[BreachExchange] Zip Slip Flaw Affects Thousands of Open-Source Projects

Inga Goddijn inga at riskbasedsecurity.com
Sun Jun 10 21:32:51 EDT 2018


https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/

A known critical vulnerability has been given the moniker Zip Slip this
week in an effort to raise awareness of its prevalence. A recent analysis
shows the bug affects multiple open-source ecosystems, including
JavaScript, Ruby, .NET and Go. As a result, thousands of developer projects
<https://github.com/snyk/zip-slip-vulnerability> are affected,
including ones from Amazon, Apache, HP, Pivotal and many others.

Zip Slip is a form of directory traversal that can be exploited by
extracting files from an archive. An exploit allows attackers to remotely
overwrite archive files with their own content, and from there pivot to
achieving remote command execution on the machine.

“An attacker can extract files from a ZIP file to a location outside the
destination folder, and when that’s possible, they can overwrite files on
the server to use for command execution, remotely,” said Danny Grander,
co-founder at Snyk Security and the lead responsible for analyzing
open-source projects for the flaw, in an interview. “This one is very easy
to turn into a code-execution attack, and it’s very prevalent.”

The vulnerability is not new, he added; in fact, it has existed for 20
years as a concept. The difference is that up until now it has been
discovered specific to particular projects.

“We decided to look at open-source code in GitHub from the bottom up – and
saw hundreds of vulnerable implementations and projects, and some are not
yet fixed,” Grander said. “From our perspective we are expecting that
attacks could be happening. We decided to offer a consistent description
for the vulnerability and a name to underline the significance and bring it
to developers’ attention.”

According to the Snyk Security team analysis
<https://snyk.io/blog/zip-slip-vulnerability/> posted Tuesday, the
widespread issue is typically exploited using a specially crafted ZIP file
that holds directory traversal filenames (it also works with other archive
formats, including tar, jar, war, cpio, apk, rar and 7z).

“The premise of the directory traversal vulnerability is that an attacker
can gain access to parts of the file system outside of the target folder in
which they should reside,” the researchers said in the analysis [PDF
<https://res.cloudinary.com/snyk/image/upload/v1528192501/zip-slip-vulnerability/technical-whitepaper.pdf>].
“The attacker can then overwrite executable files and either invoke them
remotely or wait for the system or user to call them, thus achieving remote
command execution on the victim’s machine. The vulnerability can also cause
damage by overwriting configuration files or other sensitive resources, and
can be exploited on both client (user) machines and servers.”

To exploit the vulnerability, an attacker can use a specially crafted
malicious ZIP/archive file containing one or more files that break out of
the target directory when extracted. In a proof-of-concept video
<https://www.youtube.com/watch?v=l1MT5lr4p9o>, the researchers show a
weaponized ZIP file with two entries: a “good.sh” file, which would be
extracted into the target directory, and an “evil.sh” file, whose job it is
to traverse up the directory tree to the root and then add a file to
the TMP directory. From there, an attacker can move on to other parts of
the network.

Success requires extraction code for expanding the ZIP file that does
not validate the file paths stored in the archive. When such code reaches
the evil.sh entry, it appends the entry's traversal path to the target
directory, which resolves to a specific landing location elsewhere in the
file system, so evil.sh is written outside of the target directory.
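The check the article describes as missing, as an added example that is not code from the article or from Snyk: it builds an in-memory ZIP with the PoC's two entry names (constructed sample data), shows where a naive join of target directory and entry name would land, and extracts only entries whose resolved path stays under the destination.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Construct (in memory) an archive like the PoC: a benign good.sh plus an
    evil.sh whose entry name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.sh", "#!/bin/sh\necho good\n")
        zf.writestr("../../tmp/evil.sh", "#!/bin/sh\necho evil\n")
    return buf.getvalue()


def naive_target(dest: str, entry_name: str) -> str:
    """Where unvalidated extraction code would write an entry: it simply joins
    the destination and the stored name, so '..' segments walk upward."""
    return posixpath.normpath(posixpath.join(dest, entry_name))


def is_within(dest: str, entry_name: str) -> bool:
    """Resolve the entry's real target path and require it to stay under dest.
    Absolute entry names are rejected too, since join() discards dest for them."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Extract only entries that resolve inside dest; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_within(dest, info.filename):
                rejected.append(info.filename)  # Zip Slip attempt: skip it
                continue
            target = os.path.join(os.path.realpath(dest), info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> tuple:
    """Run the safe extractor on the sample archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)
```

Rejecting the entry (rather than silently normalising its name) also gives you something to log and alert on, since a traversal name in an uploaded archive is never legitimate.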

Developer projects should search for vulnerable code; the projects that
have been already identified as vulnerable (along with available
fixes) are listed
here <https://github.com/snyk/zip-slip-vulnerability>.

“There are so many affected projects, and the responsibility flows to the
maintainers to fix this,” Grander told Threatpost. “Half have issued a fix,
but for the other half, it’s hard for maintainers to address. We actually
provided fixes for many libraries and did a big chunk of work to help them
get rid of this before going public with our findings.”

The flaw is especially prevalent in Java, where there’s no central library
offering high-level processing of ZIP files. This lack of centralization
has led to vulnerable code snippets being handcrafted and shared among
developer communities such as StackOverflow, Grander said.

“If I don’t provide a core archive-handling library with a proper API
that’s not vulnerable, the application is going to be prone to attack,” he
told us. “Ecosystems that don’t have a central library with a correct API
result in developers re-using vulnerable code from various open-source
libraries. So from a defense perspective, if you’re a developer using a
vulnerable library, you need to upgrade to a new fixed version.”