A critical vulnerability disclosed by security researchers at Snyk affects many open source coding libraries. The vulnerability, dubbed “Zip Slip”, exists because of the way coders implement libraries and plugins that decompress archived files.
Many archive formats, including tar, jar, war, cpio, apk and 7z, are affected by this bug. The vulnerability causes files to be unzipped into an unintended location: Zip Slip combines directory traversal with arbitrary file overwrite. An attacker can have files extracted outside of the specified location, which in some cases may overwrite sensitive operating system files and can potentially allow for a buffer overflow or crash critical programs.
“The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking,” the Snyk team said today in a security advisory.
The vulnerability is widespread, appearing in many places including code shared on StackOverflow. Many apps written in Java may be vulnerable to Zip Slip without their developers even knowing. The Snyk team has published a technical paper showing how the Zip Slip bug affects systems. The researchers have also published a proof-of-concept Zip Slip archive that developers can use to test their apps for the vulnerability, and they have provided a demo video of the vulnerability.
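The missing validation the advisory refers to is a check that each archive entry, once joined to the destination directory and normalised, still resolves inside that directory. The following is an added example (not Snyk's code or their proof-of-concept archive): it builds a small in-memory zip containing a benign entry and a constructed traversal entry, and shows an extractor that validates every entry name before writing anything. The archive contents, the function names and the temporary destination directory are all assumptions made for this illustration.

```python
"""Defensive extraction check for the Zip Slip pattern (added example).

Builds a constructed sample archive with one normal entry and one
traversal entry, then extracts with a path check that rejects any
entry resolving outside the destination directory.
"""
import io
import os
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive entry would land outside the destination."""


def build_malicious_archive() -> bytes:
    # Constructed sample: a benign entry plus an entry whose name
    # climbs out of the extraction directory with "../".
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../evil.txt", "overwritten")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    # Constructed sample containing only a well-behaved entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
    return buf.getvalue()


def is_within(dest_dir: str, entry_name: str) -> bool:
    """True if entry_name, joined to dest_dir and resolved, stays inside dest_dir.

    realpath() collapses "..", and os.path.join() discards dest_dir when the
    entry name is absolute, so both "../x" and "/etc/x" end up rejected here.
    """
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract every entry; refuse the whole archive if any entry escapes."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Validate all names before writing, so a bad archive writes nothing.
        for info in zf.infolist():
            if not is_within(dest_dir, info.filename):
                raise ZipSlipError(f"entry escapes destination: {info.filename!r}")
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_dir))
    return written


def demo() -> dict:
    """Run a rejection case and an acceptance case; return what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(build_malicious_archive(), tmp)
            result["malicious_rejected"] = False
        except ZipSlipError:
            result["malicious_rejected"] = True
        # Nothing was written from the rejected archive.
        result["dest_empty_after_reject"] = os.listdir(tmp) == []
        result["benign_written"] = safe_extract(build_benign_archive(), tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done over the full entry list before the first write, so a rejected archive leaves the destination untouched rather than partially extracted. The same `is_within` test applies to tar entries; with Python's `tarfile` the member name is `TarInfo.name`, and link targets need the same treatment.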
By Harikrishna Mekala