Emerging Zip Slip Vulnerability Enables Attackers to Manipulate ZIP Files During Decompression

A newly identified variant of the Zip Slip vulnerability has surfaced, allowing cybercriminals to exploit path traversal flaws in widely used decompression utilities. By crafting malicious archives with specially constructed file names containing relative paths, attackers can manipulate the extraction process to write files outside the intended directories, potentially overwriting critical system or application binaries.

Understanding the Zip Slip Vulnerability

Zip Slip is a security flaw that arises when decompression tools fail to properly validate file paths within archive files. This oversight enables attackers to create archives with file entries that, upon extraction, traverse directories and place files in unintended locations. Such manipulations can lead to unauthorized file creation or modification, posing significant risks to system integrity and security.

Mechanism of the Exploit

In this latest variant, attackers embed file names with relative path sequences (e.g., `../../`) into ZIP archives. When these archives are extracted using vulnerable decompression utilities, the embedded paths are processed without adequate sanitization, resulting in files being written to arbitrary locations on the file system. This technique can be exploited to overwrite essential system files, inject malicious scripts, or establish persistent backdoors.

Real-World Exploitation

Initial detections of this exploit occurred during internal penetration tests. However, more sophisticated attacks have been attributed to the RomCom Advanced Persistent Threat (APT) group, which has demonstrated the use of this vulnerability in live enterprise environments. In one notable instance, a compromised email attachment delivered a ZIP archive that, when extracted with an outdated decompression tool, silently replaced a legitimate startup script, thereby granting the attacker persistent access to the system.

Technical Details

Analysis by ASEC analysts revealed that this variant leverages the general-purpose bit flag in the ZIP header to encode path separators that evade detection by signature-based scanners. Specifically, the filename field within the archive contains path segments separated by percent-encoded slashes, which are decoded only during file creation. This method effectively bypasses traditional security measures that rely on static signature detection.
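The following Python scanner is an added example, not code from the article or from ASEC, showing how a defender can triage archive entry names before extraction. It flags the shapes described above (`../` segments, percent-encoded separators that would only become real separators at file-creation time) together with absolute paths, backslash separators, drive-letter prefixes and NTFS alternate data stream syntax. The sample archive it scans is constructed inline and is not a real-world artefact.

```python
from __future__ import annotations

import io
import re
import zipfile
from urllib.parse import unquote

# Percent-encoded "/" (%2F) and "\" (%5C); matched case-insensitively.
_PERCENT_SEP = re.compile(r"%2f|%5c", re.IGNORECASE)


def entry_findings(name: str) -> list[str]:
    """Return the reasons an archive entry name looks like a path-traversal attempt.

    An empty list means the name can be placed under a target directory as-is.
    The checks run on the name both as stored and as it would look after the
    decoding a careless extractor might apply (percent-decoding, "\\" -> "/").
    """
    findings: list[str] = []
    if _PERCENT_SEP.search(name):
        findings.append("percent-encoded path separator")
    decoded = unquote(name).replace("\\", "/")
    if "\\" in name:
        findings.append("backslash separator")
    if decoded.startswith("/"):
        findings.append("absolute path")
    rest = decoded
    if re.match(r"^[A-Za-z]:", decoded):
        findings.append("drive letter prefix")
        rest = decoded[2:]
    if ":" in rest:
        findings.append("NTFS alternate data stream syntax")
    if ".." in decoded.split("/"):
        findings.append("parent-directory segment")
    if "\x00" in name:
        findings.append("embedded NUL")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every entry of an in-memory ZIP; map each suspicious name to its findings."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            found = entry_findings(info.filename)
            if found:
                report[info.filename] = found
    return report


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry plus entries shaped like the
    traversal styles discussed in the article. Contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../etc/evil.sh", "placeholder")
        zf.writestr("..%2f..%2fetc%2fevil.sh", "placeholder")
        zf.writestr("/etc/evil.sh", "placeholder")
        zf.writestr("notes.txt:hidden", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip(build_sample_archive()).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

Because the scanner looks at both the stored name and its decoded form, an entry written as `..%2f..%2f` is reported for the encoded separators and for the `..` segments it turns into. A scan like this belongs at the mail gateway or upload handler, in front of whatever utility eventually extracts the file.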

Vulnerable Software and CVEs

Several decompression utilities have been identified as vulnerable to this exploit, including:

– WinRAR: Versions prior to 7.13 are affected by CVE-2025-8088, which allows bypassing path validation via Alternate Data Stream traversal.

– WinRAR: Versions before 7.12 are susceptible to CVE-2025-6218, a remote code execution flaw that sidesteps relative path filters when spaces are used.

– RARLAB Unrar: Versions before 6.12 are impacted by CVE-2022-30333, enabling attackers to overwrite SSH `authorized_keys` files through path traversal.

– WinRAR: Versions prior to 5.61 are vulnerable to CVE-2018-20250, which exploits ACE format extraction to bypass filtering logic in `UNACEV2.dll`.

Implications for System Security

The exploitation of this vulnerability can have severe consequences, including:

– Unauthorized Access: Attackers can implant backdoors, allowing persistent access to compromised systems.

– Privilege Escalation: By overwriting system binaries or scripts, attackers can escalate their privileges, gaining higher levels of control over the system.

– Data Integrity Compromise: Critical files may be modified or replaced, leading to data corruption or loss.

Mitigation Strategies

To protect against this vulnerability, it is essential to implement the following measures:

1. Update Decompression Utilities: Ensure that all decompression tools are updated to the latest versions that include patches for known vulnerabilities.

2. Employ Decompression Libraries with Path Traversal Checks: Utilize decompression libraries that have built-in mechanisms to detect and prevent path traversal attempts.

3. Enforce Extraction within Sandboxed Environments: Perform file extraction operations within controlled environments to limit potential damage from malicious archives.

4. Implement Strict Directory Validation: Configure decompression tools to enforce strict validation of file paths during extraction, preventing files from being written outside designated directories.

5. Educate Users: Train users to recognize and avoid opening archives from untrusted sources, reducing the risk of inadvertent exploitation.
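The Python below is an added example, not code from the article or from any of the products it names, illustrating the exploit mechanism from the "Mechanism of the Exploit" section beside the library-level checks that items 2 and 4 above call for. `naive_target` only computes (and never writes) where a vulnerable extractor would place an entry; `safe_target` resolves each entry under the destination and refuses anything that escapes it, and `safe_extract` validates every entry before writing a single byte, so a bad archive is rejected as a whole. The archives and the destination directory are constructed inline.

```python
from __future__ import annotations

import io
import pathlib
import posixpath
import stat
import tempfile
import zipfile


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive entry would land outside the destination directory."""


def naive_target(dest: str, entry_name: str) -> str:
    """What a vulnerable extractor does: join the entry name onto the destination
    with no validation. Returned here, not written, to show where the file would go."""
    return posixpath.normpath(posixpath.join(dest, entry_name))


def safe_target(dest: str, entry_name: str) -> pathlib.Path:
    """Resolve entry_name under dest and refuse anything that escapes it.

    Absolute names, drive prefixes and '..' segments all resolve to a path that
    is not inside dest, so a single containment check after resolve() covers them.
    """
    base = pathlib.Path(dest).resolve()
    candidate = (base / entry_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafeArchiveEntry(f"{entry_name!r} resolves to {candidate}, outside {base}")
    return candidate


def entry_is_contained(dest: str, entry_name: str) -> bool:
    """Convenience predicate around safe_target for callers that just want yes/no."""
    try:
        safe_target(dest, entry_name)
        return True
    except UnsafeArchiveEntry:
        return False


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Fail-closed extraction: validate every entry first, then write.
    Symbolic-link entries are rejected too, since a link written early could
    redirect later writes. Returns the relative paths written (POSIX form)."""
    base = pathlib.Path(dest).resolve()
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        planned = []
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchiveEntry(f"{info.filename!r} is a symbolic link")
            planned.append((info, safe_target(dest, info.filename)))
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(base).as_posix())
    return written


def build_benign_archive() -> bytes:
    """Constructed sample: two ordinary relative entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.yml", "debug: false\n")
        zf.writestr("app/bin/run.sh", "#!/bin/sh\necho ok\n")
    return buf.getvalue()


def build_traversal_archive() -> bytes:
    """Constructed sample: a benign entry followed by one named with '../'
    segments, the shape the article describes. The content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/notes.txt", "placeholder\n")
        zf.writestr("../../startup.sh", "placeholder\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract both archives into a fresh temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        benign = safe_extract(build_benign_archive(), dest)
        try:
            safe_extract(build_traversal_archive(), dest)
            rejected = False
        except UnsafeArchiveEntry:
            rejected = True
        # Fail-closed: the traversal archive's benign entry was not written either.
        files_after = sorted(p.name for p in pathlib.Path(dest).rglob("*") if p.is_file())
    return {"benign": sorted(benign), "rejected": rejected, "files_after": files_after}


if __name__ == "__main__":
    print("naive extractor would write to:", naive_target("/srv/extract", "../../startup.sh"))
    print(demo())
```

The containment check is done on the fully resolved path rather than by string-matching for `..`, so percent-encoded or backslash-separated names that a lower layer might decode cannot slip past it: whatever form the name takes, either it resolves inside the destination or it is refused. Validating the whole archive before the first write is what stops a partially extracted archive from leaving a usable foothold when a later entry is the bad one.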

Conclusion

The emergence of this Zip Slip variant underscores the critical need for robust input validation and path sanitization in decompression utilities. By understanding the mechanics of this exploit and implementing comprehensive mitigation strategies, organizations can safeguard their systems against unauthorized file manipulation and maintain the integrity of their data.