Experts at Snyk, a cybersecurity firm, have identified a critical vulnerability dubbed “Zip Slip,” which affects several projects across various industries.
The British security company's experts indicate that attackers could exploit the flaw, which has remained concealed for quite some time, to execute arbitrary code on vulnerable systems.
How Zip Slip Works
The Zip Slip vulnerability is, surprisingly, not a new phenomenon, although it had not previously been recognized as this widespread. It allows an attacker to overwrite existing sensitive files. At its root is a directory traversal attack: when an application extracts an archive, crafted entry paths let attackers reach directories outside the intended extraction folder.
As its name suggests, Zip Slip relates to archiving formats like the popular zip format, while it also covers a wide array of others that include jar, tar, cpio, war, rar, 7z and apk.
In their report, the Snyk researchers outlined that this vulnerability can result in situations where attackers can unzip files outside the normal unzip path and subsequently overwrite sensitive files.
The Snyk team further explained that the vulnerability is a type of directory traversal which can be exploited through the extraction of files from an archive.
The basis of this directory traversal vulnerability is that attackers can gain access to parts of the file system outside the target folder where they should stay.
Attackers can subsequently overwrite files and either trigger them remotely or wait for the user or system to invoke them, thereby achieving command execution on the victim's machine.
Zip Slip can also cause damage by overwriting sensitive resources and configuration files, and may be exploited on both servers and user machines.
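To make the mechanism concrete, here is an added Python example (not Snyk's code, nor that of any affected project) that puts the unsafe path handling behind Zip Slip next to a hardened extractor. The archive contents, entry names and destination paths are constructed for the illustration; the hardened extractor validates every entry before writing anything, so one bad entry means nothing from that archive reaches disk.

```python
"""Added example: the naive join that lets an archive entry escape its
extraction folder, and a fail-closed extractor that refuses such entries."""
import io
import os
import tempfile
import zipfile


class UnsafeArchive(ValueError):
    """Raised when any entry would be written outside the destination."""

    def __init__(self, entries):
        super().__init__(f"entries escape the extraction directory: {entries}")
        self.entries = entries


def build_sample_zip(with_traversal: bool) -> bytes:
    """Constructed sample archive: one benign entry and, optionally, one
    whose name uses '..' segments to climb out of the extraction folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        if with_traversal:
            zf.writestr("../../escaped.txt", "this would land outside\n")
    return buf.getvalue()


def naive_target(dest: str, entry_name: str) -> str:
    """The vulnerable pattern found in many hand-rolled extractors: trust the
    entry name and join it onto dest. The '..' segments survive, so the file
    is opened two directories above the intended folder."""
    return os.path.normpath(os.path.join(dest, entry_name))


def resolve_entry(dest: str, entry_name: str) -> str:
    """Where an entry would actually land. Backslashes are normalized first
    (Windows extractors treat them as separators), then the whole path is
    resolved so '..' segments and symlinked directories are accounted for."""
    dest_real = os.path.realpath(dest)
    return os.path.realpath(os.path.join(dest_real, entry_name.replace("\\", "/")))


def escapes_destination(dest: str, entry_name: str) -> bool:
    """True when the resolved entry path is not inside dest (covers '..'
    segments, absolute entry names and backslash-separated names)."""
    dest_real = os.path.realpath(dest)
    return os.path.commonpath([dest_real, resolve_entry(dest, entry_name)]) != dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Validate every entry name, then extract. Returns the entry names
    written. Python's own ZipFile.extract() already strips '..', so the
    bytes are written by hand here to mirror the libraries the report covers."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        bad = [i.filename for i in infos if escapes_destination(dest, i.filename)]
        if bad:
            raise UnsafeArchive(bad)  # refuse before any side effect
        written = []
        for info in infos:
            target = resolve_entry(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
        return written


def demo() -> dict:
    """Constructed walk-through in a scratch directory: the traversal archive
    is refused with nothing written; the benign archive extracts normally."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        try:
            safe_extract(build_sample_zip(with_traversal=True), dest)
            result["rejected"] = []
        except UnsafeArchive as exc:
            result["rejected"] = exc.entries
        result["written_after_reject"] = sorted(os.listdir(dest))
        result["benign_written"] = safe_extract(build_sample_zip(with_traversal=False), dest)
    return result


if __name__ == "__main__":
    print(naive_target("/srv/app/uploads/out", "../../escaped.txt"))
    print(demo())
```

The check resolves both the destination and the candidate path with realpath before comparing, rather than testing the raw entry name for a leading "..", because a name such as "docs/../../escaped.txt" only reveals itself once normalized.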
How Widespread Is Zip Slip?
As noted above, the vulnerability can affect multiple archive formats and has already been identified in numerous repositories across various ecosystems and libraries on which thousands of applications depend.
It is particularly prevalent in Java, as the researchers outlined, primarily because of the lack of a central library that offers high-level processing of archive files; developers therefore had to either write their own extraction code or reuse shared snippets.
The Snyk research team has already compiled a list of projects and libraries affected, and the positive thing is that numerous project owners have already fixed the problem.
The security firm says the team has spent the last several months making sure that the applications, frameworks and libraries it found susceptible were informed of the vulnerability.
In addition, the firm indicated that, as a result, numerous significant projects and libraries have already been fixed. Nonetheless, this does not mean that everyone has already moved to the fixed versions of these libraries.
The security firm has also gone a step further and shared examples of directory traversal validation code and vulnerable code in the several ecosystems.
This is so that developers can use them to check whether their archive processing code is vulnerable and then fix the issue. They also posted a demo video to show how the vulnerability works.
So far, there is no report of attackers having exploited, or currently exploiting, the vulnerability, though there are several tools that can be used to facilitate an attack.
The Snyk team noted that identifying a system that was already compromised is quite tricky, since all the exploit leaves behind is files on the network.
Reportedly, exploit detection tools can recognize attacks as they occur by inspecting zip and other archive files imported into the network from diverse sources. They can also check every file registered in those archives and flag any entry whose path points to a folder outside the extraction directory.
Lastly, the Snyk researchers point out that archive files can either be downloaded by the application or uploaded to it, so it is important to monitor both traffic directions.
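The archive-inspection approach described in the last two paragraphs, as an added Python example (not code from Snyk or from this article): a scanner that walks the entries of zip and tar files and flags any whose path would resolve outside the extraction root, including absolute paths, backslash-separated Windows paths and, for tar, symlink and hardlink targets. The sample archives are constructed in memory for the illustration, and the entry names in them are hypothetical.

```python
"""Added example: flag archive entries whose paths point outside the
extraction root, the check a gateway or upload handler would run on zip and
tar files before anything extracts them."""
import io
import posixpath
import tarfile
import zipfile

PATH_ESCAPES = "entry path leaves extraction root"
SYMLINK_ESCAPES = "symlink target leaves extraction root"
HARDLINK_ESCAPES = "hardlink target leaves extraction root"


def path_escapes(name: str) -> bool:
    """True if an entry name would resolve outside the extraction root.
    Backslashes are treated as separators (Windows extractors do), then the
    path is normalized; absolute paths, drive-letter paths and anything that
    still begins with '..' after normalization are flagged."""
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if normalized.startswith("/") or normalized[1:2] == ":":
        return True
    return normalized == ".." or normalized.startswith("../")


def scan_zip(data: bytes) -> list:
    """Return (entry name, reason) for every zip entry that escapes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if path_escapes(info.filename):
                findings.append((info.filename, PATH_ESCAPES))
    return findings


def scan_tar(data: bytes) -> list:
    """Return (entry name, reason) for tar members that escape. A symlink
    target is relative to the link's own directory; a hardlink target names
    another archive entry, so it is checked like an entry name."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if path_escapes(member.name):
                findings.append((member.name, PATH_ESCAPES))
            elif member.issym():
                target = posixpath.join(posixpath.dirname(member.name), member.linkname)
                if path_escapes(target):
                    findings.append((member.name, SYMLINK_ESCAPES))
            elif member.islnk() and path_escapes(member.linkname):
                findings.append((member.name, HARDLINK_ESCAPES))
    return findings


def scan_archive(data: bytes) -> list:
    """Dispatch on the container format; zip is detected by signature,
    anything else is handed to the tar reader."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return scan_zip(data)
    return scan_tar(data)


def build_zip_sample() -> bytes:
    """Constructed sample: one benign entry plus three escaping shapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.yml", "key: value\n")
        zf.writestr("../../outside.txt", "dot-dot segments\n")
        zf.writestr("..\\..\\outside-win.txt", "backslash separators\n")
        zf.writestr("/abs/outside.txt", "absolute path\n")
    return buf.getvalue()


def build_tar_sample() -> bytes:
    """Constructed sample: a benign file, a symlink pointing above the root,
    and an entry name with a '..' segment."""
    buf = io.BytesIO()
    payload = b"benign\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        regular = tarfile.TarInfo("pkg/data.bin")
        regular.size = len(payload)
        tf.addfile(regular, io.BytesIO(payload))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside-target"
        tf.addfile(link)
        escaping = tarfile.TarInfo("../outside.txt")
        escaping.size = len(payload)
        tf.addfile(escaping, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("zip", build_zip_sample()), ("tar", build_tar_sample())):
        for name, reason in scan_archive(sample):
            print(f"{label}: {name!r}: {reason}")
```

Scanning only the entry table is cheap, so it fits in the upload and download paths the article says both need monitoring; it does not replace validation at extraction time, since the scanner cannot know which directory a downstream extractor will use.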