Security researchers at British software firm Snyk have revealed details of a critical vulnerability that affects thousands of projects across many ecosystems and can be exploited by attackers to achieve code execution on the target systems.

Dubbed "Zip Slip," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an archive and affects numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

Thousands of projects written in various programming languages including JavaScript, Ruby, Java, .NET and Go—from Google, Oracle, IBM, Apache, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Eclipse, OWASP, ElasticSearch, JetBrains and more—contained vulnerable codes and libraries.

Went undetected for years, the vulnerability can be exploited using a specially crafted archive file that holds directory traversal filenames, which if extracted by any vulnerable code or a library, would allow attackers to unarchive malicious files outside of the folder where it should reside.
Using this Zip Slip attack an attacker can even overwrite legitimate executable files or configuration files for an application to trick the targeted system or the user into running it, "thus achieving remote command execution on the victim's machine," the company explains.
"The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers."
"The contents of this zip file have to be handcrafted. Archive creation tools don't typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it's easy to create files with these paths."
The company has also published proof-of-concept Zip Slip archives and released a video demonstration, showing how attackers can exploit the Zip Slip vulnerability.

Since April, the company started privately disclosing the Zip Slip vulnerability to all vulnerable libraries and projects maintainers.

A list of all affected libraries and projects has also been posted on Snyk's GitHub repository, some of which have already fixed the issue with the release of updated versions.

Moreover, you can also read Snyk's blog post to learn more about vulnerable codes in different ecosystems through example snippets.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.