Zip Slip Vulnerability Advisory

Zip Slip Vulnerability Advisory

junho 7, 2018 | Adeline Zhang

On 5th June 2018 Snyk Security team disclosed a Zip Slip vulnerability, which could result in potential command execution using a specially crafted archive that holds directory traversal filenames .

Reference: https://snyk.io/research/zip-slip-vulnerability

Description

Attackers could use a specially crafted archive holding directory traversal filenames (e.g. ../../evil.sh) to trigger this vulnerability. Once a vulnerable code database extracts the content of the archive, attackers could decompress malicious files residing in the target folder. “The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside”, pointed out by the researchers. The attacker can then overwrite executable files to either invoke them remotely or wait for the system/user to call them, so as to run commands remotely on the victim’s machine.

Impact

Zip Slip vulnerability has affected thousands of projects, including AWS Toolkit for Eclips, Spring, Pinot OLAP database of LinkedIn, Apache / Twitter Heron, Alibaba JStorm, Jenkins, and Gradle. Other Cloud service providers also found some troubles. With more information disclosed, Java is found to be particularly vulnerable due to the lack of central library that offers high level processing of archives. Java databases affected by this vulnerability include Java java.util.zip, Apache commons-compres, Apache Ant, ZeroTurnaround zt-zip and zip4j.

For details, please see: https://github.com/snyk/zip-slip-vulnerability

Solutions

Search through your projects for vulnerability code and ensure you are on a mitigated version of the archive processing libraries (https://github.com/snyk/zip-slip-vulnerability).