Path Traversal in konloch/bytecode-viewer

Valid

Reported on

Jan 5th 2022

Description

the.bytecode.club:Bytecode-Viewer is a lightweight user-friendly Java/Android Bytecode Viewer, Decompiler & More.

Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip").

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The Zip Slip vulnerability can affect numerous archive formats, including zip, jar, tar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

Proof of Concept

// Zipslip.class
import java.io.IOException;

import the.bytecode.club.bytecodeviewer.util.*;

public class Zipslip {

    public static void main(String[] args) {
        
        try {
            ZipUtils.unzipFilesToPath("C:\\evil.zip", "D:\\test\\test");  //evil.zip contains ../../evil.exe
        } catch (IOException e) {
            e.printStackTrace();
        }

    }

}

Impact

The impact of a Zip Slip vulnerability would allow an attacker to create or overwrite existing files on the filesystem. In the context of a web application, a web shell could be placed within the application directory to achieve code execution.

We are processing your report and will contact the konloch/bytecode-viewer team within 24 hours. a year ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

We have contacted a member of the konloch/bytecode-viewer team and are waiting to hear back a year ago

konloch

commented a year ago

Maintainer

Hi, thank you for this report, I will let the collaborators know and we will look into this.

We have sent a follow up to the konloch/bytecode-viewer team. We will try again in 7 days. a year ago

konloch validated this vulnerability a year ago

ready-research has been awarded the disclosure bounty

The fix bounty is now up for grabs

ready-research

commented a year ago

Researcher

@konloch Thanks for the quick response and fix. Please confirm the fix, to disclose this publicly.

konloch marked this as fixed in v2.16.0 with commit c968e9 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

konloch

commented a year ago

Maintainer

@ready-research thank you again for the report!

ready-research

commented a year ago

Researcher

@admin Can I get a CVE for this?

@konloch Are you okay to assign a CVE for this issue? Which will alert the users of your package about this vulnerability. Huntr will assign a CVE if you agrees.

Jamie Slome

commented a year ago

Admin

Once we get @maintainer approval, we are more than happy to assign a CVE here.

konloch

commented a year ago

Maintainer

Hey everyone, I opened a security advisory on Github and they have been able to get a CVE for this issue - CVE-2022-21675

Here is the Github Security Advisory - https://github.com/Konloch/bytecode-viewer/security/advisories/GHSA-3wq9-j4fc-4wmc

Thank you again for this report!

Jamie Slome

commented a year ago

Admin

@konlock - great!

For your reference, we can arrange the creation and publishing of a CVE on your behalf in the future, if you prefer.

Great work all! 🎊

to join this conversation

We are processing your report and will contact the konloch/bytecode-viewer team within 24 hours. a year ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

We have contacted a member of the konloch/bytecode-viewer team and are waiting to hear back a year ago

konloch

commented a year ago

Maintainer

Hi, thank you for this report, I will let the collaborators know and we will look into this.

We have sent a follow up to the konloch/bytecode-viewer team. We will try again in 7 days. a year ago

konloch validated this vulnerability a year ago

ready-research has been awarded the disclosure bounty

The fix bounty is now up for grabs

ready-research

commented a year ago

Researcher

@konloch Thanks for the quick response and fix. Please confirm the fix, to disclose this publicly.

konloch marked this as fixed in v2.16.0 with commit c968e9 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

konloch

commented a year ago

Maintainer

@ready-research thank you again for the report!

ready-research

commented a year ago

Researcher

@admin Can I get a CVE for this?

@konloch Are you okay to assign a CVE for this issue? Which will alert the users of your package about this vulnerability. Huntr will assign a CVE if you agrees.

Jamie Slome

commented a year ago

Admin

Once we get @maintainer approval, we are more than happy to assign a CVE here.

konloch

commented a year ago

Maintainer

Hey everyone, I opened a security advisory on Github and they have been able to get a CVE for this issue - CVE-2022-21675

Here is the Github Security Advisory - https://github.com/Konloch/bytecode-viewer/security/advisories/GHSA-3wq9-j4fc-4wmc

Thank you again for this report!

Jamie Slome

commented a year ago

Admin

@konlock - great!

For your reference, we can arrange the creation and publishing of a CVE on your behalf in the future, if you prefer.

Great work all! 🎊

to join this conversation