Pedestrian Fisherman
Challenge Information
Project: apache-commons-compress
Type: delta
Harnesses: 16
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 4
Number of Teams with Scoring Patches: 3
Number of Teams with Scoring Bundles: 4
Total Points Scored for this Challenge: 33.012367391714264
What design decisions were considered for this challenge?
Final step on the zip slip ladder in commons-compress
Why this set of vulnerabilities?
This challenge models a single, new feature pull request.
Delta vs Full and why?
Isolated as a delta because the change would conflict with some of the other Expander vulnerabilities.
Challenge Harnesses
- ArchiverArFuzzer
- ArchiverArjFuzzer
- ArchiverCpioFuzzer
- ArchiverDumpFuzzer
- ArchiverTarStreamFuzzer
- ArchiverZipStreamFuzzer
- CompressorBZip2Fuzzer
- CompressorDeflate64Fuzzer
- CompressorGzipFuzzer
- CompressorLZ4Fuzzer
- CompressorSnappyFuzzer
- CompressorZFuzzer
- CompressSevenZFuzzer
- CompressTarFuzzer
- CompressZipFuzzer
- ExpanderFuzzer
Challenge Vulnerabilities
path traversal/zip slip via symlinks
Vulnerability Information
Author: Tim Allison
Harness: ExpanderFuzzer
CWE Classification: CWE-35 , CWE-22 , CWE-29
What functions and functionality is relevant?
The change targets the Expander and adds a new feature: handling symlink entries in zip files.
Why is this vulnerable?
The check that keeps written directories and files inside the target directory is not applied correctly to symlink entries: a symlink can point outside the target directory, and files subsequently written through it escape the target directory.
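The following is an added illustration, not code from commons-compress or from the challenge's pull request. It models an Expander-style extraction loop with a small record instead of ZipArchiveEntry (the entry model, the method names and the constructed two-entry archive are all assumptions made for the demo) and places a loop that checks only the entry name beside a hardened loop that validates where each symlink really points and where each write really lands. It assumes Java 17 or later on a POSIX file system where symlinks can be created without extra privileges.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/* Added example, not commons-compress code. Entry is a hypothetical stand-in for ZipArchiveEntry. */
public class SymlinkZipSlipDemo {

    /** Hypothetical minimal entry model: name, symlink flag, link target, file body. */
    record Entry(String name, boolean symlink, String linkTarget, byte[] body) {
        static Entry link(String name, String target) { return new Entry(name, true, target, null); }
        static Entry file(String name, String text) {
            return new Entry(name, false, null, text.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Constructed malicious archive: a link that climbs out of the target, then a file written through it. */
    static final List<Entry> MALICIOUS = List.of(
            Entry.link("out", ".."),
            Entry.file("out/pwned.txt", "escaped"));

    /** Vulnerable: only the entry's own name is checked; the link target and the real write path are not. */
    static void expandVulnerable(List<Entry> entries, Path target) throws IOException {
        Path root = target.toAbsolutePath().normalize();
        for (Entry e : entries) {
            Path dest = root.resolve(e.name()).normalize();
            if (!dest.startsWith(root)) {                       // lexical check, same as for plain files
                throw new IOException("Expanding " + e.name() + " would create file outside of " + root);
            }
            Files.createDirectories(dest.getParent());          // follows any symlink created by an earlier entry
            if (e.symlink()) {
                Files.createSymbolicLink(dest, Path.of(e.linkTarget())); // link target is never inspected
            } else {
                Files.write(dest, e.body());                     // write follows the link out of root
            }
        }
    }

    /** Hardened: every link target and every write is validated against the real path of the target dir. */
    static void expandHardened(List<Entry> entries, Path target) throws IOException {
        Path root = target.toAbsolutePath().normalize();
        Files.createDirectories(root);
        Path realRoot = root.toRealPath();
        for (Entry e : entries) {
            Path dest = root.resolve(e.name()).normalize();
            if (!dest.startsWith(root)) {
                throw new IOException("Expanding " + e.name() + " would create file outside of " + root);
            }
            Path parent = dest.getParent();
            // Check the deepest existing ancestor before creating anything, so an earlier symlink
            // cannot make createDirectories build directories outside root.
            Path existing = parent;
            while (!Files.exists(existing)) {
                existing = existing.getParent();
            }
            if (!existing.toRealPath().startsWith(realRoot)) {
                throw new IOException(e.name() + ": parent resolves outside of " + root);
            }
            Files.createDirectories(parent);
            Path realParent = parent.toRealPath();
            if (!realParent.startsWith(realRoot)) {
                throw new IOException(e.name() + ": parent resolves outside of " + root);
            }
            if (e.symlink()) {
                Path linkTarget = Path.of(e.linkTarget());
                if (linkTarget.isAbsolute()) {
                    throw new IOException(e.name() + ": absolute symlink target rejected");
                }
                // Resolve against the link's *real* parent, so a link chained through an earlier
                // link (e.g. "a" -> ".", then "a/l" -> "../x") is judged where it really points.
                Path resolved = realParent.resolve(linkTarget).normalize();
                if (!resolved.startsWith(realRoot)) {
                    throw new IOException(e.name() + ": symlink target " + e.linkTarget() + " escapes " + root);
                }
                Files.createSymbolicLink(dest, linkTarget);
            } else {
                if (Files.isSymbolicLink(dest)) {                // never write through a link left by the archive
                    throw new IOException(e.name() + ": refusing to overwrite a symlink");
                }
                Files.write(dest, e.body());
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path scratch = Files.createTempDirectory("zipslip");
        expandVulnerable(MALICIOUS, scratch.resolve("vuln"));
        System.out.println("vulnerable expander wrote beside its target dir: "
                + Files.exists(scratch.resolve("pwned.txt")));
        try {
            expandHardened(MALICIOUS, scratch.resolve("hardened"));
        } catch (IOException ex) {
            System.out.println("hardened expander rejected entry: " + ex.getMessage());
        }
    }
}
```

With the constructed archive, the vulnerable loop accepts both entries because `out` and `out/pwned.txt` are lexically inside the target directory, yet the file write follows `out -> ..` and lands next to the target directory rather than in it. The hardened loop rejects the first entry at the symlink target check; the ancestor and real-parent checks exist for the case where the escaping link is introduced indirectly, and the refusal to overwrite a symlink closes the remaining way of writing through a link the archive itself planted.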
Is this a replay and/or is inspired by anything?
Symlink zip slips are quite common across a number of libraries. For example:
https://security.snyk.io/vuln/SNYK-COCOAPODS-SSZIPARCHIVE-3225821
This description is helpful:
https://blog.pentesteracademy.com/from-zip-slip-to-system-takeover-8564433ea542
What makes it interesting?
This requires "reasoning" about symlinks and checking that writes through them do not escape the target directory. It is the most challenging step in the ladder of commons-compress zip slip challenges.
