Last active
January 5, 2022 14:04
Revisions
snoopysecurity revised this gist
Jan 5, 2022 . 1 changed file with 1 addition and 6 deletions.
@@ -41,14 +41,9 @@ async fn main() { })); } for handle in handles { handle.await.unwrap(); } } ``` -
snoopysecurity revised this gist
Jan 4, 2022 . 1 changed file with 2 additions and 0 deletions.
@@ -2,6 +2,8 @@ [rs-async-zip](https://github.com/Majored/rs-async-zip) is a asynchronous ZIP archive reading/writing crate with a heavy focus on streaming support. This package is vulnerable to Zip Traversal (Zip Slip). **Note:** This issue was privately disclosed to the maintainer. He has stated that he has made conscious decision not to mitigate any sort of traversal attacks within the library itself. He has however added a notice to to the example code https://github.com/Majored/rs-async-zip/commit/08587b8933f80f8a70b4e313313f2fffc22c983a ZIP Traversal Attacks is a form of a Directory Traversal that can be exploited by extracting files from an archive. More about this type of vulnerability can be read about here: [https://snyk.io/research/zip-slip-vulnerability](https://snyk.io/research/zip-slip-vulnerability) ### PoC/Steps to Reproduce -
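Review bot: The added **Note:** paragraph says the maintainer will not mitigate traversal inside the library, but it stops short of telling readers what that means for them. Since the introduction still reads "This package is vulnerable to Zip Traversal (Zip Slip)", add a sentence stating that callers are responsible for validating each entry name before joining it onto the output directory (reject absolute paths and any `..` component). Two wording fixes in the same paragraph: "made conscious decision" is missing "a", and "a notice to to the example code" has a doubled "to".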
snoopysecurity created this gist
Jan 4, 2022 .
@@ -0,0 +1,52 @@ ### Introduction [rs-async-zip](https://github.com/Majored/rs-async-zip) is a asynchronous ZIP archive reading/writing crate with a heavy focus on streaming support. This package is vulnerable to Zip Traversal (Zip Slip). ZIP Traversal Attacks is a form of a Directory Traversal that can be exploited by extracting files from an archive. More about this type of vulnerability can be read about here: [https://snyk.io/research/zip-slip-vulnerability](https://snyk.io/research/zip-slip-vulnerability) ### PoC/Steps to Reproduce 1) Download the Zip file which contains a file called ../../../../../../../tmp/test.txt (Download link: https://github.com/snoopysecurity/Public/blob/master/payloads/shell.zip) 2) Run the below code and provide the path to shell.zip ``` use std::path::Path; use std::sync::Arc; use async_zip::read::fs::ZipFileReader; use tokio::fs::File; #[tokio::main] async fn main() { let zip = Arc::new(ZipFileReader::new("/home/snoopy/shell.zip").await.unwrap()); println!("Extracting Archive"); let mut handles = Vec::with_capacity(zip.entries().len()); for (index, entry) in zip.entries().iter().enumerate() { if entry.dir() { continue; } let local_zip = zip.clone(); handles.push(tokio::spawn(async move { let reader = local_zip.entry_reader(index).await.unwrap(); let path_str = format!("./output/{}", reader.entry().name()); let path = Path::new(&path_str); tokio::fs::create_dir_all(path.parent().unwrap()).await.unwrap(); let mut output = File::create(path).await.unwrap(); reader.copy_to_end_crc(&mut output, 65536).await.unwrap(); })); } for handle in handles { handle.await.unwrap(); } } ```
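Review bot: The write-up never points at the line that makes the extraction unsafe, and the reproduction steps end at step 2 without stating the expected result. Call out `let path_str = format!("./output/{}", reader.entry().name());` as the sink: the entry name is joined onto `./output/` with no check for `..` components or absolute paths, so the entry named `../../../../../../../tmp/test.txt` resolves outside the output directory. Add a step 3 describing what the reader should observe after the run. Step 2 also says to "provide the path to shell.zip" while the code hardcodes `"/home/snoopy/shell.zip"`, so either read the path from the command line or tell the reader to edit the literal. The crate version tested is not given, and the code fence has no language tag.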