A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more.
Dubbed Zip Slip and discovered by the Snyk Security, the vulnerability exists when the code that extracts files from an archive doesn’t validate the file paths in the archive.
The security flaw was responsibly disclosed to the impacted parties starting in mid-April and is said to impact thousands of projects. The issue has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go.
According to Snyk Security, Java has been impacted the most, as it lacks a central library for the high level processing of archive files. Because of that, vulnerable code snippets “were being hand crafted and shared among developer communities such as StackOverflow,” the security researchers explain.
Exploitation is possible via a specially crafted archive containing directory traversal filenames. Numerous archive formats are affected by the bug, including tar, jar, war, cpio, apk, rar and 7z.
“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive,” Snyk Security explains.
The directory traversal vulnerability allows an attacker to access parts of the file system residing outside of their target folder. The attacker can then overwrite executable files and achieve remote command execution on the victim’s machine when these files are executed. The flaw can also be abused to overwrite configuration files or other sensitive resources.
“The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking,” the researchers explain.
First, the archive should contain one or more files designed to break out of the target directory when extracted. The contents of the archive need to be hand crafted, as archive creation tools “don’t typically allow users to add files with these paths,” Snyk Security notes. Armed with the right tools, however, an attacker can easily create files with these paths.
Second, the attacker needs to extract the archive, either using a library or own code.
“You are vulnerable if
you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation,” the researchers say.
In a GitHub repository, Snyk published a list of impacted libraries, which includes npm (language JavaScript), Java (language Java), .NET (languages: .NET and Go), Ruby gem (language Ruby), Go (language Go), Oracle (language Java), and Apache (language Java).
“Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google,” the researchers note.
Snyk also notes that some projects were patched despite being confirmed not vulnerable, while others that continue to use the vulnerable code implementation are said to be not exploitable. Specifically, “it is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome,” the researchers say.
Related: Microsoft Patches Critical Flaw in Open Source Container Library
Related: GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries
