Critical Flaw in Zip Libraries Let Attackers Abuse ZIP archives

According to recent reports, a number of vulnerabilities have been discovered in widely used ZIP libraries of Swift and Flutter.

These packages are being utilized by numerous developers and applications, which significantly increases the potential attack surface.

Developers use ZIP packages to create a bundle of libraries, components, resources, and other app files used for the application’s functionality. A malicious ZIP package can severely impact the application and compromise its security.

Structure of a ZIP file

A ZIP file has four major parts that construct its structure. These parts have different functions, from the ZIP archive’s file name to the central directory’s access. The parts are,

• Local File Header – Contains essential information such as the file’s name, compression method, size, and other attributes.
• Data Descriptor – Stores CRC 32 (Cyclic redundancy check 32) checksum of the uncompressed data, the compressed and uncompressed data.
• Central Directory File Header – Contains metadata of each file within the archive.
• End of Central Directory Record (EOCD) – This is the section at the end of a ZIP file, which also marks the end of the central directory.

ZIP file Vulnerability types & CVE(s)

ZIP files have four most common types of vulnerabilities,

• ZIP Path Traversal – When the application has insufficient validation of zip entries’ file names.
• ZIP file name spoofing – If the parser reads only the Local file header and proceeds to extract the file in the Central Directory Entry.
• ZIP symlink path traversal – ZIP symlinks point to files outside the extraction directory, which could lead to overwriting sensitive data or code execution.
• ZIP Bomb – a ZIP file contains enormous amounts of compressed data, which can cause Denial-of-Service (DoS) when extracted.

The package of analyzed ZIP files includes Archive, Flutter_archive, ZIPFoundation, ZIP, and ZIPArchive (SSZIPArchive), which resulted in the discovery of four major vulnerabilities.

Package: Archive

ZIP filename spoofing (CVE-2023-39137)

The archive package parses only the filename from the Local File header, leading to an inconsistency. Threat actors can use this vulnerability to craft a malicious ZIP file that has different filenames in the Local File header and Central Directory Entry.

ZIP symlink path traversal (CVE-2023-39139)

It was also found that this package also links symlinks back after extraction. In addition to that, the links can also point to any path outside of the directory.

Package: ZIPFoundation

ZIP symlink path traversal (CVE-2023-39138)

ZIPfoundation package passes the path from the zip entry directory to the fileManager.createSymbolicLink without proper check, leading to symlink pointing outside the extraction directory.

Package: Zip

ZIP path traversal (CVE-2023-39135)

The zip package uses the unzipfile function to extract zip files. However, the pathString from the zip entry is directly sent to the destination without proper sanitization, which can be abused and perform a path traversal.

Package: ZIPArchive (SSZIPArchive)

Denial of Service (CVE-2023-39136)

ZIPArchive has implemented proper sanitization for checking filenames by prepending them with file:\\\ prefix to the zip entry path. However, this can be bypassed if the filenames are presented with /.. Prefix resulting in the sanitization becoming file:\\ with 7 characters, which normally requires 8. This leads to a Denial-of-Service (DoS) attack on the application.

The Summary of the vulnerabilities discovered depending on their package is given below.

These vulnerabilities were reported to the concerned authors, and developers are recommended to stay up-to-date about the security updates to prevent malicious actors.

Source: https://cybersecuritynews.com/critical-flaw-zip-libraries/