Path Traversal in konloch/bytecode-viewer

Valid

Reported on

Jan 5th 2022


Description

the.bytecode.club:Bytecode-Viewer is a lightweight user-friendly Java/Android Bytecode Viewer, Decompiler & More.

Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip").

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The Zip Slip vulnerability can affect numerous archive formats, including zip, jar, tar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

Proof of Concept

// Zipslip.class
import java.io.IOException;

import the.bytecode.club.bytecodeviewer.util.*;

public class Zipslip {

    public static void main(String[] args) {
        
        try {
            ZipUtils.unzipFilesToPath("C:\\evil.zip", "D:\\test\\test");  //evil.zip contains ../../evil.exe
        } catch (IOException e) {
            e.printStackTrace();
        }

    }

}

Impact

The impact of a Zip Slip vulnerability would allow an attacker to create or overwrite existing files on the filesystem. In the context of a web application, a web shell could be placed within the application directory to achieve code execution.

We are processing your report and will contact the konloch/bytecode-viewer team within 24 hours. 23 days ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 22 days ago
We have contacted a member of the konloch/bytecode-viewer team and are waiting to hear back 21 days ago
konloch
21 days ago

Maintainer


Hi, thank you for this report, I will let the collaborators know and we will look into this.

We have sent a follow up to the konloch/bytecode-viewer team. We will try again in 7 days. 18 days ago
konloch validated this vulnerability 17 days ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
ready-research
17 days ago

Researcher


@konloch Thanks for the quick response and fix. Please confirm the fix, to disclose this publicly.

konloch confirmed that a fix has been merged on c968e9 17 days ago
The fix bounty has been dropped
konloch
17 days ago

Maintainer


@ready-research thank you again for the report!

ready-research
17 days ago

Researcher


@admin Can I get a CVE for this?

@konloch Are you okay to assign a CVE for this issue? Which will alert the users of your package about this vulnerability. Huntr will assign a CVE if you agrees.

Jamie Slome
16 days ago

Admin


Once we get @maintainer approval, we are more than happy to assign a CVE here.

konloch
16 days ago

Maintainer


Hey everyone, I opened a security advisory on Github and they have been able to get a CVE for this issue - CVE-2022-21675

Here is the Github Security Advisory - https://github.com/Konloch/bytecode-viewer/security/advisories/GHSA-3wq9-j4fc-4wmc

Thank you again for this report!

Jamie Slome
15 days ago

Admin


@konlock - great!

For your reference, we can arrange the creation and publishing of a CVE on your behalf in the future, if you prefer.

Great work all! 🎊