Path traversal flaws like Zip Slip, which let an attacker write to arbitrary locations on the file system while an archive is being decompressed, remain a serious danger among current cybersecurity threats.
The vulnerability stems from inadequate validation of entry names in extraction code: an adversary embeds malicious paths in an archive's entries, and the extractor creates or overwrites files outside the intended directory; when the overwritten file is later executed or loaded, the result is code execution.
Publicly documented by Snyk in 2018 and affecting a wide array of formats including ZIP, TAR, RAR and 7Z, Zip Slip exploits the fact that every one of these formats stores a file path for each entry in its headers.
When a decompression tool honours those paths without rigorous sanitization, attackers can use relative ("../") or absolute paths to target sensitive system locations, potentially resulting in remote code execution or persistent backdoors.
This article delves into the mechanics of Zip Slip, highlighting its exploitation techniques and notable vulnerabilities that have impacted major software like WinRAR and Unrar.
Mechanics of Zip Slip Exploitation
According to an ASEC report, Zip Slip works by injecting crafted file paths into the metadata of compressed archives, which are then interpreted literally during extraction.
In essence, when a vulnerable decompression program encounters an entry name containing traversal sequences such as "../" or an absolute path, it neither normalizes nor restricts it, so the file is written wherever the path points.
For instance, on a Linux system an attacker might embed a path like "../../../../etc/passwd" in a ZIP archive; if the extraction runs with sufficient privileges (root, in this case) and the number of "../" segments reaches the file system root from the extraction directory, the system's password file is overwritten upon extraction, compromising user authentication.
Similarly, on Windows a path climbing into the user's Startup folder, such as "/../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/", can drop persistent malware that runs at the next logon, evading initial detection because the archive itself looks benign.
The vulnerability’s universality stems from the structural design of compression formats, where file headers explicitly store path information.
Consider the ZIP format's local file header, which begins with the signature bytes 50 4B 03 04 ("PK\x03\x04", read as the little-endian value 0x04034B50) and includes fields for the version needed to extract, the compression method (DEFLATE is method 8, stored little-endian as the bytes 08 00), timestamps, a CRC-32 checksum for integrity verification, and, crucially, the file name length followed by the file name itself starting at byte offset 30.
This file name field may hold a full relative path, which is what lets an archive create subdirectories, and equally what lets it traverse out of the extraction directory.
Attackers typically craft such entries with Python's zipfile module, which writes whatever name it is given, or by editing the archive's binary structure directly.
RAR and TAR have analogous structures: RAR's file block headers carry a path string, and TAR's header has a 100-byte name field (plus a 155-byte prefix field in the ustar variant), so the same attack applies.
7Z archives can even encrypt their headers so that entry names are not visible in plaintext, but once decrypted the paths are honoured like any other, so an extractor that skips validation after decryption is just as exposed. The remedy in every case is canonical path resolution followed by a boundary check in the decompression logic.
To illustrate, the following table outlines key components of a ZIP local file header, highlighting areas prone to manipulation:
| Bytes | Size | Description |
|---|---|---|
0 | 4 | Magic number (must be 50 4B 03 04) |
4 | 2 | Version needed to extract (minimum) |
6 | 2 | General purpose bit flag |
8 | 2 | Compression method (e.g., none = 0, DEFLATE = 8) |
10 | 2 | File last modification time |
12 | 2 | File last modification date |
14 | 4 | CRC-32 of uncompressed data |
18 | 4 | Compressed size (or FF FF FF FF for ZIP64) |
22 | 4 | Uncompressed size (or FF FF FF FF for ZIP64) |
26 | 2 | File name length (n) |
28 | 2 | Extra field length (m) |
30 | n | File name |
30+n | m | Extra field |
This structure reveals how the file name entry, unbounded by strict validation, becomes a vector for path traversal.
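The following Python script, added here as an illustration and not taken from the ASEC report or any of the products named in this article, ties the header layout above to the extraction bug: it uses the zipfile module to craft an archive whose entry is named "../../evil.txt" (a constructed sample), decodes the local file header by the byte offsets in the table to show the traversal string sitting in the file name field, and then runs the archive through a naive extractor that joins the name onto the destination directory and through a hardened extractor that canonicalizes each target and refuses anything outside the destination, which is the normalization-plus-boundary-check mitigation the article recommends. The helper names, the scratch directory layout and the entry names are assumptions of this example.

```python
"""Zip Slip walk-through: craft, inspect, extract naively, extract safely.

Added example; the entry names and scratch directory layout are constructed
for illustration and are not from the article or from any real product.
"""
import io
import struct
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"  # bytes 50 4B 03 04 at offset 0


def build_zip(entry_name: str, payload: bytes = b"owned\n") -> bytes:
    """Build an in-memory ZIP with an attacker-chosen entry name (constructed sample).

    ZipInfo stores the name verbatim, so "../" sequences survive unchanged.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(entry_name), payload,
                    compress_type=zipfile.ZIP_DEFLATED)  # method 8
    return buf.getvalue()


def parse_local_file_header(data: bytes, offset: int = 0) -> dict:
    """Decode one local file header using the byte offsets from the table."""
    if data[offset:offset + 4] != LOCAL_FILE_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    # offsets 4..30: five 2-byte fields, three 4-byte fields, two 2-byte fields
    (version, flags, method, mtime, mdate, crc32,
     csize, usize, name_len, extra_len) = struct.unpack_from(
        "<HHHHHIIIHH", data, offset + 4)
    name_start = offset + 30                      # file name begins at byte 30
    name = data[name_start:name_start + name_len].decode("utf-8")
    return {
        "version_needed": version, "flags": flags, "compression_method": method,
        "crc32": crc32, "compressed_size": csize, "uncompressed_size": usize,
        "file_name_length": name_len, "extra_field_length": extra_len,
        "file_name": name,
    }


def extract_naive(zip_bytes: bytes, dest: Path) -> list:
    """VULNERABLE: joins the entry name onto dest; the OS honours every '../'."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def safe_target(root: Path, entry_name: str) -> Path:
    """Map an entry name to a path inside root, or raise ValueError.

    Backslashes are normalised BEFORE validation (converting them afterwards is
    exactly the kind of ordering bug that has bitten extractors), absolute paths
    are rejected outright, and the canonical result must stay under root.
    """
    name = entry_name.replace("\\", "/")
    if PurePosixPath(name).is_absolute() or PureWindowsPath(name).is_absolute():
        raise ValueError(f"absolute path in archive entry: {entry_name!r}")
    root = root.resolve()
    target = (root / name).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"path traversal in archive entry: {entry_name!r}")
    return target


def extract_safe(zip_bytes: bytes, dest: Path) -> list:
    """HARDENED: every entry goes through safe_target() before anything is written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demonstrate() -> dict:
    """Run the crafted archive through both extractors in a scratch tree."""
    evil = build_zip("../../evil.txt")
    benign = build_zip("docs/readme.txt", b"hello\n")
    header = parse_local_file_header(evil)
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        dest = base / "a" / "b" / "extract"      # two levels below base
        dest.mkdir(parents=True)
        naive = extract_naive(evil, dest)       # lands in base/a/, outside dest
        try:
            extract_safe(evil, dest)
            rejected = False
        except ValueError:
            rejected = True
        ok = extract_safe(benign, dest)         # legitimate subdirectory still works
        return {
            "file_name": header["file_name"],
            "compression_method": header["compression_method"],
            "naive_wrote_to": str(naive[0].relative_to(base)),
            "naive_escaped": not naive[0].is_relative_to(dest),
            "safe_rejected": rejected,
            "safe_benign_wrote_to": str(ok[0].relative_to(base)),
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running the script shows "../../evil.txt" in the header's file name field with method 8, the naive extractor writing a/evil.txt two directories above the extraction folder, and the hardened extractor rejecting that entry while still unpacking docs/readme.txt where it belongs. Note that Python's own ZipFile.extractall() already sanitizes names this way; the naive function reimplements what a vulnerable extractor does, which is why it must never be used on untrusted input.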
Notable Vulnerabilities
Recent disclosures have amplified concerns over Zip Slip’s real-world impact. CVE-2025-8088, affecting WinRAR versions prior to 7.13, allows attackers to bypass path checks using “../” sequences combined with Alternate Data Streams (ADS), enabling arbitrary file creation.
Discovered by ESET researchers, this flaw has been exploited by the RomCom APT group in targeted campaigns.
Similarly, CVE-2025-6218 in WinRAR before 7.12 facilitates remote code execution by embedding spaces in relative paths, circumventing filters and allowing payload deployment.
Older issues include CVE-2022-30333 in Unrar before 6.12 on Unix-like systems, where a symbolic link whose target contained backslashes passed the path check because unrar converted the backslashes to forward slashes only afterwards, letting a follow-up entry written through the link land in files such as ~/.ssh/authorized_keys, and CVE-2018-20250 in WinRAR up to and including 5.61 (fixed by dropping ACE support in 5.70), which exploited ACE format handling in UNACEV2.dll to bypass character filters and reach parent directories.
In conclusion, Zip Slip's potency lies in its low barrier to exploitation: it requires only that a user extract an archive, which makes it a favoured tactic for planting payloads without asking the victim to run an executable.
Mitigation demands robust path handling in software, such as rejecting absolute paths and any entry whose canonical form escapes the extraction directory, alongside user vigilance against unsolicited archives.
Regular updates to tools like WinRAR are essential, as unpatched versions remain gateways for advanced persistent threats.
As compression utilities are embedded in broader ecosystems, including automated build pipelines and cloud services that unpack untrusted uploads, addressing Zip Slip through secure coding practices is imperative to safeguard against evolving file manipulation attacks.