BusyBox wget vi Vulnerabilities: CRLF Injection, Credential Forwarding, ANSI Escape

Critical Vulnerability Information 1. Header Injection via Unsanitized URL Components (CRLF Injection) Summary: - directly inserts the URL path and URI into the HTTP request line without sanitizing control characters, enabling header injection. - This can bypass security checks, manipulate routing, or contaminate caches. Examples: - Injecting headers such as , , , or custom headers (e.g., ). PoC: - A Python script demonstrates how an attacker can inject headers into the request by manipulating the URL. 2. vi: ANSI Escape Sequences in Status/Error Lines Summary: - BusyBox displays ANSI escape sequences in status and error lines, which may trigger terminal control sequences. - This could result in terminal spoofing or degraded user experience. 3. wget: Credential Forwarding on Cross-Origin Redirect Summary: - When fetching a URL that returns a 302 redirect, sends credentials in the header to the new origin. - This behavior aligns with issues described in CVE-2021-31879. Observation: - An header is sent during redirects, even when redirecting to a different origin. Suggested Mitigations For header injection: - Reject control characters and whitespace in the host and path components. For ANSI escape sequences: - Strip or escape control characters from all user-controlled strings. For credential forwarding: - Clear headers on redirects to different hosts or schemes unless explicitly permitted.

Goal Reached Thanks to every supporter — we hit 100%!

BusyBox wget vi Vulnerabilities: CRLF Injection, Credential Forwarding, ANSI Escape