Hacking

‘Zip Slip’ arbitrary file overwrite vulnerability affects thousands of projects

Security experts from British software firm Snyk have discovered a critical vulnerability, dubbed ‘Zip Slip’ that affects thousands of projects across many industries.

The flaw, that remained hidden for years, could be exploited by attackers to execute arbitrary code on the vulnerable systems.

zip slipzip slip

The Zip Slip is an arbitrary file overwrite vulnerability that could be triggered with a directory traversal attack while extracting files from an archive,

Unfortunately, the flaw affects many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

“Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution.”  states the blog post published by the experts.

“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here).”

Thousands of projects written in several programming languages (i.e. JavaScript, Ruby, Java, .NET and Go) from tech giants include vulnerable libraries and codes.

Attackers can trigger the Zip Slip flaw using a specially crafted archive file that holds directory traversal filenames (e.g. ../../evil.sh).

Once a vulnerable code o library has extracted the content of the archive, it would allow attackers to unarchive malicious files outside of the folder where it should reside.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.” continues the analysis.

“The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

The researchers published proof-of-concept Zip Slip archives and released a video PoC for the Zip Slip flaw.

Experts shared two sample examples of malicious zip and tar files (for both Unix and windows files systems) with filenames that extract a file to the /tmp/ or \Temp\ folders

Since April, Snyk privately reported the flaw to the maintainers of all vulnerable libraries and projects, it is maintaining a GitHub repository listing all flawed projects. The repository is open to contributions from the wider community to ensure it holds the most up to date status.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Zip Slip, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

14 hours ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

14 hours ago

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…

17 hours ago

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

1 day ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

1 day ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

2 days ago