Hand-made archive file processing software libraries may have left thousands of open source projects vulnerable to remote command execution.
The widespread Zip Slip archive extraction bug was disclosed today by security firm Snyk, which reports it affects Apache Hadoop and projects from HP, Amazon, Oracle and others via software libraries that developers have hand-crafted so their software can process .zip archive files.
This functionality is often added because some ecosystems, such as Java, don’t provide a central software library that enables full extraction of archive files. So, developers build their own and share them on developer communities such as StackOverflow.
According to Snyk, this sharing of code, whether private or public, has caused the same mistake to be replicated across many projects. Besides .zip, it can also affect other archive formats such as .tar, .jar, .war, .cpio, .apk, .rar, and 7z.
The attacker needs to use a specially crafted archive file containing extra directory paths that wouldn’t normally be present if the archive file was created using standard tools.
An attacker can, however, easily rig those entry paths so that files are written outside the target directory when the archive is extracted; hence it is called a directory traversal vulnerability.
The vulnerability found in many code snippets and software libraries is due to a failure to validate file paths in an archive file.
Many libraries have since fixed this issue during Snyk’s coordinated disclosure, which began in April, according to Snyk’s blogpost. However, developers that use any of the vulnerable versions of these archive processing libraries will need to update to a fixed version.
“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” Snyk explains in a technical paper.
“The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.”
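As an added illustration, not code from the article or from any of the affected libraries, the Go snippet below shows the path check that the hand-rolled extractors described above omit: each entry name is joined to the destination directory and rejected if the cleaned result lands outside it. It builds a small constructed archive in memory, with one entry carrying the extra directory segments the article describes, and reports which entries would be accepted; the destination path and entry names are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"os"
	"path/filepath"
	"strings"
)

// SafeTarget resolves an archive entry name under dest and reports whether the
// result stays inside dest: the check a Zip Slip-vulnerable extractor skips.
func SafeTarget(dest, name string) (string, bool) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, name) // Join collapses "../" segments
	if target == root || strings.HasPrefix(target, root+string(os.PathSeparator)) {
		return target, true
	}
	return target, false
}

// Triage reads a zip held in memory and sorts its entry names into those that
// resolve under dest and those that would escape it; refuse the archive if any.
func Triage(data []byte, dest string) (accepted, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil { // Go 1.20+ may flag non-local names via GODEBUG yet still return r
		return nil, nil, err
	}
	for _, f := range r.File {
		if _, ok := SafeTarget(dest, f.Name); ok {
			accepted = append(accepted, f.Name)
		} else {
			rejected = append(rejected, f.Name)
		}
	}
	return accepted, rejected, nil
}

// CraftedArchive is a constructed sample: two entries that stay under the
// destination and one with "../" segments a standard zip tool would not emit.
func CraftedArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"docs/readme.txt", "../../escaped.txt", "docs/../notes.txt"} {
		fw, _ := w.Create(name)
		fw.Write([]byte("constructed content"))
	}
	w.Close()
	return buf.Bytes()
}
```

Go 1.20 and later also provide filepath.IsLocal, which performs the same locality test on a bare entry name.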
Snyk has published a list on GitHub of affected archive processing libraries for Java, .NET, Oracle, Apache, Ruby, and Go software.