[SingCERT] Alert on Zip Slip Vulnerability for Archive Files

Published on Friday, 08 June 2018 10:46

Background

On 5 June 2018, the Snyk Security team disclosed a critical archive extraction vulnerability dubbed Zip Slip. This vulnerability allows attackers to perform arbitrary remote command execution on affected systems. As a result, thousands of projects, including projects by HP, Amazon, Apache, Pivotal and many more, are affected.

The Zip Slip vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central software library for unpacking archive files. The lack of such a library led to vulnerable code snippets being crafted and shared among developer communities such as StackOverflow.

Affected Programming Languages

Affected libraries used by programming languages include, but are not limited to:

  • Java
  • .NET
  • Oracle
  • Apache
  • Ruby
  • Go

Click here for the complete list of affected libraries used by programming languages.

Impact

The Zip Slip vulnerability is exploited using a specially crafted archive file containing extra directory paths designed to traverse up to the root directory as the file is extracted. The attackers can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on a victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both users’ machines and servers. It affects numerous archive formats such as zip, tar, jar, war, cpio, apk, rar and 7z.

Recommendations

Software developers are advised to:

  • check whether their projects contain code that is vulnerable to Zip Slip. Click here for more information.
  • use fixed versions of the libraries, in which the vulnerable code has been removed, for their project development
  • add Zip Slip security testing into their application build pipeline; for instance, implementing measures to validate file paths in the archives
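
The path validation recommended above can be sketched as follows in Go, one of the affected ecosystems. This is an added example, not code from SingCERT, Snyk or any affected library; the function names, the destination directory /tmp/unpack and the in-memory sample archive are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin returns the extraction path for entryName, or an error if the entry would land outside destDir.
func safeJoin(destDir, entryName string) (string, error) {
	target := filepath.Join(destDir, entryName) // Join also resolves ".." segments
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", entryName, destDir)
	}
	return target, nil
}

// rejectedEntries lists the entry names in a zip that fail safeJoin.
func rejectedEntries(zipData []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	// ErrInsecurePath still returns a usable reader; every name is checked below anyway.
	if err != nil && err != zip.ErrInsecurePath {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// sampleArchive builds a constructed zip in memory: one benign entry, two traversal entries.
func sampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"docs/readme.txt", "../../evil.sh", "docs/../../escape.txt"} {
		w.Create(name)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(rejectedEntries(sampleArchive(), "/tmp/unpack"))
}
```

Comparing the relative path rather than testing a plain string prefix also rejects sibling directories such as /tmp/unpack-evil, which share a prefix with the destination. A real extractor would call safeJoin on every entry before creating any file and abort the extraction on the first error.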

References

https://snyk.io/research/zip-slip-vulnerability#introduction

https://www.techrepublic.com/article/attackers-can-hide-malware-in-archive-files-with-zip-slip-flaw-heres-how-to-fight-it/

https://github.com/snyk/zip-slip-vulnerability

https://www.zdnet.com/article/open-source-security-zip-slip-critical-flaw-hits-thousands-of-projects-update-now/