LTS Secure Warning: Attackers deploying malware in archive files via the Zip Slip flaw

Security researchers at Snyk, a British software company, have identified a critical vulnerability, “Zip Slip”, that affects thousands of projects across many industries. The vulnerability lies in the way coders, plugins, and libraries have implemented the decompression of archive files. It affects most archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

Technical Details

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high-level processing of archive (e.g. Zip) files.

The lack of such a library led to vulnerable code snippets being handcrafted and shared among developer communities such as Stack Overflow. The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

Impact

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive.

  • The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside.
  • The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
  • This vulnerability can cause damage by overwriting configuration files or other sensitive resources and can be exploited on both client machines and servers.

Recommended Action

Search through your projects for the vulnerable code. In each ecosystem section, you’ll see example snippets of code highlighting the specific vulnerability.

The accompanying validation code can be added to the vulnerable snippet to test for directory traversal. You should search through your code for similar extract patterns, and ensure you’re on the fixed versions of the archive processing libraries that we have found to be vulnerable.
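As an added example (not code from this advisory or from Snyk), here is the kind of validation check described above, written in Go, one of the affected ecosystems: entry names read from a constructed in-memory zip are resolved against the destination directory, and any entry whose canonical path escapes it is reported instead of being accepted. The helper names (safePath, CheckArchive, buildArchive) are this example's own, and the file-writing step of a real extractor is left out so that only the check is shown.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip marks an entry whose resolved path leaves the destination directory.
var ErrZipSlip = errors.New("zip slip: entry escapes destination directory")

// safePath joins dest and an entry name and rejects the result unless it stays under
// dest; the separator suffix stops "../out2/x" passing when dest ends in ".../out".
func safePath(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join resolves "." and ".." segments
	if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

// CheckArchive splits the entries of an in-memory zip into those that resolve safely
// under dest (name -> target path) and those that would escape it; an extractor
// should write only the former.
func CheckArchive(archive []byte, dest string) (safe map[string]string, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // Go 1.20+ may flag ".." names itself
		return nil, nil, err
	}
	safe = map[string]string{}
	for _, f := range r.File {
		if target, perr := safePath(dest, f.Name); perr != nil {
			rejected = append(rejected, f.Name)
		} else {
			safe[f.Name] = target
		}
	}
	return safe, rejected, nil
}

// buildArchive is constructed sample data, not a real malicious file: one benign entry
// and one whose name carries the traversal pattern described above.
func buildArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range []string{"good.txt", "../../evil.txt"} {
		fw, _ := w.Create(n) // sample helper; errors ignored deliberately
		fw.Write([]byte("sample"))
	}
	w.Close()
	return buf.Bytes()
}
```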

Add Zip Slip security testing to your application build pipeline. If you’d prefer not to search through your direct and transitive dependencies to determine whether you’re using a vulnerable library, you can use a dependency vulnerability scanning tool. It’s good practice to add security testing to your development lifecycle stages, such as development, CI, deployment, and production. You can test your own projects (all the ecosystems mentioned above are supported) to determine whether they are vulnerable to Zip Slip.


Snyk has released a vulnerability report on Zip Slip
