Neurosis ... Eternal chuffin' Neurosis.
That will be the legacy of the interweb.
Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system – and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, are path traversals that can potentially be …
No, this isn't a zip bomb. Those are zip files or other archive files that decompress to a bunch of data. Sometimes they are also recursive so they decompress to multiple copies of themselves. The goal of an archive bomb is making the system run out of resources: memory or disk if the zips expand to a lot of data, processor if they are recursive. Thus, the program running them will crash or run into problems.
This file wouldn't cause a crash. Instead, it would write files to a location that isn't planned. For example, imagine that you unzip a file on Windows in c:\Users\me\extract. Normally, all the contents will be under that folder. The zip file, however, can be constructed so that it also decompresses to c:\windows\system32\explorer.exe. This overwrites it with a different file that contains malware, and now running the formerly trusted explorer process will infect the system. The zip is not meant to crash the system, but to infect it.
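The check that the vulnerable libraries skipped, shown as an added example (not code from the article or from any of the affected projects): a constructed in-memory zip carrying one benign entry and one "../" entry, and an extractor that resolves each entry against the destination directory and refuses anything that lands outside it. Names such as build_sample_zip and safe_extract are this example's own.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (not the one from the thread): one benign entry
# and one whose name climbs out of the extraction directory, as in Zip Slip.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", "harmless\n")
        zf.writestr("../../../../../../../../tmp/evil.txt", "overwrite me\n")
    return buf.getvalue()

def is_within(base: str, name: str) -> bool:
    """True only if archive entry `name` resolves to a path under `base`."""
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return False  # absolute names would replace `base` in os.path.join
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)

def safe_extract(data: bytes, dest: str):
    """Extract entries that stay under `dest`; return (kept, rejected) names."""
    kept, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_within(dest, info.filename):
                rejected.append(info.filename)  # the Zip Slip entry ends up here
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as out:
                    out.write(src.read())
            kept.append(info.filename)
    return kept, rejected

def demo():
    """Extract the sample into a fresh temp dir; report what was kept/rejected."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    kept, rejected = safe_extract(build_sample_zip(), dest)
    good_present = os.path.isfile(os.path.join(dest, "good.txt"))
    return kept, rejected, good_present

if __name__ == "__main__":
    print(demo())
```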
"The zip file, however, can be constructed so that it also decompresses to c:\windows\system32\explorer.exe."
So long as the file isn't in use, of course... which it will be, unless you're using something else as SHELL. Unless it somehow manages to terminate the process when it reaches that point in the archive, overwrite it and when the shell reloads - that's when you're in for a world of pain.
unpack a compressed file and overwrite system files....
*sigh*
I have a Ruby on Rails app that has yet to be burnt to the ground. When I inherited it, it was running as root. It took me all of 20 minutes to fix it to run as other than root. Oddly, it's using one of these libraries, and it cannot now write to system space. It can bugger up its own install but not the system.
Mine's the one with the flame thrower in the backpack. Looks like I'ma needin that ....
*Sigh*, I tested this as soon as THN broke it on Twitter, it's just for libraries.
Untarring and unzipping as root is dumb (I did it on a throwaway VM so you don't have to...) but Linux command line zip and tar are both patched in the shell anyway, since the 1990s for tar and somewhere around 2006 for zip. I didn't even bother testing the other variants. It really is the old 2006 path recursive attack that some libraries were never fixed for still in use, except it has a logo, and people running round Twitter trying to make a "name" for themselves in the security community to get hired.
root@testbox:/home/testuser/zip-slip-vulnerability/archives# tar -xvf zip-slip.tar
good.txt
tar: Removing leading `../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt: Member name contains '..'
tar: Exiting with failure status due to previous errors
root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -la *evil*
ls: cannot access '*evil*': No such file or directory
root@testbox:/home/testuser/zip-slip-vulnerability/archives#
root@testbox:/home/testuser/zip-slip-vulnerability/archives# unzip zip-slip.zip
Archive: zip-slip.zip
extracting: good.txt
warning: skipped "../" path component(s) in ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
extracting: tmp/evil.txt
root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -lR tmp
tmp:
total 4
-rw-r--r-- 1 root root 20 Apr 15 22:04 evil.txt
root@testbox:/home/testuser/zip-slip-vulnerability/archives#
If you're going to run "unzip" as an administrator then you're very careless.
Or you're doing it deliberately. It's been a way to install or update stuff since forever. If you didn't intend to give an absolute path when you created your tar it's also been a way to make a balls-up for just as long. I'm sure somebody would have a "Who, me?" story on that.
HEY, YOU KIDS! WHO SAID YOU COULD RESURRECT OUR VULNERABILITY? THERE'S A REASON WE KILLED THAT ONE OFF DECADES AGO!
Honestly, you try to teach 'em, you try to bring 'em up right, but will they listen? No. Of course not. What do us grey haired old fuddy-duddies know about code testing?
Jan. 1st - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.
Jan. 8th - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.
Jan. 15th - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.
Jan. 22nd - "insecure code [...] fixes [...] pushed out to the public so people can install them and be safe." You were unsafe before. You install updates. You are now safe.
...we keep using that word, "safe". I don't think it means what we seem to think it means.