Improper input validation in busybox (Alpine package)

1) Improper input validation

EUVDB-ID: #VU11326

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-16544

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the add_match function in libbb/lineedit.c due to the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. A remote attacker can execute arbitrary code with the system privileges and write arbitrary files.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

busybox (Alpine package): 1.24.2-r1

CPE2.3

• cpe:2.3:o:alpine:busybox_alpine_package:1.24.2-r1:*:*:*:*:alpine_linux:*:

External links

http://git.alpinelinux.org/aports/commit/?id=cf43a775225bcace5eda5940576e46caac38d471
http://git.alpinelinux.org/aports/commit/?id=2ee6af5577349f8304cd2e350dce04fef0b5551a
http://git.alpinelinux.org/aports/commit/?id=fae8e63b4df5c1052fc79ed551d442263ddcb523
http://git.alpinelinux.org/aports/commit/?id=2a49aab90f53077e3c5d08bd297cb2071e444255
http://git.alpinelinux.org/aports/commit/?id=78518e05e5f926ac7adc73adde72b54e08d185f7
http://git.alpinelinux.org/aports/commit/?id=94b1464e97c7dd5528f9113c2bc76456076310e4
http://git.alpinelinux.org/aports/commit/?id=9c61af0b67fd73d23389d1016d69758729dfe193
http://git.alpinelinux.org/aports/commit/?id=f36afe370ef2d04d4bc1821d6cdd428aa543dfe4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.