Attackers can hide malware in archive files with Zip Slip flaw; here’s how to fight it

Author: | 07.06.2018

A recently disclosed vulnerability in how open source software libraries handle archive files reveals that it only takes a malicious archive and a lack of validation checking to give total control of a victim machine to an attacker.

Dubbed Zip Slip, the vulnerability was discovered by researchers from software firm Snyk, and it affects multiple ecosystems and thousands of projects, including those from major companies like HP and Amazon.

«Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution,» the Snyk team said. It has been found in JavaScript, Ruby, .NET, and Go and is especially prevalent in Java because there is no central library for handling archive files.

The list of affected projects published on GitHub by Snyk is extensive, and anyone who uses open source libraries should take a look to be sure they aren’t vulnerable.

How Zip Slip works

At its core Zip Slip is fairly simple to understand: it’s a directory traversal attack carried in the file names stored inside an archive. An entry whose name contains «../» segments is written outside the intended extraction directory when the archive is decompressed without checks.

Directory traversal attacks rely on «..», the parent-directory reference, in place of a real directory name; enough repeated «../» segments walk up from the extraction directory to any location the extracting process can write to, up to and including the root of the filesystem. If the decompression software validates the resolved destination path of each entry before writing it, the traversal fails and Zip Slip is stopped.

The problem is that many open source software libraries don’t validate entry paths when decompressing, allowing Zip Slip to freely drop off its malicious payload.

Once decompressed Zip Slip’s malicious code can «overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine,» Snyk said.

Defending against Zip Slip

Snyk gives a few suggestions for protecting yourself against Zip Slip, and the process is fairly simple.

First off, check your projects for vulnerable code. Snyk has provided snippets of vulnerable code for Java, Groovy, JavaScript, .NET, Go, Ruby, and Python.


If you’ve determined you’re vulnerable, you can find links to updated versions by following the GitHub link to the Zip Slip project given above. After that you should be all set: as long as your code checks that each entry’s destination path, once resolved, still lies inside the extraction directory, you’re protected.
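To make both the mechanism described under «How Zip Slip works» and the check described here concrete, the following is an added example (it is not Snyk’s code and not one of the vulnerable snippets from the Zip Slip project). It builds a constructed archive in memory whose second entry is named «../../evil.sh», extracts it with a hand-rolled loop that joins the entry name onto the target directory without validation, and then extracts it again with a hardened loop that resolves each destination path and refuses anything that leaves the extraction directory. The directory names, the payload and the helper names (`extract_vulnerable`, `safe_target`, `extract_safe`, `demo`) are all assumptions made for the demonstration.

```python
"""Zip Slip demo: a naive extractor beside a hardened one (added example, not Snyk's code)."""
import io
import shutil
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the extraction directory."""


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one harmless entry, one whose name climbs out of the target dir.

    zipfile stores the entry name verbatim, so '../../evil.sh' survives into the central directory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless\n")
        zf.writestr("../../evil.sh", "#!/bin/sh\necho pwned\n")   # hypothetical payload
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: Path) -> list:
    """The Zip Slip pattern: dest joined with the untrusted entry name, no check at all.

    Python's own ZipFile.extractall() strips '..' components; hand-rolled loops like this do not.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename          # '..' segments are kept, so this can leave dest
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target.resolve())       # canonical path of what actually landed on disk
    return written


def safe_target(dest, name: str) -> Path:
    """Resolve dest/name to a canonical absolute path and require it to stay inside dest.

    Resolving first collapses '..' and symlinked parents, so the check sees the real destination.
    An absolute entry name (which Path joining would let replace dest) is rejected the same way.
    """
    root = Path(dest).resolve()
    candidate = (root / name).resolve()
    if candidate != root and root not in candidate.parents:
        raise ZipSlipError(f"entry {name!r} would be written to {candidate}, outside {root}")
    return candidate


def is_safe_name(dest, name: str) -> bool:
    """Boolean form of safe_target, handy for scanning an archive listing before touching disk."""
    try:
        safe_target(dest, name)
        return True
    except ZipSlipError:
        return False


def extract_safe(zip_bytes: bytes, dest: Path) -> list:
    """Hardened extractor: validate every entry name first, then write; a bad archive writes nothing."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a throwaway tree: where the naive one wrote, and whether the safe one refused."""
    payload = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        dest = base / "app" / "uploads" / "extract"   # nested, so '../../' stays inside the temp tree
        dest.mkdir(parents=True)
        escaped = [p.relative_to(base).as_posix()
                   for p in extract_vulnerable(payload, dest) if dest not in p.parents]
        try:
            extract_safe(payload, base / "safe")
            rejected = False
        except ZipSlipError:
            rejected = True
        return {"escaped": escaped, "rejected": rejected}


if __name__ == "__main__":
    print(demo())   # {'escaped': ['app/evil.sh'], 'rejected': True}
```

Two design points are worth noting. The check compares canonical paths rather than looking for the substring «..» in the name, because a name such as «docs/../../x» or an absolute name like «/etc/passwd» escapes just as well without a leading «../». And the hardened extractor validates the whole listing before writing anything, so a tampered archive fails closed instead of leaving a half-extracted tree behind.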

Some software developers may have hundreds of libraries to search through, making a manual search for the vulnerable snippets impractical. For those people Snyk recommends using a dependency vulnerability scanning tool to search for vulnerable code as part of your development cycle.

The fix for this problem is simple, and the alternative is potentially devastating. Check your code today to make sure Zip Slip doesn’t affect your projects.

The big takeaways for tech leaders:

  • A new vulnerability affecting open source software libraries could give remote execution capabilities to an attacker who can get a malicious archive processed by a vulnerable project.
  • The problem exists across multiple ecosystems but is simple to identify and fix. Open source library users are advised to secure their systems immediately.


Image: iStock/RGBAlpha
