Discord Server Red Security Twitter Donation to Red Security Red Security Youtube Channel Red Security Tumblr Profile
Login or Register to Hide ads and Accessing all features on the forum

News 

"Zip-Slip" Critical Vulnerability in Zip

0 Replies, 1342 Views

A critical vulnerability was exploited in the last few days by security researchers that spans multiple coding libraries. The exploit was discovered within "Synk", the "Zip-Slip" as it is being called, occurred because of how users implemented libraries in plugins when they decompress an archived file. A lot of Archive formats are affected by this exploit, including tar, jar, war, cpio, apk, and 7z.

This specific bug is causing files to unzip in unattended locations. It can cause an arbitrary file overwrite and directory traversal. An attacker can unzip files outside of the intended location which is in some cases might overwrite sensitive files of an operation system which could allow the attacker to utilize a buffer overflow attack or crash critical programs.

"The two parts to this required for this exploit to work is a malicious archive and extraction code that does not perform validation checking" as reported by the Synk team a day or so ago.

The same team has also reported that some libraries attached to GitHub, these ones written in programming languages such as JavaScript, Python, Ruby, .NET, GoLang and Groovy. The bug mainly affects the Java ecosystem.

The Synk team has published a technical paper going over the the bug and how it affects systems.

---Sh7nk-Z0id
01001001 00100000 01000001 01001101 00100000 01011010 01001111 01000100 01001001 01000001 01000011

Possibly Related Threads…
Thread Author Replies Views Last Post
Star News Update Windows 10 to patch critical vulnerability in Microsoft store games News 0 1,666 11-06-2020, 04:22 AM
Last Post: News
Star News IoT Vulnerability Disclosure Platform Launched News 0 1,794 10-20-2020, 09:58 AM
Last Post: News
Star News APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elect News 0 1,767 10-10-2020, 07:06 AM
Last Post: News
Star News Zerologon Vulnerability Used in APT Attacks News 0 1,627 10-07-2020, 11:12 AM
Last Post: News
Star News Vulnerability Disclosure Programs See Signups & Payouts Surge News 0 1,454 09-23-2020, 12:57 PM
Last Post: News
Star News Can Vulnerability Scanning Replace Penetration Testing? News 0 1,549 08-30-2020, 02:08 AM
Last Post: News
Star News Vulnerability Volume Poised to Overwhelm Infosec Teams News 0 1,554 08-28-2020, 09:14 AM
Last Post: News
Star News Vulnerability Prioritization: Are You Getting It Right? News 0 2,211 08-10-2020, 07:33 PM
Last Post: News
Smile News Critical Vulnerability In Bisq Crypto Exchange Exploited For Some Users Mr.Kurd 0 1,693 04-10-2020, 02:46 PM
Last Post: Mr.Kurd
Sad News Critical RCE Bug in WordPress Plugin Let Hackers Gain Admin Access on 200,000 Website Mr.Kurd 0 1,499 04-01-2020, 11:19 AM
Last Post: Mr.Kurd



Users browsing this thread: 1 Guest(s)