LTS Secure Warning: Attackers deploying malware in archive files via the Zip Slip flaw

Security researchers at the British software company Snyk have identified a critical vulnerability, “Zip Slip”, that affects thousands of projects across many industries. The vulnerability lies in the way application code, plugins, and libraries implement the decompression of archive files. It affects most archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

Technical Details

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high-level processing of archive (e.g. Zip) files.

The lack of such a library led to vulnerable code snippets being handcrafted and shared among developer communities such as Stack Overflow. The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

Impact

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive.

  • The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which the extracted files should reside.
  • The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
  • This vulnerability can cause damage by overwriting configuration files or other sensitive resources and can be exploited on both client machines and servers.

Recommended Action

Search through your projects for the vulnerable code. In each ecosystem section, you’ll see example snippets of code highlighting the specific vulnerability.

The accompanying validation code can be added to the vulnerable snippet to test for directory traversal. You should search through your code for similar extraction patterns, and ensure you’re on the fixed versions of the archive processing libraries that have been found to be vulnerable.
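The traversal described under Impact, and the validation check recommended above, as an added example that is not part of this advisory or of Snyk's own code: the resolved path of every archive entry is checked against the destination directory before anything is written. The function names and the two constructed sample archives are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile

def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if entry_name, fully resolved, still lies inside dest_dir."""
    # Resolve "../", absolute and "a/../../b" names before the prefix check.
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    return target == dest_root or target.startswith(dest_root + os.sep)

def extract_safely(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract an in-memory zip into dest_dir, refusing traversing entries."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Check every name first so one bad entry rejects the whole archive.
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                raise ValueError(f"Zip Slip entry refused: {info.filename!r}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(os.path.realpath(dest_dir), info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def build_archive(entries: dict) -> bytes:
    """Build a constructed sample archive from {entry name: contents}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def try_extract(archive_bytes: bytes):
    """Extract into a throwaway directory; names written, or None if refused."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return extract_safely(archive_bytes, tmp)
        except ValueError:
            return None

# Constructed samples: a benign archive and one carrying a "../" entry.
BENIGN_ZIP = build_archive({"config/app.conf": "debug=false\n"})
MALICIOUS_ZIP = build_archive({"config/app.conf": "debug=false\n",
                               "../../escaped.txt": "outside the target\n"})
```

The same prefix check applies unchanged to tar, jar, war and the other formats named above, since the flaw is in the entry name, not the container format.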

Add Zip Slip Security testing to your application build pipeline. If you’d prefer not to search through your direct and transitive dependencies to determine if you’re using a vulnerable library, you can choose a dependency vulnerability scanning tool. It’s a good practice to add security testing into your development lifecycle stages, such as during development, CI, deployment, and production. You can test your own projects (all the ecosystems mentioned above are supported) to determine if they are vulnerable to Zip Slip.


Snyk has released a vulnerability report on Zip Slip