Vulnerability identifier: #VU11326

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-16544

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BusyBox
Universal components / Libraries / Software for developers

Vendor: busybox.net

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the add_match function in libbb/lineedit.c due to the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. A remote attacker can execute arbitrary code with the system privileges and write arbitrary files.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 1.28.0.

Vulnerable software versions

BusyBox: 1.27.2

---

External links
http://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.