CyberSecurity Asean security alert on Zip Slip Vulnerability for Archive Files

This alert was originally published at www.csa.gov.sg, where it can still be viewed.
 
Background
 
On 5 June 2018, the Snyk Security team disclosed a critical archive extraction vulnerability dubbed Zip Slip. This vulnerability allows attackers to perform arbitrary remote command execution on affected systems. As a result, thousands of projects, including projects by HP, Amazon, Apache, Pivotal and many more, are affected.
 
The Zip Slip vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central software library for unpacking archive files. The lack of such a library led to vulnerable code snippets being crafted and shared among developer communities such as StackOverflow.
 
Affected Programming Languages
 
Affected libraries used by programming languages include, but are not limited to:
 

  • Java
  • .NET
  • Oracle
  • Apache
  • Ruby
  • Go

 
Click here for the complete list of affected libraries used by programming languages.
 
Impact
 
The Zip Slip vulnerability is exploited using a specially crafted archive file containing extra directory paths designed to traverse up to the root directory as the file is extracted. The attackers can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on a victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both users’ machines and servers. It affects numerous archive formats such as zip, tar, jar, war, cpio, apk, rar and 7z.
 
Recommendations
 
Software developers are advised to:
 

  • check whether their projects contain code that is vulnerable to Zip Slip. Click here for more information.
  • use fixed versions of the libraries, in which the vulnerable code has been removed, for their project development
  • add Zip Slip security testing into their application build pipeline; for instance, implementing measures to validate file paths in the archives
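
The file path validation recommended above can be run as a build-pipeline test that inspects an archive without extracting it. The following Go code is an added example, not code from the original alert or from Snyk; the destination directory /srv/app/uploads, the function names and the in-memory sample archive are assumptions constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin resolves entryName under destDir and rejects entries whose cleaned path leaves destDir.
func safeJoin(destDir, entryName string) (string, error) {
	target := filepath.Join(destDir, entryName) // Join also collapses "../" segments
	rel, err := filepath.Rel(destDir, target)   // Rel avoids the "uploads" vs "uploads-old" prefix trap
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", entryName, destDir)
	}
	return target, nil
}

// auditArchive lists the entries that would be written outside destDir; nothing is extracted.
func auditArchive(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var rejected []string
	for _, f := range r.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			rejected = append(rejected, f.Name)
		}
	}
	return rejected, nil
}

// sampleArchive builds a constructed in-memory test fixture holding harmless text.
func sampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"docs/readme.txt", "../../outside.txt", "docs/../../uploads-old/x.txt"} {
		f, _ := w.Create(name)
		f.Write([]byte("constructed sample"))
	}
	w.Close()
	return buf.Bytes()
}

func main() { fmt.Println(auditArchive(sampleArchive(), "/srv/app/uploads")) }
```

An extraction routine would call safeJoin on every entry and write only to the path it returns, failing the whole extraction on the first error.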

 
References
 
https://snyk.io/research/zip-slip-vulnerability#introduction
 
https://www.techrepublic.com/article/attackers-can-hide-malware-in-archive-files-with-zip-slip-flaw-heres-how-to-fight-it/
 
https://github.com/snyk/zip-slip-vulnerability
 
https://www.zdnet.com/article/open-source-security-zip-slip-critical-flaw-hits-thousands-of-projects-update-now/  
