Zip Slip (Exploit Kit) – Malware

Overview

Zip Slip is a dangerous class of vulnerabilities that exploits weaknesses in how applications handle compressed archive files, such as ZIP or TAR files. At its core, a Zip Slip vulnerability leverages path traversal techniques to enable arbitrary file writes on the targeted system. This type of attack can lead to severe consequences, including remote code execution (RCE), by placing malicious files in critical directories. The vulnerability arises when file paths within an archive are not properly validated during extraction, allowing attackers to craft filenames that traverse directories and overwrite or plant files in unintended locations.

The history of Zip Slip vulnerabilities dates back several decades, with its origins rooted in early bulletin board systems (BBS) and command-line tools used for file compression. The concept of exploiting directory traversal through archive extraction was first documented in the early 1990s and has since evolved, finding relevance in modern web applications. Despite its age, Zip Slip remains a potent threat due to the widespread use of compressed archives in software distribution, DevOps pipelines, and package managers.

One of the key reasons Zip Slip is particularly dangerous is its ability to bypass traditional security mechanisms. Since the vulnerability targets the file extraction process, which is often a trusted operation, malicious files can be executed or placed in sensitive areas without triggering security alerts. The attack’s effectiveness depends on the application’s permissions and the context in which the files are extracted, but when successful, it can provide attackers with a foothold to escalate privileges, exfiltrate data, or take control of the entire system.

Targets

Information

How they operate

The vulnerability arises from the way many libraries and applications process file paths during extraction. Typically, when an application extracts an archive, it trusts the paths specified within the archive’s metadata. If the application does not properly sanitize these paths, it is susceptible to directory traversal attacks. For instance, a malicious archive could include a file path like ../../../../etc/passwd, which, when extracted, would overwrite the system’s password file if the application is running with sufficient privileges. The impact of this vulnerability is magnified by the widespread use of libraries and frameworks that automate archive extraction, many of which were found to be vulnerable to Zip Slip.

To exploit Zip Slip, an attacker typically delivers a specially crafted archive to the target system, which is then extracted by the vulnerable application. The archive might be disguised as a legitimate update package, a backup file, or any other common archive file. Upon extraction, the malicious file paths are processed by the application, leading to the unintended file overwrite. If the attacker can control the contents and paths within the archive, they can precisely target files for overwriting. This could result in the installation of backdoors, the alteration of configuration files to weaken security, or the disruption of critical services.

Mitigating Zip Slip requires developers to adopt secure coding practices, particularly around file path handling during archive extraction. Key defenses include validating and sanitizing file paths before extraction, ensuring that no directory traversal sequences are present, and restricting file writes to within a predefined directory. Additionally, updating libraries and frameworks to patched versions that include protections against Zip Slip is crucial in preventing exploitation. Understanding the mechanics of Zip Slip is essential for developers and security professionals, as it highlights the dangers of unchecked file operations and the importance of secure programming practices.

MITRE Tactics and Techniques

Initial Access (TA0001)

Exploit Public-Facing Application (T1190)
Zip Slip can be leveraged as an initial access vector when attackers use a public-facing application that handles file uploads. By exploiting this vulnerability, attackers can gain a foothold within a network by uploading a maliciously crafted archive that triggers the vulnerability during extraction.

Execution (TA0002)

System Binary Proxy Execution (T1218)
Once the Zip Slip vulnerability is exploited, attackers can execute arbitrary code by placing malicious files in system directories or overwriting existing binaries. This can lead to unauthorized command execution.

Persistence (TA0003)

Create or Modify System Process (T1543)
Attackers may achieve persistence by using Zip Slip to write files that create or modify system processes. For example, placing a malicious script in a startup folder or overwriting legitimate services with their payload can allow them to maintain access.

Privilege Escalation (TA0004)

Path Interception by Unquoted Path (T1574.007)
Zip Slip can lead to privilege escalation if the attacker overwrites or places a malicious file in a directory that is later executed by a higher-privileged process. This technique often exploits the lack of sanitization in file paths during extraction.

Defense Evasion (TA0005)

Masquerading (T1036)
Zip Slip can be used to evade defenses by crafting filenames that appear legitimate or are hidden in subdirectories. The attacker may leverage this to avoid detection and ensure that the malicious payload is not flagged by security software.

Impact (TA0040)

Data Destruction (T1485)
If an attacker uses Zip Slip to overwrite critical files or place destructive scripts, it can lead to data destruction, affecting the integrity and availability of the system. This can have a significant impact, especially in environments that rely on the compromised data for operations.

References:

• Zip Slip meets Artifactory: A Bug Bounty Story