New vulnerability Zip Slip revealed

[German]The next security vulnerability called 'Zip Slip' has just been discovered by security researchers. The vulnerability can be found in many open source projects, from JAVA to packing programs. Even.NET or JavaScript are affected and as a user you can't get around it. Here is some information, including assessments by an Infosec security researcher.


Zip Slip disclosed

I had read it on Twitter, by Jake Williams. The vulnerability was disclosed by the Snyk security team on June 5, 2018. Zip Slip allows you to overwrite files arbitrarily. Since this can lead to remote code execution (for example, a compromised archive file is unpacked), this vulnerability is considered critical.

Thousands of projects affected via packer libraries

The vulnerability affects thousands of projects, including HP, Amazon, Apache, Pivotal and many others that use vulnerable libraries to pack. Also affected are eco-systems like JavaScript, Ruby, .NET and Go, as well as the already mentioned Java.

The CVEs and a complete list of the projects concerned can be found here. This kind of vulnerability has existed before. But recently it has manifested itself in a much larger number of projects and libraries. Background is that many developers do not use hand-coded unpacking routines and rather rely on packer libraries.

Vulnerability exploitable during unpacking

The vulnerability can be exploited with the help of a specially created archive. To do this, the archive to be extracted must contain directory traversal file names (e.g. ../../ This results in the unpacker coming out of the step and being able to overwrite other (system) files. This makes remote code execution possible.

A white paper describes the vulnerability in more detail. And there are prepared archives on GitHub that exploit the vulnerability and can be used for testing purposes. The zip-slip vulnerability can affect many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.


What can I do?

Currently, there is no countermeasure except to rely on non-invasive libraries in software projects. Jake Williams gives the following recommendations and hints:

  • Anyone using applications that allow users (especially unauthenticated users) to upload archive files (including but not limited to zip) should be particularly concerned about this vulnerability.
  • Those who do not run such applications in an IT environment minimize the risk of becoming a Zip Slip victim. Then the following exploit vectors must be taken into account: Email gateways (spam and DLP filters) that can rely on vulnerable libraries.

There are certainly other attack surfaces for Zip Slip. But the two primary targets you see on Rendition Infosec are: Web applications that allow users (especially unauthenticated users) to upload compressed files that are processed by the server. And mail gateways (e.g. spam, DLP, etc.) servers that process compressed files from unknown senders.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *