Summary
Hutool is a Java utility library that provides a wealth of helper classes and methods so that developers can handle a variety of common tasks in Java applications. It is widely used in Java development because of its simple API, rich functionality, and good performance.
The author selected common vulnerabilities in the Hutool component for research by analyzing the components introduced in hundreds of real projects. This analysis covers the directory traversal vulnerability CVE-2018-17297, which occurs when Hutool-core performs unzip operations.
Hutool-core includes Bean operations, date handling, various Util classes, and so on; among these, the ZipUtil class is used when compressing or decompressing files.
Information
• Name: Directory Traversal Vulnerability
• Number: CVE-2018-17297
• Type: CWE-22 Directory Traversal
• CVSS Score: 7.5 (CVSS v3.1)
• Severity Level: High
By default, the unzip methods of the library's ZipUtil class do not validate the entry names inside a zip file. Directory traversal therefore occurs when a zip file is unpacked with Hutool's default unzip functions and the caller does not validate the entry names in the archive itself.
This vulnerability affects Hutool versions before 4.1.12.
Reproduction
1. Construct a malicious Zip file
Renaming a file to ../ under Windows is rejected because the / character is not allowed in file names, so a Python script is used to build the malicious zip file instead.
The script compresses two files into a zip archive with entry names such as ../../../../etc/passwd and ../index.html.
2. Decompress the archive using the Hutool component's unzip function.
3. Results
Checking the results shows that the original /etc/passwd and /var/www/html/index.html have been overwritten.
Technical Analysis
As the reproduction above shows, this is a standard Zip Slip vulnerability, a class of bug that also exists in several other language ecosystems such as JavaScript, Ruby, .NET, and Go.
This vulnerability allows an attacker to overwrite arbitrary files whose permissions permit the unzipping process to write to them.
For example, overwriting sensitive files such as /etc/passwd or SSH private keys may allow the server to be controlled remotely, and under certain circumstances may also lead to remote command execution.
The details are as follows:
1. The attacker uploads a malicious zip file;
2. The code that unzips the file has the Zip Slip vulnerability;
3. An executable file inside the zip overwrites an executable file in a parent directory;
4. The attacker invokes the file remotely, or waits for the system to invoke it;
5. The malicious file is executed.
The root cause is in the unzip method of ZipUtil (ZipUtil.class, line 203): outItemFile = new File(outFile, zipEntry.getName()); takes the entry name directly from the zipEntry and builds a File object from it without filtering the name in any way.
Fix
There are several ways to fix the vulnerability:
1. Upgrade Hutool to version 4.1.12 or later
The fix replaces the direct construction of the File object with Hutool's FileUtil helper, which applies a checkSlip check when the File is created.
checkSlip obtains the canonical path of the incoming file, which resolves redundant path elements such as ../ and symbolic links, and the canonical path of the parent directory, then checks whether the file's canonical path starts with the parent's canonical path. If it does not, the file lies outside the parent directory and an exception is thrown; if it does, the file is returned unchanged.
This is a containment check that ensures the extracted file stays inside the intended parent directory and prevents out-of-bounds writes.
The upgrade is applied by changing the dependency version in the build file (pom.xml or build.gradle) and rebuilding the project.
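The following program is an added example, not Hutool's own code, and ties the reproduction steps above to the fix just described. It builds a zip archive with the same kind of traversing entry names as the reproduction step, extracts it once with the pre-4.1.12 pattern (new File(outFile, zipEntry.getName()) used unchecked) and once with a hand-written equivalent of the checkSlip containment check. The class and method names (ZipSlipDemo, buildMaliciousZip, unzip) are assumptions chosen for the example, the checkSlip shown is a re-implementation of the check described above rather than Hutool's method, and the archive contents are constructed sample data. Everything runs inside a temporary directory nested deeply enough that the traversal never leaves it. It needs Java 9 or later.

```java
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {
    // Constructed sample entry names, same shape as in the reproduction step.
    static final String[] MALICIOUS_NAMES = {"../../../../etc/passwd", "../index.html"};

    // Writes a zip whose entry names contain "../"; java.util.zip stores them verbatim.
    static File buildMaliciousZip(File dir) throws IOException {
        File zip = new File(dir, "evil.zip");
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zip.toPath()))) {
            for (String name : MALICIOUS_NAMES) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(("overwritten via " + name + "\n").getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return zip;
    }

    // Hand-written equivalent of the checkSlip containment check (assumed name, not Hutool's code).
    static File checkSlip(File parentFile, File file) throws IOException {
        String parent = parentFile.getCanonicalPath();   // resolves "../" and symlinks
        String target = file.getCanonicalPath();
        // Append the separator so a sibling such as "out2" is not accepted as inside "out".
        if (!target.startsWith(parent + File.separator)) {
            throw new IllegalArgumentException("entry escapes " + parent + ": " + target);
        }
        return file;
    }

    // safe == false reproduces the pre-4.1.12 pattern; safe == true applies the check.
    static void unzip(File zip, File outFile, boolean safe) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(Files.newInputStream(zip.toPath()))) {
            ZipEntry zipEntry;
            while ((zipEntry = zis.getNextEntry()) != null) {
                File outItemFile = new File(outFile, zipEntry.getName());   // the vulnerable line
                if (safe) {
                    outItemFile = checkSlip(outFile, outItemFile);
                }
                if (zipEntry.isDirectory()) {
                    outItemFile.mkdirs();
                    continue;
                }
                outItemFile.getParentFile().mkdirs();
                try (OutputStream os = Files.newOutputStream(outItemFile.toPath())) {
                    zis.transferTo(os);   // InputStream.transferTo needs Java 9+
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Everything happens under a temp directory so no real system file is touched.
        File sandbox = Files.createTempDirectory("zipslip").toFile();
        // Nest the output directory deeply enough that four "../" stay inside the sandbox.
        File outFile = new File(sandbox, "a/b/c/d/out");
        outFile.mkdirs();
        File zip = buildMaliciousZip(sandbox);

        unzip(zip, outFile, false);
        System.out.println("unchecked unzip wrote outside outFile: "
                + new File(sandbox, "a/etc/passwd").exists() + ", "
                + new File(sandbox, "a/b/c/d/index.html").exists());

        try {
            unzip(zip, outFile, true);
            System.out.println("checked unzip: no exception (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("checked unzip rejected the archive: " + e.getMessage());
        }
    }
}
```

Compile and run it with javac ZipSlipDemo.java and java ZipSlipDemo. The unchecked pass creates a/etc/passwd and a/b/c/d/index.html, both outside the out directory the caller asked for, while the checked pass throws on the first traversing entry. One detail worth copying when writing such a check yourself: comparing canonical paths with a plain startsWith accepts a sibling directory that merely shares a prefix, so the example appends File.separator before comparing.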
2. Manually modify the source code
The first fix works by checking the entry names inside the archive, so the vulnerability can also be avoided by implementing the equivalent check yourself. In essence this fix is a code patch.
It can be applied by downloading the component's source code, patching it, and building from the patched source, without upgrading the component as a whole, so that the rest of the project is not affected (at the cost of maintaining the patched build).
3. Access Control
This mitigation limits the impact of Zip Slip attacks by performing the unpacking as a less privileged user whose access to sensitive directories and files is restricted. It does not remove the underlying bug, so it should complement rather than replace the upgrade or the code patch.