Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Medium severity - Arbitrary File Write via Archive Extraction (Zip Slip) vulnerability in decompress-tar (package.json) #66

Open
github-actions bot opened this issue Apr 4, 2023 · 0 comments
Open

Medium severity - Arbitrary File Write via Archive Extraction (Zip Slip) vulnerability in decompress-tar (package.json) #66

github-actions bot opened this issue Apr 4, 2023 · 0 comments

Comments

@github-actions
Copy link

github-actions bot commented Apr 4, 2023

  • Package Manager: npm
  • Vulnerable module: decompress-tar
  • Introduced through: juice-shop@12.3.0, download@8.0.0 and others

Detailed paths

  • Introduced through: juice-shop@12.3.0 › download@8.0.0 › decompress@4.2.1 › decompress-tar@4.1.1
  • Introduced through: juice-shop@12.3.0 › download@8.0.0 › decompress@4.2.1 › decompress-tarbz2@4.1.1 › decompress-tar@4.1.1
  • Introduced through: juice-shop@12.3.0 › download@8.0.0 › decompress@4.2.1 › decompress-targz@4.1.1 › decompress-tar@4.1.1

Overview

decompress-tar is a tar plugin for decompress.
Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). It is possible to bypass the security measures provided by decompress and conduct ZIP path traversal through symlinks.

PoC

const decompress = require('decompress');

decompress('slip.tar.gz', 'dist').then(files => {
	console.log('done!');
});

Details

It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:


+2018-04-15 22:04:29 ..... 19 19 good.txt

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

Remediation

There is no fixed version for decompress-tar.

References
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants