CVE-2023-52138 in engrampainfo

Summary

by MITRE • 02/05/2024

Engrampa is an archive manager for the MATE environment. Engrampa is found to be vulnerable to a Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution (RCE) on the target. While handling CPIO archives, the Engrampa Archive manager follows symlink, cpio by default will follow stored symlinks while extracting and the Archiver will not check the symlink location, which leads to arbitrary file writes to unintended locations. When the victim extracts the archive, the attacker can craft a malicious cpio or ISO archive to achieve RCE on the target system. This vulnerability was fixed in commit 63d5dfa.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/29/2024

The CVE-2023-52138 vulnerability represents a critical path traversal flaw in Engrampa, a popular archive manager component within the MATE desktop environment. This vulnerability stems from improper handling of symbolic links during CPIO archive extraction processes, creating a significant security risk that can be exploited to achieve full remote command execution on target systems. The flaw specifically manifests when Engrampa processes CPIO archives without adequately validating or sanitizing symbolic link destinations, allowing attackers to manipulate the extraction process and write files to arbitrary locations on the filesystem. The vulnerability is particularly concerning as it leverages the default behavior of cpio tools which follow stored symlinks during extraction, a feature that Engrampa fails to properly account for in its archive processing logic.

The technical exploitation of this vulnerability occurs through careful crafting of malicious CPIO or ISO archives that contain specially constructed symbolic links. When a victim extracts such an archive using Engrampa, the archive manager follows these symlinks without proper validation, resulting in arbitrary file writes to unintended system locations. This path traversal capability enables attackers to place malicious files in critical system directories, potentially leading to privilege escalation and complete system compromise. The vulnerability's severity is amplified by the fact that it operates at the archive extraction level, meaning that any user who extracts a malicious archive could be compromised, regardless of their privilege level. The flaw directly relates to CWE-22, which describes path traversal vulnerabilities, and represents a classic case of insufficient input validation combined with inadequate access control mechanisms. Attackers can leverage this vulnerability through the ATT&CK technique T1059.007, which involves command and scripting interpreter usage, potentially enabling them to execute arbitrary commands on the compromised system.

The operational impact of CVE-2023-52138 extends beyond simple file manipulation to encompass full system compromise capabilities. Since Engrampa is commonly used within MATE desktop environments, this vulnerability affects a substantial user base that may not be actively monitoring for security updates. The vulnerability's exploitation requires only that a victim extract a maliciously crafted archive, making it particularly dangerous as it can be delivered through various attack vectors including email attachments, compromised websites, or social engineering campaigns. The fix implemented in commit 63d5dfa addresses the core issue by modifying Engrampa's archive handling logic to properly validate symbolic link destinations and prevent traversal to unintended file locations. Organizations should prioritize patching this vulnerability as it represents a high-severity risk that can be exploited remotely without user interaction beyond archive extraction. The vulnerability demonstrates the importance of proper input sanitization and access control in archive processing applications, particularly those handling untrusted data from external sources. Security teams should monitor for exploitation attempts and ensure that all systems running Engrampa are updated to versions containing the patched commit to prevent potential compromise through this path traversal vulnerability.

Responsible

GitHub, Inc.

Reservation

12/28/2023

Disclosure

02/05/2024

Moderation

accepted

CPE

ready

EPSS

0.01652

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!