Zip Slip: All you need to know about this newly disclosed vulnerability
By Ashish Chhatani - May 28, 2018
Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution.
We use archives every day, whenever more than one file needs to be uploaded. Besides zip itself, tar, jar, war, cpio, apk, rar and 7z are among the most widely used archive formats. Unfortunately, extraction code for all of these formats has been found vulnerable to the Zip Slip attack.
What is ZipSlip?
The Snyk Security Research Team discovered a generic arbitrary file write vulnerability that can be triggered using a specially crafted zip (or bzip2, gzip, tar, xz, war) archive holding path traversal filenames. When such a filename is concatenated to the target extraction directory, and the extraction tool does not make sufficient checks, the final path ends up outside the target folder.
“Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more.” So wrote the Snyk team in their technical white paper.
In a nutshell, attackers can create Zip archives that use path traversal to overwrite important files on affected systems, either destroying them or replacing them with malicious alternatives.
Attackers might use that ability to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
Zip Slip isn’t a problem with the Zip file format itself; it’s a piece of bad programming that has been repeated over and over again in many different projects:
Snyk found the vulnerability in 15 archive extraction software libraries that don't validate file paths in an archive file.
The adversary first identifies an application or system that has file upload functionality and accepts zip files, then creates a zip file containing malicious versions of the files they want to overwrite.
The second thing needed to exploit this vulnerability is extraction of the archive, either by the application’s own code or by a library. The vulnerability exists when the extraction code omits validation of the file paths in the archive.
So two parts are required to exploit this vulnerability: a malicious archive, and extraction code that does not validate the paths it extracts.
The Zip file format allows files to be stored with paths that specify where those files should be placed when the archive is unzipped. Crucially, the paths can be relative paths like ../
If an adversary knows the location of both the target file and the directory the application extracts into, they can work out the right relative path to unzip a malicious file right on top of the target file.
Alternatively, they can attempt to target a file even without knowing the extraction directory, simply by adding a large number of extraneous dot-dot-slashes to the path: you can’t traverse any further up the filesystem than the root, /, so the extra components are harmlessly discarded and the rest of the path is applied from there.
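The mechanics described above, as an added example that is not part of the original article or of Snyk’s published material: a Python script that builds a constructed archive with a `../../evil.txt` entry, extracts it with the naive concatenation pattern (the bug), and then again with a hardened extractor that canonicalises each final path and refuses anything outside the destination. The directory layout `app/uploads/extract` and the function names are hypothetical, chosen for the demo.

```python
"""Zip Slip demonstrated: a crafted archive, the vulnerable extraction
pattern, and a hardened extractor that rejects traversal entries.
Added example; not code from the article or from Snyk."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip(payload: bytes = b"attacker controlled\n") -> bytes:
    """Constructed sample archive: one benign entry and one whose name carries
    path traversal. zipfile.writestr() stores the name verbatim, exactly as an
    attacker's tooling would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content\n")
        zf.writestr("../../evil.txt", payload)
    return buf.getvalue()


def compute_target(dest: str, entry_name: str) -> str:
    """Where a naive extractor ends up writing: dest + entry name, with '..'
    components collapsed lexically. '..' components that would climb above '/'
    are discarded, which is why an attacker can pad the name with extra '../'
    when the depth of the extraction directory is unknown."""
    return os.path.normpath(os.path.join(dest, entry_name))


def unsafe_extract(archive: bytes, dest: str) -> list:
    """VULNERABLE pattern (the bug behind Zip Slip): the entry name is joined
    onto dest and written without checking where the result landed."""
    os.makedirs(dest, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = compute_target(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the extraction dir."""


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened extractor. Every entry is validated before any byte is
    written, so a bad archive is rejected whole rather than half-extracted.
    Containment uses commonpath() instead of a string-prefix test, so that
    root '/srv/extract' does not accept '/srv/extract2/x' as inside it."""
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        planned = []
        for info in zf.infolist():  # pass 1: validate all names
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ZipSlipError(f"entry escapes extraction dir: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:  # pass 2: write
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the crafted archive inside a throwaway tree
    (hypothetical layout app/uploads/extract) and report what happened."""
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "app", "uploads", "extract")
        unsafe_extract(archive, dest)
        # The traversal entry landed two levels above 'extract'.
        escaped = os.path.isfile(os.path.join(tmp, "app", "evil.txt"))

        dest2 = os.path.join(tmp, "app2", "uploads", "extract")
        try:
            safe_extract(archive, dest2)
            blocked = False
        except ZipSlipError:
            blocked = True
        wrote_outside = os.path.isfile(os.path.join(tmp, "app2", "evil.txt"))
    return {"unsafe_escaped": escaped, "safe_blocked": blocked,
            "safe_wrote_outside": wrote_outside}


if __name__ == "__main__":
    print(demo())
```

The check in `safe_extract` is the canonicalise-then-compare test Snyk recommends, done with `os.path.commonpath` rather than `startswith` to avoid the sibling-directory prefix trap; the two-pass structure means a poisoned archive never gets partially written. Symbolic-link entries are a separate concern not handled here, since this extractor writes every entry as a regular file and never creates links.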
Am I Vulnerable?
Security researchers from Snyk have stated that you are vulnerable if you either use a library that contains the Zip Slip vulnerability, or your project directly contains vulnerable code that extracts files from an archive without the necessary directory traversal validation. The Snyk team maintains a GitHub repository in which all vulnerable projects are listed, along with the responsible disclosure status and fixes. The repository is open to contributions from the wider community to ensure it holds the most up-to-date status.
The vulnerability is like a Trojan Horse: the malicious archive must first enter the system, normally through the download of a dependency or an upload to the application. Once it has arrived there is no direct danger; the victim’s code must take a specific action, extracting the archive without validating its paths, before the damage is done.
If you maintain software that does its own unzipping you should test it to see if it’s vulnerable. Now might also be a good time to look at whether or not a standard library would be a better option, whether your systems are configured with defence in depth in mind, and if your applications are operating in accordance with the principle of least privilege.
The Snyk team has also released a video that explains the vulnerability in detail.