Security researchers at British software firm Snyk have revealed details of a critical vulnerability that affects thousands of projects across many ecosystems and can be exploited by attackers to achieve code execution on the target systems. Dubbed "Zip Slip," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an archive and affects numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z.
Thousands of projects written in various programming languages including JavaScript, Ruby, Java, .NET and Go—from Google, Oracle, IBM, Apache, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Eclipse, OWASP, ElasticSearch, JetBrains and more—contained vulnerable codes and libraries.
Went undetected for years, the vulnerability can be exploited using a specially crafted archive file that holds directory traversal filenames, which if extracted by any vulnerable code or a library, would allow attackers to unarchive malicious files outside of the folder where it should reside.
Using this Zip Slip attack an attacker can even overwrite legitimate executable files or configuration files for an application to trick the targeted system or the user into running it, "thus achieving remote command execution on the victim's machine,"