We’re posting some information on the newly announced Zip Slip vulnerability. Expect more information later today, but for now we wanted to post some information so you aren’t blindsided when management inevitably asks. The link to the vulnerability announcement is here.
The Zip Slip vulnerability is a directory traversal vulnerability that is found in multiple libraries used by numerous applications. Successful exploitation of this vulnerability can result in the execution of arbitrary code as well as website defacement and other impacts.
The full number of vulnerable applications is not yet known since the number of vulnerable libraries is fairly large and an unknown number of applications (particularly custom intranet deployed applications) are likely to use these vulnerable libraries. Updating libraries as they are patched is an obvious measure, but since the vulnerability has been around for quite a while, the number of libraries built from vulnerable code bases is likely very large.
If your applications allow users (particularly unauthenticated users) to upload archive files (including, but not limited to zip), you should be particularly concerned about this vulnerability. If you have no such applications in your environment, then your risk of exploitation is much lower. An additional exploit vector to consider are email gateways (spam and DLP filters) which may rely on vulnerable libraries. There are certainly other attack surfaces for Zip Slip, but the two primary attack surfaces we see at Rendition Infosec are:
- Web applications that allow users (particularly unauthenticated users) to upload compressed files that are processed by the server
- Mail gateways (e.g. spam, DLP, etc.) servers that process compressed files from unknown senders
Again, expect more information later today from Rendition Infosce on Zip Slip.
Edit: here’s a link to download our quickly developed script (Zip Traction) for checking archives for Zip Slip payloads: