Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zip Slip Vulnerability Affects Thousands of Projects (theregister.co.uk)

Posted by BeauHD on from the heads-up dept.

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

4 of 127 comments (clear)

  1. I remember this from a quarter century ago by tap · · Score: 5, Interesting

    I used this to hack a WWIV based BBS system around 25 years ago. Heard about it from somewhere. What you did was place a file with a "..\..\" path into the archive and upload it to the BBS files section. The board would automatically unpack it on upload, or maybe you had to invoke a "download a file from inside a zip" feature on it, my memory is hazy on that. But it would unpack the zip, it would overwrite a executable that was part of the BBS software, and then when it ran that your trojan would run.

    Isn't a press release about this kind of like a press release about the concept of buffer overflow exploits?

  2. Vulnerability? by mentil · · Score: 5, Interesting

    I thought this was standard, expected behavior for archive files?
    Unzip software is supposed to give a prompt that a file is going to be overwritten, to mitigate that.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  3. Re:Holy Moly! This is some seriously creepy sh*t! by msauve · · Score: 5, Informative

    Oh, people have thought of it. The issue has been known for years. The only thing that's surprising is that there's still software which allows it, which can only be due to incompetence. Heck, here's a security book describing the vector (directory traversal) dating to 1996, and it was known long before then.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Re:archive vs compressor by dgatwood · · Score: 5, Informative

    Holy crap! I just looked at GNU tar's version history. The docs have said that it skips ".." members since IIRC the late 1990s, but apparently it never actually worked, and they just fixed it in 2016!

    *redacted swearing*

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.