Thousands of software projects and libraries contain code that extracts archives in an insecure way, allowing attackers to write arbitrary files outside the intended directories. In many cases, this can lead to remote code execution.
The vulnerability, dubbed Zip Slip, was found by researchers from code security scanning firm Snyk and is a form of directory traversal through specially crafted archives. For example, an archive can contain entry names such as “../../evil.sh,” which would be written outside of the intended extraction directory if the code performing the extraction doesn’t properly validate the resulting paths.
“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the Snyk researchers said in a report. “The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”
Zip Slip “is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files,” the Snyk researchers said. “The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.”
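To make the mechanism concrete, the following added example (written for this article, not code from Snyk or from any of the affected projects) builds a small constructed archive containing a benign entry and a “../../evil.sh” entry, then extracts it twice: once with the hand-crafted pattern the report describes (joining the entry name onto the destination without validation) and once with a hardened extractor that resolves every entry path and refuses to write anything unless all entries stay under the destination. The function names, the sample entry contents and the temporary-directory layout are all assumptions made here for illustration. The unsafe extraction is confined to a nested subdirectory of a temporary directory so the escape is observable without touching anything else on the system.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed sample archive: one benign entry and, optionally, one
    entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        if include_traversal:
            # Constructed traversal entry; the payload is a harmless marker.
            zf.writestr("../../evil.sh", "# constructed sample entry\n")
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> list:
    """The vulnerable pattern: entry name joined to dest with no check.
    (Python's own ZipFile.extractall() sanitizes names; this bypasses it
    on purpose to show what the hand-written snippets do.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def find_unsafe_entries(archive: bytes, dest: str) -> list:
    """Return the names of entries whose resolved target would not sit
    below dest. Catches '..' segments and absolute entry names alike."""
    root = Path(dest).resolve()
    offenders = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            candidate = (root / info.filename).resolve()
            if candidate != root and root not in candidate.parents:
                offenders.append(info.filename)
    return offenders


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened extractor: validate every entry first, then write.
    Failing closed before any write means a single bad entry cannot
    leave a half-extracted archive behind."""
    offenders = find_unsafe_entries(archive, dest)
    if offenders:
        raise ValueError(f"Zip Slip: entries escape {dest!r}: {offenders}")
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demonstrate() -> dict:
    """Run both extractors on the constructed archive inside temp dirs
    and report what each one did."""
    archive = build_sample_archive()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Nested so that '../../evil.sh' lands in tmp/a, still inside tmp.
        dest = os.path.join(tmp, "a", "b", "c")
        os.makedirs(dest)
        naive_extract(archive, dest)
        results["naive_wrote_outside_dest"] = os.path.isfile(
            os.path.join(tmp, "a", "evil.sh"))
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "c")
        os.makedirs(dest)
        try:
            safe_extract(archive, dest)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        results["safe_wrote_anything"] = any(
            p.is_file() for p in Path(tmp).rglob("*"))
    return results


if __name__ == "__main__":
    print(demonstrate())
```

The check in `find_unsafe_entries` is the one piece that matters: compare the fully resolved target against the fully resolved destination, not the raw string, so that “..” segments, absolute entry names and platform path quirks are all handled the same way. `Path.resolve()` follows symlinks that already exist on disk, so an archive cannot later be tricked by a directory the extractor itself created; formats that can carry symlink entries need an additional check on the link target before creating it.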
The company has been coordinating the vulnerability disclosure with affected projects it has identified since April 15. Many of them have released new versions that address the vulnerability. Among them are the Apache commons-compress library; the unzipper, adm-zip, codehaus/plexus-archiver and zeroturnaround/zt-zip Node.js components; the DotNetZip.Semverd and SharpCompress .NET libraries and the mholt/archiver Go library.
However, there are other libraries and projects that haven’t been patched yet. Snyk published a list on GitHub with all the affected projects identified so far and their patching status. Users are invited to contribute to this list if they identify additional frameworks and libraries that are vulnerable to Zip Slip.
“Vulnerable projects include projects in various ecosystems that either use the libraries mentioned above or directly include vulnerable code,” the researchers said. “Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, LinkedIn, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google.”
Due to the poor tracking of vulnerabilities in code dependencies by developers in general, but especially in enterprise environments, many applications will likely remain affected by this flaw for a long time. Serious and widespread flaws such as Zip Slip highlight why it’s important for developers to maintain accurate “bills of materials” for their software projects and to monitor vulnerabilities found and patched in third-party components.