New Zip Slip Vulnerability Lets Attackers Execute Arbitrary Code


A Zip Slip vulnerability was discovered in Artifactory, the leading software repository manager, allowing attackers to execute arbitrary code through path traversal attacks.

JFrog’s Artifactory is a market-leading software repository manager. It offers a unified solution for organizing and controlling all the files, binaries, packages, components, and artifacts used across the software supply chain.

In early 2021, Egidio Romano, an IT security consultant, discovered a Zip Slip vulnerability in Artifactory. He reported the security flaw to JFrog’s private bug bounty program and was awarded USD 5,000 for it.

Typically, a Zip Slip is an arbitrary file write vulnerability that can be exploited via Path Traversal attacks while processing or extracting an archive file, such as a Zip or Tar archive.

Understanding Path Traversal Attacks

A Path Traversal attack (Directory Traversal) takes advantage of insufficient input validation of user-supplied file names.

As a result, characters that indicate “traverse to parent directory”—also known as dot-dot-slash (../) sequences—are delivered to the file system API of the operating system. 

Attackers may use a susceptible program to obtain unauthorized access to the file system and read or write any file on the system.


Indeed, an application may be vulnerable to Path Traversal attacks in both read and write operations.

In the former case, these attacks yield arbitrary file read primitives that open up Information Disclosure attack vectors; in the latter, they yield arbitrary file write primitives that can lead to Remote Code Execution (RCE).

Zip Slip Vulnerability in JFrog Artifactory

A Zip Slip vulnerability is located in the org.artifactory.addon.bower.helpers.BowerExternalDependenciesHandler class. 

When handling the “external dependencies rewrite” of Bower packages, the extractBowerPackage() function is invoked.

This, in turn, calls the vulnerable copyEntryToFile() method for each entry inside the Bower package (which is expected to be a .tar.gz file).

Each entry is then extracted from the package and written to the file system through a File object built from the entry’s filename.

“This can be exploited to write (or overwrite) arbitrary files on the remote web server by providing a malicious Bower package containing dot-dot-slash (../) sequences within its entry filenames, resulting in Remote Code Execution (RCE) attacks”, reads the blog.

Romano claims that although an admin account is needed to create the Bower repositories, this does not always imply that an admin account is needed to exploit the bug successfully. 

Non-admin users having the ability to deploy artifacts in a Bower Virtual Repository with the “Enable Dependency Rewrite” option selected may also take advantage of it.
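As an added example (not Artifactory’s code, which the article does not reproduce), the following Python extractor applies the check that a Zip Slip-safe copyEntryToFile() needs: each entry name is joined to the destination directory, resolved, and rejected unless the result still lies beneath that directory. The package contents and entry names are constructed test input.

```python
import io
import os
import tarfile
import tempfile

def make_archive(names):
    """Build a .tar.gz in memory whose entries carry the given names (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"placeholder\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_safe_entry(dest_dir, entry_name):
    """True only if the entry, once joined and resolved, still lies inside dest_dir.
    realpath() collapses '../' sequences, and os.path.join() lets an absolute
    entry name replace dest_dir entirely, so both escape attempts end up outside."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    return os.path.commonpath([dest_root, target]) == dest_root

def extract_safely(archive_bytes, dest_dir):
    """Extract regular-file entries that stay inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Directories are created on demand below; anything that escapes is skipped
            # before the file system is touched.
            if not member.isfile() or not is_safe_entry(dest_dir, member.name):
                rejected.append(member.name)
                continue
            target = os.path.realpath(os.path.join(dest_dir, member.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(member.name)
    return written, rejected

def demo():
    """Run the check on a constructed package mixing benign and traversal entries."""
    base = tempfile.mkdtemp(prefix="bower-extract-")
    dest = os.path.join(base, "pkg")
    os.makedirs(dest)
    archive = make_archive(["bower.json", "lib/index.js", "../escaped.txt", "/tmp/absolute.txt"])
    written, rejected = extract_safely(archive, dest)
    escaped = os.path.exists(os.path.join(base, "escaped.txt"))  # would be True for a naive extractor
    return {"written": written, "rejected": rejected, "escaped": escaped}
```

Python 3.12 also ships a `filter="data"` argument to `tarfile.extractall()` that refuses such entries, which is the preferable route where the interpreter version allows it.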

Final Words

As in 99% of cases, these kinds of security flaws originate from human error, such as forgetfulness or erroneous assumptions.

Zip Slip simply exploits a developer’s failure to validate archive entry names, using a Path Traversal vulnerability to write arbitrary files into unexpected folders.

In this case, attackers may use this to gain total control of devices running programs that are susceptible to Zip Slip attacks.
