Security researchers today revealed details of a critical vulnerability affecting open source libraries that handle archives.
Discovered by Synk researchers, the “Zip Slip” vulnerability is a problem in the way encoders, plug-ins and libraries have implemented the process of decompressing an archived archive.
Many file formats, including tar, jar, war, war, cpio, apk, rar, and 7z, are affected, which means that this is more of a theoretical problem than a specific coding error.
Vulnerability causes files to be unpacked in the wrong places
According to the researchers, Zip Slip is a combination of an “arbitrary file overwrite” and a “directory path” that can lead to situations where an attacker can unzip files outside the normal decompression path and overwrite sensitive files, such as critical operating system libraries or the Configuration File server.
“The two parts necessary to exploit this vulnerability is a malicious file and an extraction code that does not perform validation verification,” Synk’s team said today in a security advisory.
Researchers said they found this flaw in April and have been working with maintainers of several open source libraries that were vulnerable to this attack.
Several open source libraries affected
The Synk team has posted a list of libraries affected by Zip Slip on GitHub.
Although libraries written in various programming languages are known to be affected, such as JavaScript, Python, Ruby,.NET, Go, and Groovy, the problem mainly affects the Java ecosystem because an official library is not recommended for handling compressed files.
Instead, developers have created and used a variety of libraries for this purpose, most of which are vulnerable to Zip Slip. Also, the problem is so widespread that it was even found that some codeshares in StackOverflow were vulnerable to Zip Slip, meaning that many desktops, mobile, or web applications are written in Java can be susceptible to Zip Slip without developers know it.
To help developers understand the Zip Slip attack and help them detect if their applications are vulnerable, the Synk team has released a white paper detailing the Zip Slip bug in much greater depth.
Researchers have also released proof-of-concept Zip Slip files for developers to test their applications for the vulnerability.
A demonstration video is also available below: