I've seen lately some bugs that used the zip symlink technique. Can anyone explain how this vulnerability works and how attackers use it to exploit applications?

Thanks

Daniel

1 Answer

Symlinks are like shortcuts, so if you create a symlink pointing to /etc/passwd, when you open the symlink your OS will open /etc/passwd.

How does the attack work?

1) Create a symlink in your computer to /etc/passwd

e.g.: ln -s /etc/passwd ./symlink.jpg

2) Create a zip with the symlink

e.g.: zip --symlinks -r photos.zip ./symlink.jpg

3) Upload the photos.zip to the target server.

Let's say the server unzips the file in the following address: vulnerable.com/user/10000/images/

If you access vulnerable.com/user/10000/images/symlink.jpg you will see the server's /etc/passwd.

Why do you need the zip trick?

If you upload the symlink directly to the target, in this case, you will actually be uploading your own /etc/passwd, so you need the zip (with the --symlinks argument) to conserve the characteristics of your symlink.

Lucas NN
  • So, zip will only create symlinks if uncompressed with the -symlink option set? Sounds more like a feature than a vulnerability. But the outcome depend heavily on the context it is used in. – Dog eat cat world Nov 27 '14 at 08:49
  • @Dogeatcatworld No, it can be uncompressed without any special flag. – Lucas NN Nov 27 '14 at 16:55
  • Regarding uploading the symlink directly - what about locally broken symlinks? That wouldn't be broken on the target. – Bell Jun 02 '17 at 22:08
  • There is also a Python script to create .zip archives with arbitrary symlinks, so you don't need to make symlinks with 'ln' first: https://stackoverflow.com/a/65817451/6910868 – Maxim Masiutin Jan 21 '21 at 18:51
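As an added example (not part of the question, the answer or any linked script), here is the server-side check the answer implies is missing: scan each entry of an uploaded archive before extracting and refuse symlink entries and paths that escape the destination. It assumes the archive was produced on a Unix host, so the entry's mode bits sit in the upper 16 bits of `external_attr` (which is where `zip --symlinks` records the link). The sample archive is constructed in memory purely as test input.

```python
import io
import stat
import zipfile


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix-created archives keep st_mode in the high 16 bits of external_attr."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def unsafe_entries(data: bytes) -> list[str]:
    """Return one finding per entry that must not be extracted as-is."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if is_symlink_entry(info):
                # For a symlink entry the stored body is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append(f"{name}: symlink -> {target}")
            elif name.startswith(("/", "\\")) or ".." in parts:
                findings.append(f"{name}: path escapes extraction directory")
    return findings


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Reject the whole upload on any finding; otherwise extract and list names."""
    findings = unsafe_entries(data)
    if findings:
        raise ValueError("refusing archive: " + "; ".join(findings))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed test input: a normal file, a symlink entry shaped like the
    one in the answer (symlink.jpg -> /etc/passwd), and a '..' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff")
        link = zipfile.ZipInfo("symlink.jpg")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # flag entry as a symlink
        zf.writestr(link, "/etc/passwd")                    # body = link target
        zf.writestr("../outside.txt", b"x")
    return buf.getvalue()
```

Python's own `zipfile` never recreates symlinks on extraction (it writes the target string as a regular file), so the dangerous step is handing the upload to a tool such as `unzip` that does; the check above is what to run before any such tool.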