Zip Slip: a sneaky way to install malware using zip and other packing utilities

Packing files into archives like zips, tars, jars, wars, cpios, apks, rars and 7zs is a common way to keep important files and filesystem structures together when sharing them; it's also a source of potentially dangerous malware attacks.

In a new paper the security research organization Snyk details an attack they call Zip Slip, which exploits a bug in thousands of archiving and de-archiving utilities, including ones from HP, Amazon, Apache and Pivotal.

Zip Slip is a "directory traversal" attack, which exploits lax checking during unpacking, allowing the attacker to craft an archive that drops files in arbitrary directories anywhere on your hard drive, even overwriting key components.

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.

Zip Slip Vulnerability [Snyk]

(via /.)