Zip Slip disclosed
I first read about it on Twitter, in a post by Jake Williams. The vulnerability was disclosed by the Snyk security team on June 5, 2018. Zip Slip allows an attacker to overwrite arbitrary files. Since this can lead to remote code execution (for example, when a malicious archive is unpacked), the vulnerability is rated critical.
Thousands of projects affected via packer libraries
The CVEs and a complete list of the affected projects can be found here. This kind of vulnerability has existed before, but it has recently surfaced in a much larger number of projects and libraries. The background is that many developers no longer hand-code their unpacking routines and instead rely on packer libraries.
Vulnerability exploitable during unpacking
The vulnerability is exploited with a specially crafted archive: the archive to be extracted contains file names with directory traversal sequences (e.g. ../../evil.sh). As a result, the unpacker writes outside the intended target directory and can overwrite other (system) files, which makes remote code execution possible.
A white paper describes the vulnerability in more detail, and there are prepared archives on GitHub that trigger the vulnerability and can be used for testing purposes. The Zip Slip vulnerability can affect many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.
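The check a hardened unpacker needs is shown below as an added example (not code from the post or from Snyk): every entry name is resolved against the destination directory and the extraction is refused if any resolved path lands outside it. The archive is constructed in memory with one benign entry and one traversal entry; the entry names and the destination directory name are sample values.

```python
import io
import os
import zipfile


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: content}. Constructed sample data;
    ZipFile.writestr does not sanitise names, so a '../' entry is preserved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the names of all entries whose resolved path would escape dest_dir."""
    dest = os.path.realpath(dest_dir)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # realpath collapses '..' components; os.path.join lets an
            # absolute entry name replace dest, so both cases are caught
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                escaping.append(info.filename)
    return escaping


def safe_extract(zip_bytes: bytes, dest_dir: str) -> None:
    """Extract only if no entry escapes dest_dir; otherwise reject the whole archive."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)


# Constructed sample: a harmless file plus the traversal entry from the text.
SAMPLE_ZIP = build_archive({
    "docs/readme.txt": "harmless content\n",
    "../../evil.sh": "#!/bin/sh\necho sample\n",
})

if __name__ == "__main__":
    print(unsafe_entries(SAMPLE_ZIP, "extract_target"))
```

Python's own `zipfile.extractall` already strips such components, so the explicit check stands in for what a vulnerable packer library omits.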
What can I do?
Currently, there is no countermeasure other than relying on libraries that are not affected in software projects. Jake Williams gives the following recommendations and hints:
- Anyone using applications that allow users (especially unauthenticated users) to upload archive files (including but not limited to zip) should be particularly concerned about this vulnerability.
- Those who do not run such applications in their IT environment minimize the risk of becoming a Zip Slip victim. Then the following exploit vectors must still be taken into account: email gateways (spam and DLP filters) that may rely on vulnerable libraries.
There are certainly other attack surfaces for Zip Slip. But the two primary targets seen at Rendition Infosec are: web applications that allow users (especially unauthenticated users) to upload compressed files that are processed by the server, and mail gateway servers (e.g. spam, DLP, etc.) that process compressed files from unknown senders.