Security researchers have discovered a critical, widespread archive extraction vulnerability dubbed “Zip Slip” that allows attackers to remotely overwrite arbitrary files on the victim’s system and invoke them to achieve remote command execution. The vulnerability lies in the way the way coders, plugins and libraries implement the process of decompressing an archived file.
“The lack of such a library led to vulnerable code snippets being handcrafted and shared among developer communities such as StackOverflow,” researchers said. “The vulnerability is exploited using a specially crafted archive that holds directory traversal file names (e.g. ../../evil.sh)... The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking.”
The Zip Slip vulnerability can affect numerous archive formats such as .tar, .jar, .war, .apk, .rar etc, researchers said.
“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” researchers explained. This could allow the attacker to replace or overwrite important system files, such as OS libraries or server configuration files, allowing for the malicious code to be executed. The exploit could also result in a system shutdown as well.
Furthermore, some of the code shared on StackOverflow were also found to be vulnerable to Zip Slip, leaving many desktops, mobile, or web apps written in Java vulnerable as well.
Victims will have to search their projects for the vulnerable code noted the researchers.
Snyk researchers discovered the flaw in April and have demonstrated the exploit in their proof-of-concept video. Affected library developers have since fixed the issue. They have also released a detailed technical paper for developers to better understand the flaw and test their own apps for it.
Application developers have been advised to update their libraries to a patched version.Snyk has also published a list on GitHub of affected processing libraries and projects that have been affected, fixed and deemed not exploitable.