‘Zip Slip’ arbitrary file overwrite vulnerability affects thousands of projects

Security experts from British software firm Snyk have discovered a critical vulnerability, dubbed ‘Zip Slip’ that affects thousands of projects across many industries.

The flaw, that remained hidden for years, could be exploited by attackers to execute arbitrary code on the vulnerable systems.

The Zip Slip is an arbitrary file overwrite vulnerability that could be triggered with a directory traversal attack while extracting files from an archive,

Unfortunately, the flaw affects many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

“Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution.” states the blog post published by the experts.

“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here).”

Thousands of projects written in several programming languages (i.e. JavaScript, Ruby, Java, .NET and Go) from tech giants include vulnerable libraries and codes.

Attackers can trigger the Zip Slip flaw using a specially crafted archive file that holds directory traversal filenames (e.g. ../../evil.sh).

Once a vulnerable code o library has extracted the content of the archive, it would allow attackers to unarchive malicious files outside of the folder where it should reside.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.” continues the analysis.

“The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

The researchers published proof-of-concept Zip Slip archives and released a video PoC for the Zip Slip flaw.

Experts shared two sample examples of malicious zip and tar files (for both Unix and windows files systems) with filenames that extract a file to the /tmp/ or \Temp\ folders

Since April, Snyk privately reported the flaw to the maintainers of all vulnerable libraries and projects, it is maintaining a GitHub repository listing all flawed projects. The repository is open to contributions from the wider community to ensure it holds the most up to date status.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Zip Slip, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.