Shulou(Shulou.com)06/01 Report--

This article mainly analyzes the relevant knowledge points of the example analysis of iOS third-party decompression library 0-Day early warning, the content is detailed and easy to understand, the operation details are reasonable, and has a certain reference value. If you are interested, you might as well follow the editor to take a look, and follow the editor to learn more about the "sample analysis of iOS third-party decompression library 0-Day early warning".

0x00 background

On the evening of May 15, 2018, the Pangu team disclosed the ZipperDown vulnerability [1], in which the main third-party decompression library involved was ZipArchive [2]. Our team is mainly responsible for the security of iOS App in the company, so in order to accelerate the fix of the vulnerability, we wrote a patch for this vulnerability overnight and submitted the Pull Request to the official code base on the morning of the 16th. This patch mainly deals with relative paths and soft links in Zip packages. Due to time constraints, the patch does not consider interface compatibility issues, but as a reference to fix vulnerabilities, it already contains enough information.

Received email notification of Pull Request shutdown [4]:

One description is to the effect that there is little evidence that symbolic links in Zip cause security problems. So we construct a new PoC [5] to illustrate the path traversal vulnerability that exists in the ZipArchive library due to the lack of secure handling of soft links.

0x01 vulnerability description

The ZipArchive library does not safely handle soft links in Zip packages, and there is a path traversal vulnerability.

The construction method of Zip package:

First, add a soft link PDIR to the Zip file, pointing to.. /.

Then, add a file named: PDIR/XXX to the Zip.

In this way, when unzipping, the XXX file will be extracted to the directory pointed to by PDIR, and any level of traversal can be achieved by combining PDIR.

PoC address: https://github.com/Proteas/ZipArchive-Dir-Traversal-PoC

The effect of running PoC is as follows:

0x02 vulnerability harm

Like ZipperDown, path traversing itself can only cause file overwriting, but combined with other defects in App can result in remote arbitrary code execution.

On the "iOS third-party decompression library 0-Day early warning example analysis" is introduced here, more relevant content can search the previous article, hope to help you answer questions, please support the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.