Arbitrary Code Execution and File Write Vulnerability in BusyBox Tab Autocomplete

Arbitrary Code Execution and File Write Vulnerability in BusyBox Tab Autocomplete

CVE-2017-16544 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Learn more about our Web Application Penetration Testing UK.