Zip Slip Returns to Node.js
Zip Slip is a widespread, critical archive-extraction vulnerability that allows attackers to write arbitrary files on the system, which usually leads to remote command execution. It was discovered by the Snyk Security team and publicly disclosed on June 5, 2018, and it affected thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others.
Further technical details on Zip Slip can be found on the website.
Since then, most of the frameworks and languages in which these vulnerabilities were found have been fixed, and nothing was heard of the vulnerability for a long time.
But recently a new case has appeared that is no less interesting than the previous ones:
Zip Slip in “decompress”, a popular library for Node.js.
What is surprising is not so much the vulnerability itself as the reporter's technique for exploiting it, which relies on a race condition.
A race condition is a design flaw in a multi-threaded system or application in which the behaviour of the system or application depends on the order in which parts of the code are executed.
Excellent examples of exploiting such vulnerabilities can be found at the link.
A detailed description of the vulnerability is given in the issue in the project repository.
As for the specifics of exploitation, this is what the reporter writes:
Note that this will not work “out of the box” with .zip archives, since yauzl will throw an exception if the file name contains “..”.
However, since this package also supports symbolic links, we can use them instead to circumvent this limitation.
But simply adding a symlink for our purpose will not help. Since archive files are unpacked asynchronously, we end up in a race condition between unpacking a symbolic link and the file to which it refers.
We create a directory and, inside it, a symbolic link to its parent directory; we then create a symbolic link to / and a file whose name loops through all of the symbolic links. As a result, we get something like:
mkdir generic_dir
ln -s ../ generic_dir/symlink_to_parent_dir
ln -s / symlink_to_root
touch generic_dir/symlink_to_parent_dir/generic_dir/symlink_to_parent_dir/[...]/symlink_to_root/tmp/slipped_zip.txt
Adding this to the archive allows us to always win the race!
Now try to imagine how it works! 😉
The identifier CVE-2020-12265 was reserved for this vulnerability.
Posted by Egor Bogomolov, Head of Information Security Services, HackerU Russia