Shulou(Shulou.com)05/31 Report--

This article mainly explains "how to solve the ZipperDown loophole". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn how to solve the ZipperDown loophole.

Attack conditions for ZipperDown security vulnerabilities:

1. App uses ZipArchive

2. One of the zip packets issued by App is not encrypted, nor is the zip packet encrypted.

3. App uses JSPatch or other execution engines, and the local script is not encrypted. As long as the script is placed in the specified directory, it can be executed without validating the local script.

4. Users connect unreliable WIFI hotspots for network communication

Evasion methods for this vulnerability; developers' own evasion methods:

1. Fix the SSZipArchive library and intercept the ".. /" string that may cause directory traversal in the unzipFileAtPath decompression function.

2. When the client communicates with the server, the HTTPS secure transfer protocol is used to ensure that the data in the interaction between APP and the server is encrypted by HTTPS protocol.

3. Encrypt the zip package files downloaded by APP during transmission, and verify the integrity and validity of the zip package on the client side to prevent it from being replaced.

4. Encrypt the local script in APP, and verify the integrity and validity of the local script to prevent it from being replaced

Extension: ZipperDown is not a new vulnerability, but a "very classic security issue". Its impact mainly depends on the specific App and the permissions it acquires, and a similar vulnerability "file directory traversal vulnerability" has also been found on the Android platform.

With regard to the file directory traversal vulnerability, the prerequisite for the vulnerability is:

Use unzipped files in Android applications, such as dynamic loading mechanism, download apk/zip, and then decompress locally

Cause of loophole

Because there is no restriction on the file name when the ZipOutputStream class compresses the file, if the downloaded zip package is maliciously intercepted and modified, the file name can be named ".. / data/data/xxx.xxx.x/xxx", because Android is based on the Linux system, and in the Linux system.. / this symbol represents a return to the upper directory, so you can get a few more of this symbol here. This will go back to the root directory of the Android system, and then write a file in the sandboxie directory of the current application.

Risks of ZipperDown vulnerabilities

Through this vulnerability, an attacker can destroy application data, obtain user privacy data and even obtain the ability to execute arbitrary code.

Circumvention measures; developers' own evasion methods:

1. When decompressing ZipEntry, filter the files with special characters, or extract them to the point that the local file name cannot contain special characters.

2. When the client communicates with the server, the HTTPS secure transfer protocol is used to ensure that the data in the interaction between APP and the server is encrypted by HTTPS protocol.

3. Encrypt the zip package files downloaded by APP during transmission, and verify the integrity and validity of the zip package on the client side to prevent it from being replaced.

Love encryption security solution

1. Love encryption provides an evaluation scheme for this vulnerability to detect whether this vulnerability exists in App.

2. Encrypt SDK using Ai encryption protocol, encrypt the data in the communication process, and ensure that the data is not tampered with.

User security solution

Do not use uncertified WIFI hotspots and update the App on your phone in a timely manner.

At this point, I believe you have a deeper understanding of "how to solve ZipperDown loopholes". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.