UPDATED 20:46 EST / JUNE 05 2018

INFRA

‘Zip Slip’ vulnerability affects projects across multiple coding languages and companies

Researchers at cybersecurity firm Synk Ltd. have uncovered a new vulnerability that affects thousands of projects, including ones designed across multiple programming languages used by some of the largest companies in the business.

Dubbed “Zip Slip,” the issue is an arbitrary file overwrite vulnerability — that is, the ability to overwrite an existing file. It’s triggered by a directory traversal attack, an HTTP attack that allows attackers to access restricted directories, while extracting files from an archive.

As the name suggests, the vulnerability relates to archiving formats such as the well-known ZIP format but also covers a range of others, including tar, jar, war, cpio, apk, rar and 7z. According to the researchers, the vulnerability can lead to situations where an attacker can unzip files outside the normal unzip path and overwrite sensitive files.

The files that can be overwritten include those coded in JavaScript, Ruby, .NET and Go, but it’s especially prevalent in Java and affects thousands of projects, including ones from Hewlett Packard Enterprise Co., Amazon.com Inc., Apache open-source projects, Pivotal Software Inc. and many more.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the researchers explained. “The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

Along with publishing a technical paper explaining the vulnerability, the researchers also published details of a proof of concept attack using the method.

“Given the severity and widespread nature of the ZipSlip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable either through other libraries or your own code,” Synk’s Danny Grander wrote in a blog post that included the details of the proof-of-concept attack.

Image: Synk

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU