Zip Slip Vulnerability Affecting Thousands of Apps Puts Systems at Risk

Thousands of software projects and libraries contain code that extracts archives in an insecure way, allowing attackers to write arbitrary files outside the intended directories. In many cases, this can lead to remote code execution.

The vulnerability, dubbed Zip Slip, was found by researchers from code security scanning firm Snyk and is a form of directory traversal through specially crafted archives. For example, an archive can contain file names such as “../../evil.sh,” which would be written outside of the working directory if the code performing the extraction doesn’t properly validate paths.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the Snyk researchers said in a report. “The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

It turns out that thousands of open source projects, development frameworks and libraries written in various programming languages have this problem. The flaw can be exploited with different types of archives including tar, jar, war, cpio, apk, rar and 7z, and affects multiple ecosystems including JavaScript, Ruby, .NET, Go and Java.

Zip Slip “is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files,” the Snyk researchers said. “The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.”
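The defect in the hand-crafted snippets the researchers describe is the same in every language: the entry name from the archive is joined onto the destination directory and opened for writing without first canonicalizing the result and confirming it still lies inside that directory. The following Python is an added example written for this article, not code from Snyk or from any of the affected projects; it shows the check a safe extraction loop needs and builds a small in-memory archive (constructed sample data) to exercise it. Note that Python's own `ZipFile.extract()` already strips traversal components, so this mirrors the manual read-entry/write-file loop seen in the vulnerable snippets rather than relying on that convenience.

```python
import io
import os
import zipfile
from typing import Dict, List, Optional


def resolve_entry(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the canonical on-disk path for entry_name if it stays inside
    dest_dir, otherwise None.

    Both sides are passed through os.path.realpath so that "..", "." and
    symlinked destination directories are normalised before the comparison.
    """
    dest_root = os.path.realpath(dest_dir)
    # Absolute names ("/etc/cron.d/x") and Windows drive prefixes can never be
    # legitimate relative entries, so reject them before joining.
    if os.path.isabs(entry_name) or os.path.splitdrive(entry_name)[0]:
        return None
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    # Compare on a path-component boundary: a plain string prefix test would
    # accept "/srv/out-evil" as being inside "/srv/out".
    if target == dest_root or target.startswith(dest_root + os.sep):
        return target
    return None


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry would be written inside dest_dir."""
    return resolve_entry(dest_dir, entry_name) is not None


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Extract an in-memory zip into dest_dir, refusing any entry that escapes.

    The loop is deliberately the manual read/write pattern from the vulnerable
    snippets, with the missing containment check added before any file is
    created. The whole archive is rejected on the first bad entry so that a
    partially written tree is not left behind for an attacker to rely on.
    """
    dest_root = os.path.realpath(dest_dir)
    extracted: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every name first, then write: no file touches disk if the
        # archive contains even one traversal entry.
        for info in zf.infolist():
            if not is_safe_entry(dest_root, info.filename):
                raise ValueError(f"Zip Slip attempt blocked: {info.filename!r}")
        for info in zf.infolist():
            target = resolve_entry(dest_root, info.filename)
            assert target is not None  # guaranteed by the pass above
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a zip in memory from a name -> content mapping (constructed sample
    data for testing; zipfile stores the names verbatim, so '..' survives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "out")
        os.makedirs(out)
        good = build_zip({"docs/readme.txt": b"hello", "docs/../top.txt": b"x"})
        print("extracted:", safe_extract(good, out))
        bad = build_zip({"../../evil.sh": b"#!/bin/sh\n"})
        try:
            safe_extract(bad, out)
        except ValueError as exc:
            print("rejected:", exc)
```

The two-pass structure (validate everything, then write) is a deliberate design choice: a loop that checks and writes entry by entry still lets an archive drop its benign files before the traversal entry is hit, which is exactly the foothold a staged payload wants.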

The company has been coordinating the vulnerability disclosure with affected projects it has identified since April 15. Many of them have released new versions that address the vulnerability. Among them are the Apache commons-compress library; the unzipper, adm-zip, codehaus/plexus-archiver and zeroturnaround/zt-zip Node.js components; the DotNetZip.Semverd and SharpCompress .NET libraries and the mholt/archiver Go library.

However, there are other libraries and projects that haven’t been patched yet. Snyk published a list on GitHub with all the affected projects identified so far and their patching status. Users are invited to contribute to this list if they identify additional frameworks and libraries that are vulnerable to Zip Slip.

“Vulnerable projects include projects in various ecosystems that either use the libraries mentioned above or directly include vulnerable code,” the researchers said. “Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, LinkedIn, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google.”

The company’s researchers have published vulnerable code snippets for Java, Groovy, JavaScript, .NET, Go, Ruby and Python that could help developers determine if their own apps are vulnerable. The company’s commercial code dependency scanning tool, which has a free plan for individuals and small organizations, can be used to automatically detect if a software project uses one of the vulnerable libraries.

Due to the poor tracking of vulnerabilities in code dependencies by developers in general, but especially in enterprise environments, many applications will likely remain affected by this flaw for a long time. Serious and widespread flaws such as Zip Slip highlight why it’s important for developers to maintain accurate “bills of materials” for their software projects and to monitor vulnerabilities found and patched in third-party components.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42