Path traversal bugs in archive formats

Malware has shown up which takes advantage of a path traversal bug in the WinRAR archiving utility. The bug, which reportedly existed for 19 years, is fixed in the latest version. The problem stems from an old, buggy DLL which WinRAR used. It allowed the expansion of an archive with a file that would be extracted to an absolute path rather than the destination folder. In this case, the path was the system startup folder. The next time the computer was rebooted, it would run the malware file.

Path traversal bugs turn up more often than we’d like in archival utilities. A safe utility should expand only into the destination folder. It has to reject paths that start with “../” or ones that specify an absolute path. Sometimes developers forget. The Zip Slip vulnerability, reported in June 2018, was described as “a bit of bad programming that’s been repeated over and over and over again, in lots of different projects.” There’s a GitHub page dedicated to tracking software that has the Zip Slip problem. I think the WinRAR bug qualifies as a Zip Slip issue. It’s unusual mostly in that there’s an active malware campaign taking advantage of it.

This kind of exploit might sneak past people who are normally careful. They’ll think it must be safe to open an archive, as long as they’re careful about what they do with the expanded files. They don’t expect that the mere act of opening the archive will infect their computers.

There are two lessons to learn here.

  • To anyone writing an archive utility: Please be sure to sanitize expansion paths or otherwise make sure nothing can expand to a location outside the destination folder. Using a well-tested library is generally safer than writing your own code.
  • To anyone getting an archive file from a suspicious source: If in doubt, don’t open it.

Perhaps I should add one more. Malware checkers should examine ZIP, GZIP, and other archive files for paths that try to escape their confines. I don’t know how many of them do.

Comments are closed.