Zip Slip is a critical security vulnerability that affects archive extraction libraries. It occurs when an attacker creates a malicious archive (e.g., a zip file) that contains file paths designed to "slip" out of the target directory during extraction. The malicious archive typically contains specially crafted paths like ../../../../../etc/passwd, which use directory traversal characters (../) to escape the intended extraction directory.
This flaw is dangerous because it allows an attacker to write files outside the intended extraction folder, potentially overwriting system files or executing arbitrary code if critical files are modified.
The attack is enabled due to poor handling of file paths during the archive extraction process. In a vulnerable application, if the file paths are not properly validated, the extraction can create or overwrite files anywhere on the filesystem.
Let’s break it down with a quick example:
- An attacker creates a zip file with a file path like
../../../../../../../../tmp/malicious_file.sh. - When extracted, the zip file is intended to create a harmless file in the extraction folder.
- However, the
../../pattern traverses up the directory tree, and the resulting path ends up in/tmp/malicious_file.sh. - If a script or system utility executes this file, the attacker can gain control over the system.
An attacker targets a server that extracts zip files uploaded by users. They craft a zip file containing a path like ../../../etc/cron.d/malicious_cron. Upon extraction, the malicious file is written to the /etc/cron.d/ directory, setting up a scheduled task that grants the attacker a reverse shell at midnight.
A vulnerable system extracts zip files as part of a CI/CD process. An attacker uploads a zip containing ../../../opt/service/start.sh, which overwrites the existing startup script. The next time the service restarts, the attacker's payload is executed, leading to remote code execution (RCE).
An archive contains ../../../../../../home/user/.ssh/authorized_keys. When extracted, the file is placed in the target’s SSH configuration directory, giving the attacker SSH access to the victim's machine.
- Web Applications: Allowing users to upload zip files without proper validation.
- CI/CD Pipelines: Automated systems that unpack files for build processes.
- Plugin & Theme Installers: Unpacking third-party extensions and assets without sanitizing paths.
- Backup Systems: Systems that restore from compressed archives without verifying paths.
The tool provided here is for educational purposes only and should be used solely in controlled environments where you have explicit permission to test. Testing on systems without authorization can have serious legal implications.
If you’re developing or maintaining software that handles zip file extractions, make sure to validate file paths during extraction and sanitize any path inputs to prevent attackers from exploiting this vulnerability.
- Sanitize Paths: Always resolve paths to their absolute values before extraction and ensure that they remain within the target directory.
- Use Security Libraries: Use libraries or functions that explicitly handle file paths and directory traversal issues.
- Reject Suspicious Paths: Reject any file paths containing
..or absolute path patterns.
-
Install Rust: Make sure you have Rust installed on your system. If not, install it via:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
-
Clone the Repository:
git clone https://github.com/copyleftdev/zslip.git cd zip_slip_demo -
Compile the Project:
cargo build
To generate a malicious zip file, run:
cargo run -- --path='../../../../../tmp/malicious_file.txt' --data='This is a malicious file!' malicious.zip- --path: The relative path you want to include in the zip file.
- --data: The content of the file.
- malicious.zip: The output zip file.
For more details on common directory paths across different operating systems (Linux, Windows, and macOS), refer to the PATHS file. This document contains a comprehensive list of critical system paths, user-specific directories, logs, and configuration file locations for each OS. Understanding these paths is crucial for both offense and defense, ensuring you know exactly where files may be written or modified.
- Zip Slip is a serious vulnerability that can lead to arbitrary file writes or code execution.
- Proper path validation and sanitization is key to defending against this exploit.
- Use the tool in a controlled environment to understand and mitigate the risks.
If you have any questions or want to learn more, feel free to reach out! And remember: stay safe, stay legal! 🛡️