We recently discovered that the patch for the historical vulnerability CVE-2018-1002201 in zt-zip is incomplete.
zt-zip added the following checks to restrict arbitrary malicious file creation and writing:
+ if (name.indexOf("..") != -1 && !destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+ throw new MaliciousZipException(outputDir, name);
+ }
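Review bot: the `&&` on the first `+` line means the canonical-path comparison only runs when the entry name contains `..`, and `String.startsWith` on the result of `getCanonicalPath()` is a character-prefix test, not a path-component test. Run the containment check for every entry unconditionally, and compare canonical paths with `Path.startsWith` on the canonical files, which is the form the Tomcat CVE-2021-25329 change below switched to.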
However, an attacker could craft a malicious archive that bypasses this patch. For security reasons, we are not providing the specific exploit here. As a reference, a similar incomplete fix occurred in Tomcat: the fix for CVE-2020-9484 used the same kind of check, and CVE-2021-25329 exposed the shortcomings of that fix.
- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
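Review bot: `Path.startsWith` compares whole path elements, whereas the removed `String.startsWith` line only tested a character prefix of the canonical path string, so the `+` line is the stronger containment test. The zt-zip check above should adopt this same form, still applied to every entry rather than only those whose name contains `..`.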
Problem Statement
The patch for CVE-2020-9484: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b#diff-d2801d6b9c9ff6f98a6871accb7e61499ed3899f5234028997387ad65906e5e7
The patch for CVE-2021-25329: https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4
Recommended Fix: PR https://github.com/zeroturnaround/zt-zip/pull/158
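A hardened form of the containment check, as an added example that is neither zt-zip's code nor the pull request's; it follows the shape of the Tomcat CVE-2021-25329 fix referenced above (canonicalize both sides, compare with `Path.startsWith`, check every entry). The class name `SafeEntryResolver` and the exception name `MaliciousEntryException` are this example's own, and it only resolves the target path without writing any file.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not zt-zip's code. Resolves a zip entry name against the
// extraction directory and rejects any entry that would land outside it.
public final class SafeEntryResolver {

    // Exception name is this example's own (zt-zip uses MaliciousZipException).
    public static final class MaliciousEntryException extends IOException {
        public MaliciousEntryException(File outputDir, String name) {
            super("Entry '" + name + "' would resolve outside " + outputDir);
        }
    }

    // Returns the canonical target for entryName, or throws if it escapes outputDir.
    public static File resolve(File outputDir, String entryName) throws IOException {
        // Canonicalize both sides so symlinks and "." / ".." segments are resolved
        // before the comparison; getCanonicalFile() works for not-yet-existing files.
        Path root = outputDir.getCanonicalFile().toPath();
        Path target = new File(outputDir, entryName).getCanonicalFile().toPath();
        // Path.startsWith compares whole path elements, unlike String.startsWith,
        // and is applied to every entry, not only names containing "..".
        if (!target.startsWith(root)) {
            throw new MaliciousEntryException(outputDir, entryName);
        }
        return target.toFile();
    }

    public static void main(String[] args) throws IOException {
        File out = Files.createTempDirectory("zt-demo").toFile();
        // A well-formed relative entry is accepted and stays under the temp directory.
        System.out.println("accepted: " + resolve(out, "docs/readme.txt"));
        // Constructed entry names that climb out of the directory are rejected.
        for (String name : new String[] {"../escape.txt", "docs/../../escape.txt"}) {
            try {
                resolve(out, name);
            } catch (MaliciousEntryException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```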