Discord Server Red Security Twitter Donation to Red Security Red Security Youtube Channel Red Security Tumblr Profile
Windscribe
Login or Register to Hide ads and Accessing all features on the forum
Thread Rating:
  • 4 Vote(s) - 2.25 Average
  • 1
  • 2
  • 3
  • 4
  • 5
News "Zip-Slip" Critical Vulnerability in Zip
#1
A critical vulnerability was exploited in the last few days by security researchers that spans multiple coding libraries. The exploit was discovered within "Synk", the "Zip-Slip" as it is being called, occurred because of how users implemented libraries in plugins when they decompress an archived file. A lot of Archive formats are affected by this exploit, including tar, jar, war, cpio, apk, and 7z.

This specific bug is causing files to unzip in unattended locations. It can cause an arbitrary file overwrite and directory traversal. An attacker can unzip files outside of the intended location which is in some cases might overwrite sensitive files of an operation system which could allow the attacker to utilize a buffer overflow attack or crash critical programs.

"The two parts to this required for this exploit to work is a malicious archive and extraction code that does not perform validation checking" as reported by the Synk team a day or so ago.

The same team has also reported that some libraries attached to GitHub, these ones written in programming languages such as JavaScript, Python, Ruby, .NET, GoLang and Groovy. The bug mainly affects the Java ecosystem.

The Synk team has published a technical paper going over the the bug and how it affects systems.

---Sh7nk-Z0id
01001001 00100000 01000001 01001101 00100000 01011010 01001111 01000100 01001001 01000001 01000011
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
Star News Update Windows 10 to patch critical vulnerability in Microsoft store games News 0 375 11-06-2020, 04:22 AM
Last Post: News
Star News IoT Vulnerability Disclosure Platform Launched News 0 405 10-20-2020, 09:58 AM
Last Post: News
Star News APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elect News 0 410 10-10-2020, 07:06 AM
Last Post: News
Star News Zerologon Vulnerability Used in APT Attacks News 0 427 10-07-2020, 11:12 AM
Last Post: News
Star News Vulnerability Disclosure Programs See Signups & Payouts Surge News 0 410 09-23-2020, 12:57 PM
Last Post: News
Star News Can Vulnerability Scanning Replace Penetration Testing? News 0 494 08-30-2020, 02:08 AM
Last Post: News
Star News Vulnerability Volume Poised to Overwhelm Infosec Teams News 0 467 08-28-2020, 09:14 AM
Last Post: News
Star News Vulnerability Prioritization: Are You Getting It Right? News 0 1,171 08-10-2020, 07:33 PM
Last Post: News
Smile News Critical Vulnerability In Bisq Crypto Exchange Exploited For Some Users Mr.Kurd 0 700 04-10-2020, 02:46 PM
Last Post: Mr.Kurd
Sad News Critical RCE Bug in WordPress Plugin Let Hackers Gain Admin Access on 200,000 Website Mr.Kurd 0 620 04-01-2020, 11:19 AM
Last Post: Mr.Kurd



Users browsing this thread: 1 Guest(s)