Security researchers have disclosed today details about a critical vulnerability impacting open source coding libraries that handle archived files.
Discovered by the researchers from Snyk, the "Zip Slip" vulnerability is an issue in the way coders, plugins, and libraries have implemented the process of decompressing an archived file.
Numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z, are affected, meaning this is more a general implementation flaw than a bug in one specific piece of code.
Vulnerability leads to files being unzipped in the wrong places
According to researchers, Zip Slip is a combination of "arbitrary file overwrite" and "directory traversal" issues that can lead to situations where an attacker can unzip files outside the normal unzip path and overwrite sensitive files, such as critical OS libraries or server configuration files.
"The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking," the Snyk team said today in a security advisory.
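The validation step the advisory refers to is a path check on every archive entry before it is written. The following Python snippet is an added example, not code from the article or from Snyk: it constructs a small zip in memory with one benign entry and one entry whose name climbs out of the extraction directory with "../" components, then shows an audit helper that flags such entries and an extractor that refuses them (the entry names, directory names and function names are all constructed for illustration).

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: a benign entry plus a Zip Slip style traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../etc/evil.conf", "would land outside the target directory\n")
    return buf.getvalue()


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if entry_name, joined to dest_dir, still resolves inside dest_dir.

    Both sides are canonicalised with realpath so "..", "." and symlinked
    destination directories are all accounted for before comparing.
    """
    if posixpath.isabs(entry_name) or entry_name.startswith("\\"):
        return False  # absolute names never belong in an archive to be extracted
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    return os.path.commonpath([base, target]) == base


def find_traversal_entries(archive_bytes: bytes, dest_dir: str) -> list:
    """Audit helper: names of entries that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(dest_dir, n)]


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract only entries that pass is_safe_entry; return the names written.

    Bytes are written through open() on the checked path, so the check above is
    the only thing deciding where data lands (no reliance on library sanitising).
    """
    extracted = []
    base = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                continue  # refuse the entry rather than normalise it
            target = os.path.join(base, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def run_demo() -> dict:
    """Audit and safely extract the constructed archive in a scratch directory."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        flagged = find_traversal_entries(data, dest)
        extracted = safe_extract(data, dest)
        benign_written = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return {"flagged": flagged, "extracted": extracted, "benign_written": benign_written}
```

Running `run_demo()` reports the traversal entry as flagged and only the benign entry as extracted; the same `is_safe_entry` check applies unchanged to tar, jar or war entries read with other libraries.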
Researchers said they found this flaw in April, and they have been working with the maintainers of several open-source libraries that were vulnerable to this attack.
Multiple open-source libraries affected
The Snyk team has published a list of libraries affected by Zip Slip on GitHub.
While libraries written in several programming languages are known to be affected (such as JavaScript, Python, Ruby, .NET, Go, and Groovy), the issue mainly affects the Java ecosystem because there's no official library recommended for handling archived files.
Instead, developers have created and used an assortment of libraries for this purpose, most of which are vulnerable to Zip Slip. Furthermore, the issue is so widespread that even some of the code shared on StackOverflow was found to be vulnerable to Zip Slip, meaning that many desktop, mobile, or web apps written in Java may be vulnerable to Zip Slip without developers even knowing.
To help developers understand the Zip Slip attack and aid them in detecting if their apps are vulnerable, the Snyk team has published a technical paper detailing the Zip Slip bug in much more depth.
Researchers have also published proof-of-concept Zip Slip archives so developers can test their apps for the vulnerability. A demo video is also available below.
Comments
mikeloeven - 5 years ago
Does this only affect web applications or can this affect desktop archive programs as well?
campuscodi - 5 years ago
Both, if the app handles unzip operations and uses vulnerable code. It all depends on the code the app uses for decompressing files.