CVE-2022-4510 in binwalk

Summary

by MITRE • 01/26/2023

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.

This issue affects binwalk from 2.1.2b through 2.3.3 included.


Analysis

by VulDB Data Team • 12/17/2025

The vulnerability described in CVE-2022-4510 is a critical path traversal flaw in the ReFirm Labs binwalk utility, affecting versions 2.1.2b through 2.3.3. The weakness resides in the PFS filesystem extraction functionality and manifests when binwalk processes a maliciously crafted PFS file in extraction mode. File paths taken from the PFS structure are used during extraction without being confined to the output directory, so an attacker can escape the intended extraction directory and write files to arbitrary locations on the target system. The affected component is src/binwalk/plugins/unpfs.py, which implements the extraction logic for PFS filesystems. The flaw lets an attacker construct a PFS filesystem that triggers the path traversal during normal binwalk operation.

Technically, the vulnerability stems from insufficient input validation and path sanitization in the PFS extraction module. When binwalk processes a PFS file with the extraction flag (-e), the unpfs.py plugin does not validate or sanitize the file paths contained in the PFS structure. An attacker can therefore embed file paths containing directory traversal sequences such as "../" that resolve outside the intended extraction directory. The danger is concentrated in the extraction step: a crafted PFS file can place attacker-controlled content in chosen locations on extraction. The attack vector becomes particularly serious when the PFS file is built to drop a malicious binwalk module into the .config/binwalk/plugins directory, the location from which binwalk loads user plugins.

The operational impact of this vulnerability extends beyond simple file system manipulation to encompass full remote code execution capabilities. The ability to place malicious modules in the .config/binwalk/plugins directory means that subsequent executions of binwalk will load and execute these malicious components, effectively providing attackers with persistent code execution on the target system. This represents a sophisticated attack chain that leverages the legitimate functionality of binwalk to establish a foothold for further compromise. The vulnerability is particularly concerning in environments where binwalk is frequently used for firmware analysis or security auditing, as it provides attackers with a means to escalate privileges and maintain persistence. The attack requires minimal user interaction beyond running binwalk on a maliciously crafted PFS file, making it a highly effective vector for automated exploitation.

Organizations and security professionals should implement immediate mitigations to address this vulnerability by upgrading to binwalk versions beyond 2.3.3, where the path traversal issue has been resolved. The fix typically involves implementing proper input validation and path sanitization within the PFS extraction module to prevent directory traversal sequences from being processed. Additionally, system administrators should consider implementing network segmentation and access controls to limit the exposure of systems running binwalk to untrusted file inputs. The vulnerability aligns with CWE-22 Path Traversal and follows attack patterns consistent with the MITRE ATT&CK framework under techniques such as T1059 Command and Scripting Interpreter and T1068 Exploitation for Privilege Escalation. Security monitoring should focus on detecting unusual file creation patterns in binwalk plugin directories and unexpected execution of binary files in system directories, particularly those related to security analysis tools.
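As an added example (not binwalk's own code and not the upstream fix), the following Python shows the kind of destination-path check described above: every entry name read from an archive header is resolved against the extraction directory and rejected if it would land outside it. The entry names and the extraction directory are constructed placeholders.

```python
import os
from typing import Optional, List, Tuple

# Constructed sample of entry names as an archive header might list them.
# These are illustrative values, not taken from any real PFS image.
SAMPLE_ENTRIES = [
    "etc/config.xml",
    "bin/httpd",
    "../../.config/binwalk/plugins/evil.py",  # parent-directory escape
    "/etc/passwd",                            # absolute path
    "www/../../../tmp/x",                     # traversal buried mid-path
    "lib/./libc.so",                          # harmless dot segment
]


def safe_extract_path(extract_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute destination for entry_name inside extract_dir,
    or None if writing there would escape extract_dir.

    The check is done on the fully resolved path, so "../" anywhere in the
    name, absolute names and empty names all fail the same test. realpath
    also follows symlinks already present under extract_dir, so a link
    planted by an earlier entry cannot redirect a later write outside it.
    """
    if not entry_name or os.path.isabs(entry_name):
        return None
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    # commonpath, not startswith: "/out" must not accept "/out2/x".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify_entries(extract_dir: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split entry names into those safe to extract and those to refuse."""
    accepted, rejected = [], []
    for name in names:
        if safe_extract_path(extract_dir, name) is None:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = classify_entries("/tmp/pfs_out", SAMPLE_ENTRIES)
    print("extract:", ok)
    print("refuse :", bad)
```

A real extractor should run this check immediately before each write, because entries extracted earlier can change what a later path resolves to.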

Responsible: ONEKEY GmbH

Reservation: 12/15/2022

Disclosure: 01/26/2023

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.21845

KEV: no

Activities: very low
