British software company Snyk on Tuesday disclosed a critical vulnerability dubbed “Zip Slip,” having identified an issue that affects projects from the likes of Google, Amazon, Twitter, Alibaba, IBM, Oracle, and LinkedIn. The flaw has gone undetected for years and is present in numerous instances of code that’s exposing millions of people to risk. The vulnerability can be exploited with a custom-built archive that overwrites files after being extracted, potentially hijacking entire systems.
The arbitrary file overwrite flaw is particularly problematic in Java because the language lacks a central, widely used library for handling archive files. That gap is a large part of the reason the vulnerability went unresolved for years: the same vulnerable extraction code ended up being copied and shared across numerous developer communities. The flaw is exploited with a crafted archive whose entry names contain path traversal sequences; when such a name is joined to the chosen extraction directory, the entry's contents are written outside the user-selected target folder, Snyk explains, adding that the vulnerability affects the vast majority of the world's most popular archive formats, such as 7z, tar, war, xz, cpio, and bzip2. Entries that break out of their intended extraction directory can affect both servers and client devices, overwriting sensitive files with the goal of compromising systems. As a result, Zip Slip can serve as a stepping stone to arbitrary code execution, possibly an even more serious issue.
Zip Slip can affect any given project either through a third-party library or through its own native extraction code; refer to the banner below for a complete list of all vulnerable libraries and projects, some of which have already been fixed in the two months since Snyk began privately disclosing the vulnerability to affected parties. Ruby and Python are the only two ecosystems that Snyk vetted for Zip Slip without identifying any weak points.
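The check that fixes for this class of flaw boil down to, shown here as an added example that is not code from Snyk's report or from any of the affected projects: canonicalise each archive entry name against the extraction directory and refuse any entry that would land outside it. It is exercised on constructed tar and zip archives that each carry one traversal entry; the target path /srv/extract and the sample member names are assumptions.

```python
import io
import os
import tarfile
import zipfile


def escapes_dir(target_dir: str, entry_name: str) -> bool:
    """True if joining entry_name onto target_dir would land outside target_dir.

    realpath() collapses '..' and resolves symlinks in existing components;
    commonpath() avoids the string-prefix mistake that accepts '/srv/extract2/x'
    under '/srv/extract'. An absolute entry name is rejected as well, because
    os.path.join discards target_dir when the second part is absolute.
    """
    target = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(target, entry_name))
    return os.path.commonpath([target, candidate]) != target


def archive_entry_names(data: bytes) -> list[str]:
    """Member names of an in-memory zip or (optionally compressed) tar archive."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        return tf.getnames()


def find_zip_slip_entries(data: bytes, target_dir: str) -> list[str]:
    """Entries that would be written outside target_dir; extract only if empty."""
    return [n for n in archive_entry_names(data) if escapes_dir(target_dir, n)]


# Constructed sample members (not real-world payloads): one benign entry and
# one whose name carries a traversal sequence; built in both tar and zip form.
SAMPLE_MEMBERS = (("docs/readme.txt", b"hello"), ("../../etc/evil.txt", b"owned"))


def build_sample_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in SAMPLE_MEMBERS:
            zf.writestr(name, body)
    return buf.getvalue()
```

Run the check before extracting anything and reject the whole archive when the returned list is non-empty.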
Zip Slip Report (GitHub)