Saturday, November 17 2018

“Zip Slip” A Critical Vulnerability Exploited in Zip

Zip Vulnerability: A critical vulnerability has been discovered by security researchers that affects many open source coding libraries.

The vulnerability, discovered by Snyk and named “Zip Slip”, arises from the way coders implement libraries and plug-ins when decompressing an archive file.

Many archive formats, such as tar, jar, war, cpio, apk and 7z, are affected by this bug. In essence, the vulnerability causes files to be unzipped into an unintended location.

Zip Slip can cause arbitrary file overwrite and directory traversal. An attacker can easily get files unzipped outside the intended directory, which in some cases might overwrite sensitive operating system files and in turn allow a buffer overflow or crash critical programs.

“The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking,” the Snyk team said today in a security advisory.
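The validation check the advisory refers to is the point at which a defender can stop Zip Slip: before writing any entry, resolve where it would land and refuse it if that is outside the destination directory. The following is an added example, not code from the article or from Snyk, showing that check in Python's standard library. It builds a small constructed archive in memory with one benign entry and one traversal entry (`../../escaped.txt`), then extracts it into a temporary directory; the `safe_extract`, `is_within_directory`, `build_sample_archive` and `demo` names are this example's own.

```python
import io
import os
import tempfile
import zipfile


def is_within_directory(base_dir, target_path):
    """Return True only if target_path, once fully resolved, stays inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return target == base or target.startswith(base + os.sep)


def safe_extract(zip_bytes, dest_dir):
    """Extract an archive held in zip_bytes into dest_dir.

    Every entry is resolved against dest_dir first; entries that are absolute or
    that escape dest_dir (e.g. via '..' components) are skipped rather than written.
    Returns (extracted_names, rejected_names).
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            candidate = os.path.join(dest_dir, name)
            # The core Zip Slip check: an absolute entry name or one that
            # resolves outside dest_dir must never touch the filesystem.
            if os.path.isabs(name) or not is_within_directory(dest_dir, candidate):
                rejected.append(name)
                continue
            if name.endswith("/"):
                os.makedirs(candidate, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(candidate), exist_ok=True)
                with zf.open(info) as src, open(candidate, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive():
    """Constructed test archive: one harmless entry plus one traversal entry.

    zipfile.writestr stores the entry name verbatim, so the '..' components
    survive into the archive exactly as an untrusted upload would carry them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good/readme.txt", "harmless content\n")
        zf.writestr("../../escaped.txt", "should never be written\n")
    return buf.getvalue()


def demo():
    """Run safe_extract on the constructed archive inside a fresh temp directory.

    Returns (extracted_names, rejected_names, readme_written, escaped_written).
    """
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    readme_written = os.path.isfile(os.path.join(dest, "good", "readme.txt"))
    escaped_written = os.path.exists(
        os.path.realpath(os.path.join(dest, "../../escaped.txt"))
    )
    return extracted, rejected, readme_written, escaped_written


if __name__ == "__main__":
    ex, rej, readme_ok, escaped = demo()
    print("extracted:", ex)
    print("rejected: ", rej)
    print("readme written:", readme_ok, "| escaped file written:", escaped)
```

Two design points are worth noting. The check compares canonical paths (`os.path.realpath`) with a trailing separator appended to the base, so a destination of `/srv/app` does not accidentally accept `/srv/app-evil/x`. And symlink entries are written as plain files containing the link target text rather than as links, so a later entry cannot be routed through a link the archive itself created; an extractor that does honour symlinks needs the same resolution check applied again after each entry is written.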

The Snyk team has listed on GitHub a number of libraries affected by Zip Slip, written in languages such as JavaScript, Python, Ruby, .NET, GoLang and Groovy. The problem has hit the Java ecosystem in particular.

The vulnerable pattern has spread across a wide variety of platforms, including code snippets shared on StackOverflow.

The majority of apps written in Java may be exposed to Zip Slip without their developers even knowing.

The Snyk team has published a technical paper showing how the Zip Slip bug affects the whole system.

The researchers have also published a proof-of-concept Zip Slip archive that developers can use to test their apps against the vulnerability.

Finally, they have released a video demo of the vulnerability.

About Jahanzaib Khan

Jahanzaib Khan is the CEO of JahaSoft.Pk, a web development, digital marketing and web hosting company based in Pakistan. https://www.JahaSoft.pk
