Open Source Projects Hit by a Critical Security Flaw


Faults in hand-crafted archive file-processing library code have spread the flaw to thousands of open-source projects

Zip Slip is a widespread, critical arbitrary file overwrite vulnerability that typically results in remote command execution. It was discovered and disclosed by the Snyk Security team, and it affects thousands of projects, including open-source web application projects.

Traversal attack

The affected code snippets contain a vulnerability, dubbed Zip Slip, that exposes an application to a directory traversal attack. The flaw allows an attacker to reach the root directory and, from there, achieve remote command execution.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but it is especially prevalent in Java, where there is no central library offering high-level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being handcrafted and shared among developer communities such as Stack Overflow.

Exploitable application flow


Two parts are required to exploit this application flow: a malicious archive and extraction code that does not validate entry paths. To exploit Zip Slip, an attacker uses a specially crafted archive file whose entries contain extra directory path components designed to traverse up to the root directory as the file is extracted.

The premise of a directory traversal vulnerability is that an attacker can gain access to parts of the file system outside the target folder in which the extracted files should reside.

Are you vulnerable?

You are vulnerable if you are either using a library that contains the Zip Slip vulnerability or your project directly contains vulnerable code that extracts files from an archive without the necessary directory traversal validation.
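The "directory traversal validation" the article refers to is a single check applied to every archive entry before it is written: resolve the entry's final path and confirm it still sits inside the intended target folder. The following is an added example, not code from the article or from Snyk; it is written in Python rather than the Java the article singles out, because the check is identical in every ecosystem, and it builds its own small test archive (a constructed sample with one benign entry and one traversal entry) so it runs offline.

```python
import io
import os
import tempfile
import zipfile


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if the entry would land inside dest_dir after normalisation.

    This is the directory traversal validation that vulnerable extraction code omits.
    """
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    # commonpath (not startswith) avoids the "/out" vs "/outside" prefix trap
    return os.path.commonpath([base, target]) == base


def extract_safely(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract a zip into dest_dir, refusing any entry that escapes it.

    Returns the names of rejected entries so the caller can log or alert on them.
    """
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            out_path = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_test_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("../../escaped.txt", "must never be written outside dest")
    return buf.getvalue()


def run_demo() -> tuple:
    """Extract the sample into a temp dir; return (rejected names, files written)."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = extract_safely(build_test_archive(), dest)
        written = sorted(os.listdir(dest))
    return rejected, written
```

Note that the check also rejects absolute entry names and `sub/../../x` style entries, because both are resolved before comparison rather than matched as raw strings.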

The Snyk security team is maintaining a GitHub repository listing all projects that have been found vulnerable to Zip Slip and responsibly disclosed to, including fix dates and versions. The repository is open to contributions from the wider community to ensure it holds the most up-to-date status.
