Path traversal in yaffshiv
Description
A path traversal vulnerability affects the yaffshiv YAFFS filesystem extractor. By crafting a malicious YAFFS file, an attacker could force yaffshiv to write outside of the extraction directory.
This issue affects yaffshiv up to and including version 0.1, which is the most recent version at the time of publication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in yaffshiv up to version 0.1 allows attackers to write files outside the extraction directory via a crafted YAFFS file.
Vulnerability
yaffshiv, a YAFFS filesystem extractor, contains a path traversal vulnerability in versions up to and including 0.1. The extractor does not properly sanitize file paths extracted from a YAFFS image, allowing directory traversal sequences (e.g., ../) to escape the intended output directory. This flaw is present in the YAFFSExtractor class when processing directory entries. [1][2]
Exploitation
An attacker must craft a malicious YAFFS filesystem image containing directory entries with path traversal components. No authentication or special privileges are required; the attacker only needs to deliver the image to a user or system that extracts it with yaffshiv. During extraction, the traversal sequences are followed, causing files and directories to be written outside the target extraction directory. [2]
Impact
Successful exploitation enables an attacker to write arbitrary files to arbitrary locations on the filesystem. This can lead to overwriting critical system files, planting malicious executables, or achieving remote code execution depending on the write location and permissions. The attacker controls both the content and destination of the written files. [1][2]
Mitigation
A fix has been proposed in pull request #3 on the yaffshiv repository, which introduces an is_safe_path function using os.path.realpath and os.path.commonpath to validate paths before extraction. As of publication, no official release includes this fix; users should apply the patch manually or switch to an alternative extractor such as unblob. [2]
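The containment check named above, sketched as an added example: this is not the code from pull request #3 or from yaffshiv itself. The function body, `extract_entries`, `demo` and the sample entry names are assumptions constructed for illustration.

```python
import os
import tempfile

def is_safe_path(base_dir, name):
    """True if `name`, resolved under `base_dir`, stays inside `base_dir`."""
    base = os.path.realpath(base_dir)
    # An absolute `name` makes os.path.join() discard `base`; the check below rejects it.
    target = os.path.realpath(os.path.join(base, name))
    try:
        # commonpath compares whole components, so "out_evil" never matches "out".
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False

def extract_entries(out_dir, entries):
    """Write (name, data) pairs under out_dir; return (written, rejected) names."""
    written, rejected = [], []
    for name, data in entries:
        if not is_safe_path(out_dir, name):
            rejected.append(name)
            continue
        dest = os.path.join(out_dir, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written, rejected

# Constructed entry names standing in for names parsed from a YAFFS image.
SAMPLE_ENTRIES = [
    ("etc/version", b"relative, stays inside\n"),
    ("../escaped.txt", b"parent traversal\n"),
    ("bin/../../escaped.txt", b"traversal after a valid prefix\n"),
    ("/absolute.txt", b"absolute path\n"),
    ("../out_evil/x", b"sibling directory sharing the 'out' prefix\n"),
]

def demo():
    """Extract the constructed entries into a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = os.path.join(tmp, "out")
        os.makedirs(out_dir)
        written, rejected = extract_entries(out_dir, SAMPLE_ENTRIES)
        leaked = [n for n in os.listdir(tmp) if n != "out"]  # anything outside out/
        return written, rejected, leaked

if __name__ == "__main__":
    print(demo())
```

The `../out_evil/x` entry shows why the comparison uses `os.path.commonpath` rather than a string-prefix test: the resolved path begins with the same characters as the extraction directory but is a different directory.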
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.