You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
, it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite and other situations.
Proof of Concept
I use a maven project import the utility in pom.xml.
Use the following zip() method to create a zip file from a txt file, and the name of the compressed file will be renamed to "....\a\b\c\poc.txt". (You should create this path firstly)
Then call the Zips.unzip() method, originally intended to unzip the file to "D:\project\TestProject\ICFuzzTest\testData\unzip", but it will eventually be extracted to its another directory "D:\project\TestProject\ICFuzzTest\a\b\c\poc.txt".
This may cause the original file to be overwritten by a high-risk file.
I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:
Description
In the method "unzip" (line 111) of the file
hawtio/hawtio-util/src/main/java/io/hawt/util/Zips.java
Line 111 in 268bca2
Proof of Concept
I use a maven project import the utility in pom.xml.
Use the following zip() method to create a zip file from a txt file, and the name of the compressed file will be renamed to "....\a\b\c\poc.txt". (You should create this path firstly)
Then call the Zips.unzip() method, originally intended to unzip the file to "D:\project\TestProject\ICFuzzTest\testData\unzip", but it will eventually be extracted to its another directory "D:\project\TestProject\ICFuzzTest\a\b\c\poc.txt".
This may cause the original file to be overwritten by a high-risk file.
The following is the constructed zip file:
https://github.com/Zlase0820/VulnData/blob/main/src.main/data/poc.zip
Suggestion
I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:
https://github.com/apache/druid/blob/master/processing/src/main/java/org/apache/druid/utils/CompressionUtils.java#L242
He has the same error,and fixed in CVE-2023-27603.
The text was updated successfully, but these errors were encountered: