This blog post was inspired by https://www.youtube.com/watch?v=Ry_yb5Oipq0 (Critical .zip vulnerabilities? - Zip Slip and ZipperDown)
(Image source: https://media.makeameme.org/created/zip-it.jpg)
I stumbled upon this video while looking for new security tutorial videos on YouTube. It got my attention because I had not heard of any vulnerability associated with a ZIP file before, so I went on to watch the video, and it blew my mind.
It turns out there is a malicious way to craft a zip file so that it causes a directory traversal attack, and what makes it more interesting is that this vulnerability affects multiple libraries and programming languages.
Background:
To get to the bottom of this and understand the attack better, I downloaded the technical white paper and read it thoroughly-ish.... (whitepaper link). The "Zipslip" vulnerability was originally discovered and responsibly disclosed by the Snyk Security team on 5th June 2018, and it was described as follows:
https://github.com/sleepyowl-beep/android_security/blob/master/ZipSlip.zip
"Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside."
So what capabilities does an attacker have with this vulnerability?
- Overwrite an executable file
- Invoke the executable file, thus launching RCE (Remote Code Execution) on the victim's machine
At this point, I was wondering how this vulnerability could be exploited in the Android environment. So in this blog post, I will try to recreate the vulnerability in an Android application and show how you, as a developer, can secure against this attack.
Creating a Vulnerable Application:
For the purpose of the demonstration, I'm gonna create an application that has several functionalities on it:
- SharedPreferences functionality to store a "secret" in it
- An extract-zip function programmed to look for an "update.zip" file in the external storage directory; this function contains a vulnerable piece of code that triggers the "Zipslip" vulnerability and allows us to overwrite the "secret" file
We start by defining some UI components for the app: I create two EditText fields, one for the name and one for the secret; the last three are just buttons that invoke the shared preferences and zip functionality. We also initialize SharedPreferences with the name "data" and set the mode to private, which means the app is the only one that can interact with this file.
I don't care about the UI; I'm just going to make it as simple as possible.
Next, we define our buttons to have listeners like this:
The save button takes the input from the name and secret EditText components and maps it to the "name" and "secret" keys before saving. The update button calls a vulnerable function called "extractzipfile"; this function extracts a zip file called update.zip located in /storage/emulated/0/.
Inside the function, I separated the code into 4 components:
1st: initialization of the File object and the ZipFile object. The variable "dstdir" holds the parent folder of the file we want to extract, and this is used as the destination path for the extracted files.
2nd: pretty straightforward. Inside the zip file there are multiple files, and we iterate over this list by assigning it to an Enumeration object.
3rd: gets the entry name of each file inside the zip file and creates a new directory to store this file.
4th: copies the content of the file and saves it to the new directory that was just created.
Exploit:
Now that the code is ready, let's install the app on an Android device. You can use a real device or an emulator (for this post I'll use an emulator). When you fill in the input and press the save button, you should see a data.xml saved inside the shared_prefs folder in the application directory. Make sure you grant the application permission if you use a newer Android device, like this:
Now, to create the exploit, you have to create a zip file containing a file whose name starts with "../../../../../". Those of you with web security experience should be familiar with this payload from LFI attacks. Basically what we do here is move back several directory levels until we hit the root directory, then append the path of the file we want to overwrite to this payload.
In this case it is going to be like this: "../../../../../../../../data/data/com/williams.zipslip.shared_prefs/data.xml"
To do this I need to do several preparations:
1. Forge the file "data.xml" with the content I want. Make sure you back up the original file before doing this, because we want to restore it later.
2. After editing the file, create the zip using this command:
~# zip /storage/emulated/0/update.zip ../../../../../../../../data/data/com/williams.zipslip.shared_prefs/data.xml
3. Once it's done, revert the modified file to its original value.
Run the application again, click the update button, and you will see that data.xml is replaced with the rogue data.xml we created earlier.
Cool, right?! So we just hijacked the application's internal file using the "Zipslip" vulnerability.
If we debug the application and look at the application's registers, you can see something interesting like this:
Since there is no input sanitization, we were able to append the payload to the destination folder, which leads to overwriting the data.xml file.
Securing the application:
Now that we know how to launch the exploit, let's try to secure the application. Luckily it does not require a lot of additional code, like this:
We update the secure_update button to call the secure_extractzipfile() function, which behaves like the extractzipfile() function but with an additional security check.
Using the getCanonicalPath() function, we resolve the entry's file name and check whether it still points inside the destination folder, which catches suspicious characters such as "../" in the file name. Run the application one more time, and when you try to extract the zip file again it will show an error like this:
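As an added example (this is not the post's own code, and the class and method names here are my own), the vulnerable extractor in the shape the post describes, side by side with the getCanonicalPath() check that secures it:

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class ZipExtract {

    // Vulnerable form: the entry name is joined to dstDir without any check, so an
    // entry such as "../../../../data/data/<pkg>/shared_prefs/data.xml" escapes dstDir.
    public static void extractZipFile(File zip, File dstDir) throws IOException {
        try (ZipFile zipFile = new ZipFile(zip)) {
            Enumeration<? extends ZipEntry> entries = zipFile.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                File out = new File(dstDir, entry.getName());
                if (entry.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                copy(zipFile.getInputStream(entry), out);
            }
        }
    }

    // Hardened form: canonicalise both paths (this resolves ".." and symlinks) and
    // refuse any entry that does not stay under dstDir. The trailing separator on
    // root stops "/sdcard/app-evil" from passing as inside "/sdcard/app".
    public static void secureExtractZipFile(File zip, File dstDir) throws IOException {
        String root = dstDir.getCanonicalPath() + File.separator;
        try (ZipFile zipFile = new ZipFile(zip)) {
            Enumeration<? extends ZipEntry> entries = zipFile.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                File out = new File(dstDir, entry.getName());
                if (!out.getCanonicalPath().startsWith(root)) {
                    throw new IOException("Zip Slip: entry escapes destination: " + entry.getName());
                }
                if (entry.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                copy(zipFile.getInputStream(entry), out);
            }
        }
    }

    private static void copy(InputStream in, File out) throws IOException {
        try (InputStream i = in; OutputStream o = new FileOutputStream(out)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = i.read(buf)) != -1) o.write(buf, 0, n);
        }
    }
}
```

The check runs before any directory is created or any byte is written, so a malicious entry aborts the whole extraction instead of leaving a partially written file behind.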
Recap:
In this post we looked at a zip vulnerability that could occur in the Android environment and how an adversary could use this opportunity to attack your application. However, you should note that this attack is only possible because the zip file is stored in an external storage directory that every application on the device can read and write. This means that in order to successfully exploit this vulnerability on Android, the attacker needs some other condition to support the exploit.
I hope you enjoyed this material. I'll see you in the next post.