Copy Link
Add to Bookmark
Report

NULL mag Issue 03 14 Ghosts from the past

eZine's profile picture
Published in 
null magazine
 · 26 Dec 2020

  

|08written by xqtr of another droid bbs ! andr01d.zapto.org:9999|07

have you heard of zipslip vulnerability? no? read the following paragraph from
the company claiming to find this vulnerability. note the date! ;)

https://snyk.io/research/zip-slip-vulnerability
Zip Slip is a widespread arbitrary file overwrite critical vulnerability,
which typically results in remote command execution. It was discovered and
responsibly disclosed by the Snyk Security team ahead of a public disclosure
on 5th June 2018, and affects thousands of projects, including ones from HP,
Amazon, Apache, Pivotal and many more (CVEs and full list here) . Of course,
this type of vulnerability has existed before, but recently it has manifested
itself in a much larger number of projects and libraries.

The vulnerability is exploited using a specially crafted archive that holds
directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability
can affect numerous archive formats, including tar, jar, war, cpio, apk, rar
and 7z.

so... it seems that this slipzip vuln. is a big thing and we must thank snyk
that saved as... :O but before thank them... go grab issue 34 of phrack
magazine and read article #5, technique #3

http://phrack.org/issues/34/5.html#article

do you find any resembles? :) actually its the same thing! an attack that
dates from 1991 and was meant to hurt wwiv boards, is still open/active and
can be used to attack modern systems like iphones, java apps and more! the
tragic thing about, is that the above company thinks, that they found it
first... hahahahaa :`````)

the attack is very simple and you only need to create a zip archive and a hex
editor. i tried it in a mystic bbs (mine), but thankfuly it didn't work. if
you want to try it your self, follow the guide at phrack mag. if you read
the tutorials about hex editing, from null magazine, you should be able to
do it :)

if you don't learn history, then history has a funny way to repeat its self.
do you agree?

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT