extract, compressed size: 14243, uncompressed size: 61440, name: dir655_revB_FW_203NA/dir655_revB_release_notes_203NA.doc'],
 	[6410581, 'End of Zip archive, footer length: 22'],
 
     ]