Skip to main content

Zip IT! Study Case of Android ZipSlip Vulnerability (day 92) ~(˘▾˘~)

This blog post was inspired by https://www.youtube.com/watch?v=Ry_yb5Oipq0 (Critical .zip vulnerabilities? - Zip Slip and ZipperDown)


I stumbled this video when I was looking for a new tutorial video of security on youtube. It got my attention since I haven't heard any vulnerabilities that associated with a ZIP file, I proceed to watch the video and it blows my mind.

It turns out there is a malicious "way" that you can do to craft a zip file so it can cause directory traversal attack and what makes more interesting is that this vulnerability affect multiple libraries and programming language

Background:

I get to the bottom of this to get more understanding of the attack so I download the technical white paper and start reading it thoroughly-ish....(whitepaper link). Originally "Zipslip" vulnerability was discovered and responsibly disclosed by the Snyk Security team on 5th June 2018, it was described as follow: https://github.com/sleepyowl-beep/android_security/blob/master/ZipSlip.zip
"Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. "
 So what is the capability that the attacker has with this vulnerability:
  1. Overwrite executable file
  2. Invoke the executable file thus launching RCE(Remote Code Execution Attack) on the victim's machine 
Pretty scary huh?! Bad news for the developer but good news for us :)

At this point, I was thinking about how this vulnerability can be implemented in the android environment. So in this blog post, I will try to recreate the vulnerability in android application and how can you as a developer secure against this attack.

Creating a Vulnerable Application:

For the purpose of the demonstration, I'm gonna create an application that has several functionalities on it

  1. SharedPreferences functionality to store a "secret" in it
  2. An Extract zip function that programmed to look for "update.zip" file in the external storage directory this function will contain a vulnerable piece of code that triggers "Zipslip" vulnerability that allows us to overwrite the "secret" file
Full code:



we start by defining some UI components for the app: I create 2 EdiText which is for name and secret, The last three is just button that will invoke shared preferences and zip functionality. We also initialized Shared Preferences with the name "data" and set the MODE to be private so this means that the app is the only who can interact with this file

I don't care about the UI, I'm just going to make it as simple as possible


Next, we define our button to have a listener like this:



the save button will take the input from the name and secret edit text UI components and mapped it to "name" and "secret" key before it saved. Whereas the update button will call a vulnerable function called "extractzipfile" this function will extract a zip file called update.zip located in /storage/emulated/0/



Inside the function, I separated the code into 4 components:

1st is basically just initialization for file object and Zipfile object, the variable "dstdir" will hold the parent folder of the file that we want to extract this will be used as the destination path to our extracted file.

2nd is pretty straightforward inside the zip file there will be multiple files that are saved inside we like to iterate this list file by assigning it to enumeration object

3rd is responsible to get the entry name on each file inside the zip file and create a new directory to store this file.

4th is responsible to copy the content of the file and save it to a new directory that just created earlier.

Exploit:

Now as we ready with the code lets try to install the app to the android device you can use a real device or emulator(for this post I'll use an emulator). when you execute the save button and fill the input you should see a data.xml saved inside the shared preferences folder inside the application directory.



make sure you granted the application permission if you use a newer android device, like this:


now to create the exploit you have to create a zip file that contains a file that name starts with "../../../../../" to all of you who have experienced with web security you should be familiar with this payload when you do LFI attack. Basically what we do here is to move back several times until it hits the root directory and append this payload with the path of the file you want to overwrite.

In this case it is going to be like this: "../../../../../../../../data/data/com/williams.zipslip.shared_prefs/data.xml"

to do this I need to do several preparations:

1. I need to forge the file "data.xml" to have content that I want and make sure you do this you back up the original file because we want it to restore it again

2. After editing the file, I create the zip using this command:

~# zip /storage/emulated/0/update.zip ../../../../../../../../data/data/com/williams.zipslip.shared_prefs/data.xml

3. once it's done revert the modified file to its original value.

run the application again and try to click the update button and you will see that the data.xml is replaced with a rogue data.xml that we just created earlier



cool, right?! so we just hijacked the application internal file using "Zipslip" vulnerability

if we try to debug the application and look at the application register you can see something interesting like this:



since there is no input sanitization we were able to append the destination folder with the payload that leads to overwriting the data.xml file

Securing the application:

Now that we know how to launch the exploit lets try to secure the application, luckily it does not require a lot of additional code, like this:



we update the secure_update button to called the secure_extractzipfile() function that behaves like extractzipfile() function but with additional security check



using getCanonicalPath() function we can use this to check if there is any suspicious character in the file name. Run the application one more time and when you try to extract the zip file again it will show error like this:


Recap:

In this post we are looking at zip vulnerability that could occur in the android environment and how an adversary could use this opportunity to attack your application. However, you should notice that this attack is capable to execute because the zip file is store in an external storage directory enable to write and read by all the applications in the device. This would indicate that in order to successfully exploit this vulnerability in android the attacker needs to have some other condition to support this exploit.

I hope you enjoy this material I'll see you in the next post.


Comments

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi