Zip Slip vulnerability affects thousands of projects

An arbitrary file overwrite vulnerability that can be exploited by attackers to achieve code execution on a target system affects a myriad of projects and multiple ecosystems, Snyk researchers have revealed.

Zip Slip vulnerability

About the vulnerability

The vulnerability, dubbed Zip Slip by the researchers, has been seen in the past before, but was never this widely spread, Snyk CEO Guy Podjarny told Help Net Security.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the company explained.

“The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking.”

Creating a malicious archive is easy with the right tools, the researchers said, and vulnerable libraries/code snippets are plentiful.

“Code is complicated, and developers are not security experts. Their focus is typically around delivering code on time and so can easily miss security flaws, even if the practice is known,” Podjarny noted.

“In today’s ever expanding open source world, developers rely heavily on shared libraries and copy-pasting code from social networks like StackOverflow to keep up. Such reuse helps accelerate development, but also means that vulnerability in shared code (library or other) gets spread dramatically faster, as we’ve seen in the case of Zip Slip.”

The company has also released a video demo of how the vulnerability can be exploited:

How widespread is it?

The Zip Slip vulnerability can affect numerous archive formats.

It has been found in many repositories across many ecosystems (Java, JavaScript, Ruby, .NET and Go) and in libraries that many thousands of applications depend on.

It is especially prevalent in Java, the researchers found, because there is no central library offering high level processing of archive files, so developers had to write their own code or use (vulnerable) shared code.

A list of affected libraries and projects can be found here, and the good news is that many project maintainers have already fixed the problem.

“We have worked extremely hard over the last few months to ensure that as many libraries, applications and frameworks have been made aware of the Zip Slip where we found them to be vulnerable. This includes fix advice where required and often raising PRs against third-party projects,” Podjarny shared.

“As a result, there are many major libraries and projects that have already been fixed! However, that doesn’t mean that everyone will switch to the latest version of these libraries.”

The company has also shared examples of vulnerable and directory traversal validation code in the various ecosystems, so developers can use them to check whether their archive processing code is vulnerable and fix the problem.

There’s been no mention of attackers exploiting the flaw, although there are tools out there that can be used to facilitate an attack.

“Detecting a system that was already exploited is very hard, as the result of the exploit is simply files on the system,” Podjarny noted.

“Exploit detection tools can identify attacks as they happen by inspecting zip and other archive files brought into the network from different sources, examine the files listed in them, and flag any file referring to external folders (e.g. ../../evil.exe). Note that archive files could either be uploaded to the application or downloaded from within, so both traffic sources should be monitored.”

Don't miss