Zip Slip is a widespread critical archive decompression vulnerability that allows attackers to write arbitrary files to the system, which usually leads to remote execution of commands. It was discovered and disclosed by the Snyk Security team in anticipation of a public disclosure on June 5, 2018 and affected thousands of projects, including HP, Amazon, Apache, Pivotal and many others.
Further information on the technical details of Zip Slip can be found at website.
Since then, most of the frameworks and languages in which these vulnerabilities were discovered have been fixed, and the vulnerability has not been heard for a long time.
The author surprised not so much with the vulnerability as with the technique of exploiting this vulnerability using the Race Condition.
Race Condition (note, Race condition), also competition is a design error of a multi-threaded system or application, in which the operation of the system or application depends on the order in which parts of the code are executed.
For excellent examples of exploiting such a vulnerability, see the link.
A detailed description of the vulnerability is given in issues to the project repository.
As for the features of operation – this is what the author writes:
Note that this will not work “out of the box” with .zip archives, since yauzl will throw an exception if the file name contains “..”.
However, since this package also supports symbolic links, we can use them instead to circumvent this limitation.
But simply adding a symlink for our purpose will not help. Since archive files are unpacked asynchronously, we will be in a race condition between unpacking a symbolic link and the file to which it refers.
Creating a directory, and inside it creating a symbolic link to its parent directory, we continue to create a sim. links to / and the file with the name using the loop structure of all sim. object references. As a result, we get something like:
ln -s ../ generic_dir/symlink_to_parent_dir
ln -s / symlink_to_root
Adding this to the archive allows us to always win the race!
Now try to imagine how it works! 😉
The identifier was reserved for this vulnerability: CVE-2020-12265.
Posted by Egor Bogomolov, Head of Information Security Servises, HackerU Russia