<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><a href="https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/">https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/</a></div><div dir="ltr"><p>A known critical vulnerability has been given the moniker Zip Slip
this week in an effort to raise awareness of its prevalence. A recent
analysis shows the bug affects multiple open-source ecosystems,
including JavaScript, Ruby, .NET and Go. As a result, <a href="https://github.com/snyk/zip-slip-vulnerability">thousands</a> of developer projects are affected, including ones from Amazon, Apache, HP, Pivotal and many others.</p>
<p>Zip Slip is a form of directory traversal that is triggered by
extracting files from an archive. An exploit allows attackers to
remotely overwrite arbitrary files on the target with content of their
choosing, and from there pivot to achieving remote command execution on
the machine.</p>
<p>“An attacker can extract files from a ZIP file to a location outside
the destination folder, and when that’s possible, they can overwrite
files on the server to use for command execution, remotely,” said Danny
Grander, co-founder at Snyk Security and the lead responsible for
analyzing open-source projects for the flaw, in an interview. “This one
is very easy to turn into a code-execution attack, and it’s very
prevalent.”</p>
<p>The vulnerability is not new, he added; in fact, it has existed for
20 years as a concept. The difference is that up until now it has only
been reported against individual projects, one at a time.</p>
<p>“We decided to look at open-source code in GitHub from the bottom up –
and saw hundreds of vulnerable implementations and projects, and some
are not yet fixed,” Grander said. “From our perspective we are expecting
that attacks could be happening. We decided to offer a consistent
description for the vulnerability and a name to underline the
significance and bring it to developers’ attention.”</p>
<p>According to the Snyk Security team<a href="https://snyk.io/blog/zip-slip-vulnerability/"> analysis</a> posted
Tuesday, the widespread issue is typically exploited using a specially
crafted ZIP file that holds directory traversal filenames (it also works
with other archive formats, including tar, jar, war, cpio, apk, rar
and 7z).</p>
<p>“The premise of the directory traversal vulnerability is that an
attacker can gain access to parts of the file system outside of the
target folder in which they should reside,” the researchers said in the
analysis [<a href="https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf">PDF</a>].
“The attacker can then overwrite executable files and either invoke
them remotely or wait for the system or user to call them, thus
achieving remote command execution on the victim’s machine. The
vulnerability can also cause damage by overwriting configuration files
or other sensitive resources, and can be exploited on both client (user)
machines and servers.”</p>
<p>To exploit the vulnerability, an attacker can use a specially crafted
malicious ZIP/archive file containing one or more files whose stored
paths break out of the target directory when extracted. In a <a href="https://www.youtube.com/watch?v=l1MT5lr4p9o">proof-of-concept video</a>,
the researchers show a weaponized ZIP archive with two files: a “good.sh”
file, which is extracted into the target directory, and an
“evil.sh” file, whose stored path traverses up the directory tree to
the root and then drops the file into the TMP directory. From there, an
attacker can move on to other parts of the network.</p>
<p>Success requires extraction code that does not validate the file
paths stored in the archive before writing. When such an extractor
reaches the evil.sh entry, it simply concatenates the entry’s path
(including its “../” sequences) onto the destination directory, and the
operating system resolves that path to a location outside the target
directory, so evil.sh is written there instead.</p>
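<p>As an added example (not the researchers’ proof of concept and not code from any of the projects listed), the following Python script builds a crafted ZIP in memory with the same two entries the video uses, a benign good.sh and an evil.sh whose stored name begins with “../” sequences, and runs it through two hand-rolled extractors: one that joins the entry name onto the destination without checking it, as the copy-pasted snippets Grander describes do, and one that resolves the path first and refuses any entry that would land outside the destination. Everything runs inside a temporary directory, so the traversal entry escapes the extraction folder without touching /tmp. The archive contents, directory layout and function names are constructed for this illustration.</p>

```python
import io
import os
import shutil
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive entry would be written outside the destination."""


def build_zip(entries):
    """Build a ZIP archive in memory from {name: bytes}. zipfile stores the
    name verbatim, so '../../evil.sh' survives into the central directory
    exactly as an attacker would craft it (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_unsafe(zip_bytes, dest):
    """Hand-rolled extractor of the kind the article describes: the entry
    name is joined onto dest with no validation, so '../' walks out of dest.
    Returns the paths it wrote (as given, before the OS resolves '..')."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # BUG: no path check
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_target(dest, name):
    """Resolve an entry name against dest and refuse it unless the result
    is still inside dest. realpath collapses '..' and follows symlinks in
    the destination; commonpath (not startswith, which would accept a
    sibling such as dest + '2') decides containment, and it also rejects
    absolute names because os.path.join discards dest for those."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ZipSlipError(f"entry {name!r} escapes {dest_real!r}")
    return target


def extract_safe(zip_bytes, dest):
    """Same extractor with the check in place. Every entry is validated
    before anything is written, so a malicious archive is rejected whole
    rather than partially extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        targets = [safe_target(dest, info.filename) for info in infos]
        written = []
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors on the same crafted archive inside a scratch
    directory and report where evil.sh ended up (hypothetical layout)."""
    base = tempfile.mkdtemp(prefix="zipslip-")
    try:
        malicious = build_zip({
            "good.sh": b"#!/bin/sh\necho good\n",
            "../../evil.sh": b"#!/bin/sh\necho evil\n",  # traversal entry
        })
        benign = build_zip({"good.sh": b"#!/bin/sh\necho good\n"})
        unsafe_dest = os.path.join(base, "unsafe", "app", "uploads")
        safe_dest = os.path.join(base, "safe", "app", "uploads")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)

        result = {}
        extract_unsafe(malicious, unsafe_dest)
        # '../../' from app/uploads lands two levels up, beside 'app'
        result["unsafe_escaped"] = os.path.isfile(
            os.path.join(base, "unsafe", "evil.sh"))
        try:
            extract_safe(malicious, safe_dest)
            result["safe_raised"] = False
        except ZipSlipError:
            result["safe_raised"] = True
        result["safe_escaped"] = os.path.isfile(
            os.path.join(base, "safe", "evil.sh"))
        result["safe_wrote_good"] = os.path.isfile(
            os.path.join(safe_dest, "good.sh"))
        result["safe_benign_count"] = len(extract_safe(benign, safe_dest))
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Two points the script makes that the prose does not: the check must run on the resolved path (realpath), because a naive rejection of names containing “..” misses absolute names and symlinked destinations, and it must run over the whole archive before the first write, otherwise a rejected archive still leaves good.sh and any earlier entries behind. For tar-style formats the same check has to be applied to symlink and hardlink targets as well, which this ZIP-only example does not cover.</p>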
<p>Developer projects should search for vulnerable code; the projects
that have been already identified as vulnerable (along with available
fixes) are <a href="https://github.com/snyk/zip-slip-vulnerability">listed here</a>.</p>
<p>“There are so many affected projects, and the responsibility flows to
the maintainers to fix this,” Grander told Threatpost. “Half have
issued a fix, but for the other half, it’s hard for maintainers to
address. We actually provided fixes for many libraries and did a big
chunk of work to help them get rid of this before going public with our
findings.”</p>
<p>The flaw is especially prevalent in Java, where there’s no central
library offering high-level processing of ZIP files. This lack of
centralization has led to vulnerable code snippets being handcrafted and
shared among developer communities such as StackOverflow, Grander said.</p>
<p>“If I don’t provide a core archive-handling library with a proper API
that’s not vulnerable, the application is going to be prone to attack,”
he told us. “Ecosystems that don’t have a central library with a
correct API result in developers re-using vulnerable code from various
open-source libraries. So from a defense perspective, if you’re a
developer using a vulnerable library, you need to upgrade to a new fixed
version.”</p></div></div></div></div></div></div></div></div>
</div>