Jun 18, 2026
Unauthenticated remote attackers can write arbitrary files, and potentially achieve remote code execution, through a directory traversal flaw in BBOT's unarchive module when the scanner runs on a host with a legacy GNU tar.
CVE-2026-12565 is a medium-severity path traversal (Zip-Slip) vulnerability within the internal unarchive module of the BBOT (Black Lantern Security) OSINT framework. The vulnerability exists due to a failure to validate target paths before extracting archives using host-level command-line utilities. This allows remote, unauthenticated attackers to write arbitrary files outside of the target extraction folder on environments running legacy versions of GNU tar.
The BBOT framework, developed by Black Lantern Security, provides an extensible engine for OSINT, domain reconnaissance, and attack surface mapping. During a normal scan, BBOT crawls remote targets, downloads web assets it discovers, and hands compressed files to its internal unarchive module. That module does not extract archives itself; it delegates extraction to host-level command-line utilities launched as Python subprocesses.
This delegation model introduces a significant security exposure. The internal unarchive module fails to inspect or validate the filenames, directory components, and destination paths stored within archive headers prior to invoking extraction utilities. Consequently, the safety of the unarchiving process rests entirely on the extraction behavior of the host operating system's CLI tools.
This lack of local path enforcement allows a directory traversal (Zip-Slip) vulnerability, tracked as CVE-2026-12565 and classified under CWE-22. If a BBOT scan is directed at a server hosting a malicious archive, entries whose paths use directory traversal sequences or nested symbolic links can escape the designated output folder. When a legacy extraction utility processes such an archive, it writes files to locations outside the designated extraction directory.
The root cause of CVE-2026-12565 is the complete absence of path sanitization in the unarchive.py module before the extraction command is handed to the subprocess. Because the module builds the command line from a template without inspecting the archive's member headers, safety depends entirely on the behaviour of the host's tar binary. According to the advisory, GNU tar versions earlier than 1.34 do not reliably block absolute symlink targets or relative directory traversal paths during extraction, which is what makes the two-member attack described next possible.
Under legacy GNU tar configurations, an archive can contain a symbolic link entry pointing at a sensitive system path, followed by a file entry whose path goes through that symlink name. During extraction, GNU tar first creates the symlink on the target filesystem. It then resolves the nested file entry relative to the newly created symlink and writes the payload file into the symlink's target directory, for example /etc/cron.d/ or /var/spool/cron/.
In commit 4fb38fd6e77cbf43b198ee8ddbaf380a9eb69d09, the developers attempted to harden the unarchive pipeline by enforcing a 1 GB extraction cap. This patch does nothing against the underlying path traversal. The size check runs only after the extraction process has finished, so it is a check-after-use ordering rather than a guard: the malicious payload is already written to disk, and already usable, before anything is evaluated.
Furthermore, the validation routine measures extracted size by walking output_dir.rglob("*"), which is bounded to the intended output directory. Files that escaped through directory traversal or absolute symbolic links sit outside this tree, so the size routine never sees them. The resulting byte count is incomplete, and both the size check and the cleanup that follows it miss the escaped files entirely.
Analyzing the code changes introduced in the flawed patch commit 4fb38fd6e77cbf43b198ee8ddbaf380a9eb69d09 illustrates the architectural oversight. The modification establishes a static limit variable and appends a size validation block immediately following the execution of the subprocess. The vulnerable command generation and post-execution check are structured as follows:
```python
# Vulnerable command generation using an external subprocess
command = [s.format(filename=path, extract_dir=output_dir) for s in cmd_list]
try:
    # The extraction process runs without pre-validating archive headers
    await self.run_process(command, check=True)
    # Post-extraction check introduced in commit 4fb38fd6e77cbf43b198ee8ddbaf380a9eb69d09
    extracted_size = sum(f.stat().st_size for f in output_dir.rglob("*") if f.is_file())
    if extracted_size > self._max_extracted_size:
        # Clean-up only targets output_dir, leaving escaped files untouched
        self.helpers.rm_rf(output_dir)
        self.warning(
            f"Extracted size {extracted_size:,} bytes exceeds limit "
            f"({self._max_extracted_size:,} bytes), removing {output_dir}"
        )
        return False
# except clause not shown in the excerpt
```

The fundamental defect in this logic is that output_dir.rglob("*") performs a recursive search bounded solely by output_dir. When a path traversal write occurs, the files land elsewhere on the filesystem (e.g., /etc/cron.d/). Because those paths lie outside output_dir, their sizes do not contribute to extracted_size, and they remain untouched when self.helpers.rm_rf(output_dir) runs.
Additionally, this post-extraction design is exposed to denial of service through storage exhaustion. An attacker can supply an archive whose contents are below the 1 GB threshold but larger than the remaining free disk space. When the disk fills mid-extraction, tar fails with a write error; because the subprocess is launched with check=True, run_process raises before the size sum is ever computed, so neither the check nor the cleanup runs and the partially extracted data stays on disk. The limit is therefore never enforced in exactly the case it was meant to catch.
Exploitation of CVE-2026-12565 requires an attacker to get a BBOT scan to parse an archive containing path-manipulating entries. The attack path is that BBOT crawls an untrusted endpoint, downloads a compressed file from it, and passes that file to the internal unarchive module. The advisory states that the write succeeds on hosts running GNU tar versions earlier than 1.34.
To construct a working exploit, the attacker crafts a .tar archive containing two members in sequence. The first member is a symbolic link that establishes the escape, pointing at a directory such as /etc/cron.d/ or /home/user/.ssh/. The second member is a regular file whose path runs through the symlink name and whose contents are the payload, such as a cron entry launching a reverse shell or a modified shell profile.
When GNU tar processes the first entry, it creates the symlink on the filesystem. When it processes the second entry, it resolves the nested filename relative to the symlink and writes the payload file directly into the linked directory. A scheduler such as cron then picks up the planted entry and executes its commands. Note the precondition: the BBOT process must already have write access to the linked directory (root for /etc/cron.d/), and the planted commands run with whatever privileges that mechanism grants, so the practical impact scales with the privileges of the scanner process.
The impact of CVE-2026-12565 spans from arbitrary local file writes to full remote code execution on the underlying server. Although the CVSS Base Score is calculated at 5.3 (Medium), the practical severity is significantly escalated if BBOT is run under a highly privileged context, such as a root user on a scanner host.
Because the vulnerability allows arbitrary writes to any path the scanner process can write to, security controls can be undermined. Where the scanner runs as root, which is common in container images, an attacker can modify cron tables, inject keys into SSH directories, or overwrite system libraries. Each of these yields complete administrative compromise of the underlying container or machine.
Environmental requirements determine the exploit's complexity. If the scanner runs on a modern distribution with GNU tar 1.34 or newer, the utility refuses to follow the nested-symlink path out of the extraction directory by default. Legacy enterprise setups, older container base images (e.g., Ubuntu 20.04 LTS), and specific cloud templates remain exposed to remote exploitation.
Remediating CVE-2026-12565 requires addressing both the system-level behaviour and the application-level logic. The most direct system workaround is to upgrade the host's extraction tools: GNU tar 1.34 or newer enforces the extraction-directory boundary by default and neutralises the nested-symlink traversal. Confirm what a scanner host actually runs with tar --version, since a scanner image can carry an older tar than the distribution release name suggests.
For containerized environments, scanning instances should use modern base images (such as Ubuntu 22.04 LTS or Debian Bullseye) and run under strict privilege boundaries. Mounting the root filesystem read-only (--read-only) prevents writes to arbitrary system paths like /etc/cron.d. In that configuration only dedicated, non-privileged, transient directories should be writable, which in practice means mounting BBOT's scan output directory as a tmpfs or a separate volume and nothing else.
From a development perspective, BBOT should replace external CLI extraction with a path-validated, Python-native implementation. The check belongs before extraction, not after: resolve every member's destination to an absolute path, confirm it stays inside the output directory, apply the same test to symlink and hardlink targets, and refuse the whole archive on the first failure, so that no write to disk happens until every entry has passed.
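The pre-extraction validation described above, as added example code written for this article (it is not BBOT's own unarchive module and does not reproduce its API). It inspects tar members with Python's tarfile before anything is written, rejecting absolute names, paths that resolve outside the destination, link targets that leave the destination, and any member path that passes through a symlink defined earlier in the same archive. To exercise it, the block also constructs in memory the two-member symlink-then-file archive from the exploitation walkthrough, alongside a plain "../" traversal and a benign archive. The function names, the "escape" link name and the /etc/cron.d target are illustrative choices, not identifiers from the project.

```python
"""Pre-extraction path validation for tar archives (example code, not BBOT's)."""
import io
import os
import tarfile
import tempfile
from pathlib import Path


def _is_inside(base: Path, candidate: Path) -> bool:
    """True if candidate lies within base; both must already be resolved."""
    try:
        candidate.relative_to(base)
        return True
    except ValueError:
        return False


def find_unsafe_members(archive: tarfile.TarFile, dest: Path) -> list:
    """Return (member_name, reason) pairs for members that must not be extracted."""
    dest = dest.resolve()
    problems = []
    seen_symlinks = {}  # symlink names accepted so far; later paths may not go through them
    for m in archive.getmembers():
        name = m.name
        if os.path.isabs(name):
            problems.append((name, "absolute path"))
            continue
        target = (dest / name).resolve()  # collapses '..' components lexically
        if not _is_inside(dest, target):
            problems.append((name, "path escapes destination"))
            continue
        parts = Path(name).parts
        for i in range(1, len(parts)):  # the symlink-then-write pattern
            if "/".join(parts[:i]) in seen_symlinks:
                problems.append((name, "path traverses symlink %r" % "/".join(parts[:i])))
                break
        else:
            if m.issym():
                link_target = (target.parent / m.linkname).resolve()
                if not _is_inside(dest, link_target):
                    problems.append((name, "symlink to %r leaves destination" % m.linkname))
                    continue
                seen_symlinks[name] = link_target
            elif m.islnk():
                if not _is_inside(dest, (dest / m.linkname).resolve()):
                    problems.append((name, "hardlink to %r leaves destination" % m.linkname))
            elif not (m.isfile() or m.isdir()):
                problems.append((name, "special file"))  # devices, fifos
    return problems


def check_archive(data: bytes, dest: Path) -> list:
    """Validate an in-memory tar without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return find_unsafe_members(tf, dest)


def safe_extract(data: bytes, dest: Path) -> list:
    """Refuse the whole archive if any member is unsafe; otherwise extract it.
    Returns the list of problems, empty on success."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        problems = find_unsafe_members(tf, dest)
        if problems:
            return problems
        dest.mkdir(parents=True, exist_ok=True)
        # Python >= 3.12 ships tarfile.data_filter; use it as a second layer.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)
    return []


def _tar_with(members) -> bytes:
    """Build a tar in memory from (TarInfo, payload-or-None) pairs (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for info, payload in members:
            tf.addfile(info, io.BytesIO(payload) if payload is not None else None)
    return buf.getvalue()


def build_symlink_attack(link_target="/etc/cron.d", payload=b"* * * * * root id\n") -> bytes:
    """The two-member archive from the walkthrough: symlink out, then a file through it."""
    link = tarfile.TarInfo("escape")
    link.type, link.linkname = tarfile.SYMTYPE, link_target
    fi = tarfile.TarInfo("escape/bbot-demo")
    fi.size = len(payload)
    return _tar_with([(link, None), (fi, payload)])


def build_dotdot_attack(payload=b"x\n") -> bytes:
    """Classic Zip-Slip member name with '..' components."""
    fi = tarfile.TarInfo("../../etc/cron.d/bbot-demo")
    fi.size = len(payload)
    return _tar_with([(fi, payload)])


def build_benign(payload=b"hello\n") -> bytes:
    d = tarfile.TarInfo("dir")
    d.type, d.mode = tarfile.DIRTYPE, 0o755
    fi = tarfile.TarInfo("dir/file.txt")
    fi.size = len(payload)
    return _tar_with([(d, None), (fi, payload)])


def demo() -> dict:
    """Run the validator over the constructed archives in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        out = {
            "symlink_attack": check_archive(build_symlink_attack(), dest),
            "dotdot_attack": check_archive(build_dotdot_attack(), dest),
            "benign": check_archive(build_benign(), dest),
        }
        out["benign_extracted"] = (safe_extract(build_benign(), dest) == []
                                   and (dest / "dir" / "file.txt").read_bytes() == b"hello\n")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The validator rejects the whole archive on the first bad member rather than skipping that member, because a partially extracted archive is itself a signal that something hostile was served. Flagging any path that passes through an in-archive symlink is deliberately stricter than checking the symlink target alone; it is the ordering of the two members, not the target of the link, that the legacy tar behaviour exploits.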
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| BBOT (Black Lantern Security) | >= 2.3.1, <= 2.8.4 | Post-2.8.4 patch release |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network (AV:N) |
| CVSS v3.1 | 5.3 (Medium) |
| EPSS Score | 0.00208 (Percentile: 10.84%) |
| Impact | Arbitrary File Write / Potential Remote Code Execution |
| Exploit Status | Proof of Concept (PoC) |
| CISA KEV Status | Not Listed |
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize elements such as '..' that can resolve to a location outside of the intended directory.