An archive extraction vulnerability known as Zip Slip is putting thousands of open source projects across many ecosystems at risk. The affected projects include ones maintained by recognizable companies such as Amazon, HP, Apache and many others.

The vulnerability was publicly disclosed on June 5, 2018, shortly after the Snyk Security team discovered it in April 2018.

The critical vulnerability affects multiple ecosystems, including JavaScript, Ruby, .NET and Go. The disclosure also warned that, of the ecosystems listed, Java was the most susceptible because it has no central library offering high-level processing of archive files, leaving each project to write its own extraction logic.

What Is the Zip Slip Vulnerability?

Zip Slip is a form of directory traversal that is triggered when files are extracted from an archive. A crafted archive contains entries whose names include traversal sequences such as "../", so extraction code that does not validate entry paths writes those files outside the intended destination directory, overwriting existing files with attacker-controlled content. From there an attacker can pivot to remote command execution on the machine. The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

The Exploit

Exploiting this vulnerability requires two things: a malicious archive and extraction code that does not validate entry paths. Using Zip Slip, an attacker can overwrite legitimate executable files or configuration files of an application so that the targeted system or user runs the attacker's content, thus achieving remote command execution on the victim's machine.

The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and it can be exploited on both client (user) machines and servers.
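The validation the vulnerable extraction code lacks is shown below in Python, as an added example that is not code from the original post or from Snyk: every entry's write path is resolved and checked against the extraction root before anything touches the disk, and a constructed archive carrying a "../" entry is rejected as a whole. Function names and the sample archives are this example's own.

```python
import io
import os
import tempfile
import zipfile

def resolve_entry(dest_dir, entry_name):
    """Write path for an entry, or None if it escapes dest_dir. realpath collapses
    '..' and symlinks; commonpath (not startswith) so /srv/app rejects /srv/app2/x."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    return target if os.path.commonpath([root, target]) == root else None

def safe_extract(archive_bytes, dest_dir):
    """Validate every entry before writing; one bad entry rejects the whole archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan = [(i, resolve_entry(dest_dir, i.filename)) for i in zf.infolist()]
        bad = [i.filename for i, t in plan if t is None]
        if bad:
            raise ValueError(f"entries escape {dest_dir}: {bad}")
        written = []
        for info, target in plan:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_archive(entries):
    """Constructed sample archive; writestr keeps a '../' entry name verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    benign = build_archive({"docs/readme.txt": b"hello"})  # constructed input
    hostile = build_archive({"../evil.txt": b"x", "ok.txt": b"fine"})  # constructed input
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        ok = [os.path.relpath(p, os.path.realpath(dest)) for p in safe_extract(benign, dest)]
        try:
            safe_extract(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
        escaped = os.path.exists(os.path.join(tmp, "evil.txt"))
    return {"benign_written": ok, "hostile_rejected": rejected, "file_escaped": escaped}
```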

Who Is Vulnerable to This Attack?

Any user of a library that contains the Zip Slip vulnerability, or any project that directly contains vulnerable code which extracts files from an archive without the required directory validation.

Affected Libraries and Fixes

Below is a list of vulnerable libraries. Fixes are also provided where applicable.

Affected Projects and Fixes

Below is a list of vendor projects. Fixes are also provided where applicable.
