Several directory traversal vulnerabilities #369

Closed
tuzovakaoff opened this issue Jun 14, 2018 · 2 comments

@tuzovakaoff

commented Jun 14, 2018

Overview

This issue is similar to the already closed #315, but I found two ways to bypass that fix.

You can find the test files at https://github.com/tuzovakaoff/zip_path_traversal

Proof of concept:

rubyzip.rb

```ruby
require 'zip'
first_arg, *the_rest = ARGV

Zip::File.open(first_arg) do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    # Extracts to the raw entry name; no destination directory is supplied.
    entry.extract(entry.name)
  end
end
```

1. Files with absolute path

UnZip strips the absolute path

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> unzip absolutepath.zip
Archive:  absolutepath.zip
warning:  stripped absolute path spec from /tmp/
   creating: tmp/
warning:  stripped absolute path spec from /tmp/file.txt
  inflating: tmp/file.txt

> ls
absolutepath.zip	symlink.zip
rubyzip.rb		tmp

rubyzip extracts files with an absolute path

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> ruby rubyzip.rb absolutepath.zip
Extracting /tmp/
Extracting /tmp/file.txt

> ls
absolutepath.zip        rubyzip.rb              symlink.zip

> ls /tmp
file.txt

2. Archive with symbolic link

UnZip extracts only the symbolic link

> unzip symlink.zip
Archive:  symlink.zip
    linking: path                    -> ../../../../../tmp
checkdir error:  path exists but is not directory
                 unable to process path/file.txt.
finishing deferred symbolic links:
  path                   -> ../../../../../tmp


> ls -l path
lrwxr-xr-x  1 user  group  18 Jun 14 21:19 path -> ../../../../../tmp

rubyzip extracts the symbolic link and puts the file into the /tmp folder

> ruby rubyzip.rb symlink.zip 
Extracting path
Extracting path/file.txt

> ls -l path
lrwxr-xr-x  1 user  group  18 Jun 14 21:22 path -> ../../../../../tmp

>ls /tmp
file.txt

Vulnerable version and test environment

> uname -rsv
Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64

> ruby -v
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin17]

> gem list | grep zip
rubyzip (1.2.1)

> uname -rsv
Linux 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016

> ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

> gem list | grep zip
rubyzip (1.2.1)
@abergmann


commented Jun 27, 2018

CVE-2018-1000544 was assigned to this issue.

zammad-sync pushed a commit to zammad/zammad that referenced this issue Aug 27, 2018

Added dependency vulnerability check exclusion for CVE-2018-1000544 (rubyzip/rubyzip#369) which only affects test env (selenium-webdriver dependency) until it's resolved (rubyzip/rubyzip#376).

@Bodacious Bodacious referenced this issue Aug 27, 2018

Merged

Issue 532 #1847

mkdynamic added a commit to delighted/rubyzip that referenced this issue Aug 28, 2018

mkdynamic added a commit to delighted/roo that referenced this issue Aug 28, 2018

marekciupak added a commit to marekciupak/myroomie that referenced this issue Sep 1, 2018

Update rubyzip
To fix the following vulnerability:

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
@mrtc0


commented Sep 3, 2018

Hi,

I think that this fix is inadequate.
The following code can still Pass Traversal and extract to /tmp/ .

```
$ zipinfo absolutepath.zip
Archive:  absolutepath.zip
Zip file size: 289 bytes, number of entries: 2
drwxr-xr-x  2.1 unx        0 bx stor 18-Jun-14 05:13 /tmp/
-rw-r--r--  2.1 unx        5 bX defN 18-Jun-14 05:13 /tmp/file.txt
2 files, 5 bytes uncompressed, 7 bytes compressed:  -40.0%
```

```ruby
require 'zip'

Zip::File.open("./absolutepath.zip") do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    # entry.extract(File.join(test_path, entry.name))
    entry.extract(entry.name)
  end
end
```

I think that if the destination directory is not specified, it should be expanded into the current directory.
What do you think about this?
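As an added example, not code from this issue or from rubyzip itself: an application-side check that resolves every entry name against an explicit destination directory and refuses the two bypasses reported above (absolute entry names such as `/tmp/file.txt`, and an entry such as `path/file.txt` whose parent is a symlink already sitting in the destination) as well as `..` components. It also takes the point of the comment above as its contract: extraction is always anchored to a caller-supplied base directory, never to the raw entry name. The functions `safe_extract_path`, `check_entries` and `demo_from_issue` are names chosen here; the check is pure Ruby (no zip gem needed), and the entry lists in the demo are constructed from the `zipinfo` output and the `unzip` listing in this issue rather than read from the real archives.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Raised for an entry name that must not be written under the destination.
class UnsafeEntryError < StandardError; end

# Returns the absolute path under +dest_dir+ at which +entry_name+ may be
# written, or raises UnsafeEntryError. Three checks cover the two bypasses in
# this issue plus the classic "../" case:
#   1. absolute entry names ("/tmp/file.txt") are rejected outright;
#   2. any ".." component is rejected, and the lexically normalised target
#      must still lie inside dest_dir;
#   3. every path component from dest_dir down to the target that already
#      exists on disk must not be a symlink, so a link such as
#      "path -> ../../../../../tmp" cannot redirect "path/file.txt".
# Assumes Unix path semantics ("/" separator); entry names are constructed
# inputs in the demo below.
def safe_extract_path(dest_dir, entry_name)
  base = Pathname.new(dest_dir).expand_path
  name = Pathname.new(entry_name)
  raise UnsafeEntryError, "absolute entry name: #{entry_name}" if name.absolute?
  if name.each_filename.include?('..')
    raise UnsafeEntryError, "parent-directory component in: #{entry_name}"
  end

  # cleanpath is purely lexical: it never consults the filesystem.
  target = (base + name).cleanpath
  unless target.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise UnsafeEntryError, "entry resolves outside destination: #{entry_name}"
  end

  # Walk base/a, base/a/b, ..., base/a/b/c; an existing symlink anywhere on
  # that chain means a write to +target+ would land somewhere else.
  target.relative_path_from(base).descend do |rel|
    candidate = base + rel
    if File.symlink?(candidate.to_s)
      raise UnsafeEntryError, "symlink on extraction path: #{candidate}"
    end
  end
  target.to_s
end

# Classifies each entry name against +dest_dir+ without writing anything:
# { name => [:ok, resolved_path] } or { name => [:rejected, reason] }.
def check_entries(dest_dir, entry_names)
  entry_names.each_with_object({}) do |name, result|
    begin
      result[name] = [:ok, safe_extract_path(dest_dir, name)]
    rescue UnsafeEntryError => e
      result[name] = [:rejected, e.message]
    end
  end
end

# Replays the issue's two archives as constructed entry-name lists inside a
# temporary destination that already contains the symlink from symlink.zip.
def demo_from_issue
  Dir.mktmpdir('rubyzip-check') do |dir|
    # The link unzip created from symlink.zip (constructed here, not extracted).
    FileUtils.ln_s('../../../../../tmp', File.join(dir, 'path'))
    entries = ['/tmp/', '/tmp/file.txt',   # absolutepath.zip
               'path/file.txt',            # symlink.zip, with the link present
               'docs/readme.txt']          # an ordinary entry that is accepted
    check_entries(dir, entries)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_from_issue.each do |name, (verdict, detail)|
    puts "#{verdict.to_s.ljust(8)} #{name} -> #{detail}"
  end
end
```

Run as a script it prints one verdict per entry: the two `/tmp/...` names and `path/file.txt` are rejected with the reason, and `docs/readme.txt` resolves to a path under the temporary directory. The commit references later in this thread state that rubyzip 1.2.2 carries the fix for CVE-2018-1000544; a check like this on the application side is independent of which rubyzip version is installed and fails closed when an archive tries either trick.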

walro added a commit to walro/extensionator that referenced this issue Sep 3, 2018

Update rubyzip dependency
rubyzip 1.2.2 includes the fix for CVE-2018-1000544: rubyzip/rubyzip#369

tdg5 added a commit to Zensight/extensionator that referenced this issue Sep 4, 2018

Update rubyzip dependency (#8)
* Update rubyzip dependency

rubyzip 1.2.2 includes the fix for CVE-2018-1000544: rubyzip/rubyzip#369

* Update Gemfile.lock to be consistent with the gemspec

shtakai added a commit to shtakai/rspec-retrospective that referenced this issue Sep 4, 2018

Upgrade ffi gem
I am not sure what `bundle audit` said about `rubyzip`,
but `github` alerted about `ffi`.

So that I did
`bundle update ffi --conservative`.

```
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
```

waterjump pushed a commit to mes/axlsx that referenced this issue Sep 7, 2018

Sean
Address security vulnerability in rubyzip dependency
The rubyzip gem version 1.2.1 contains a security vulnerability allowing
absolute path traversal.  More details can be found here:

rubyzip/rubyzip#369

This change addresses the issue by specifying a rubyzip version greater
than or equal to 1.2.2.

Solves issue randym#599

AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018

Update gems with security vulnerabilities
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018

Update gems with security vulnerabilities (#91)
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

rimenes added a commit to rimenes/droptune that referenced this issue Oct 23, 2018

Gem security updates.
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

wmfgerrit pushed a commit to wikimedia/mediawiki-vagrant that referenced this issue Nov 27, 2018

Update ffi and rubyzip gems
From bundle-audit:

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

Upgrade:

| ffi     | 1.9.18 -> 1.9.25
| rubyzip | 1.2.1 -> 1.2.2

Bug: T209940
Change-Id: I3da41a964ff1128a4cbba3c05976cfcfca2d731f

Koronen added a commit to Koronen/koronen.github.io that referenced this issue Jan 22, 2019

Bump gems
Address a couple of CVEs (as reported by `bundler-audit`).

    Name: ffi
    Version: 1.9.23
    Advisory: CVE-2018-1000201
    Criticality: High
    URL: https://github.com/ffi/ffi/releases/tag/1.9.24
    Title: ruby-ffi DDL loading issue on Windows OS
    Solution: upgrade to >= 1.9.24

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: rubyzip
    Version: 1.2.1
    Advisory: CVE-2018-1000544
    Criticality: Unknown
    URL: rubyzip/rubyzip#369
    Title: Directory Traversal in rubyzip
    Solution: upgrade to >= 1.2.2