ZipperDown vulnerability, hype or imminent-vulnerability warning-the black bar safety net

ID MYHACK58:62201890308
Type myhack58
Reporter 佚名
Modified 2018-05-29T00:00:00


! One, overview Recently, ZipperDown vulnerability is disclosed, the vulnerability affects Android and iOS two platform, including the iOS app market up to 10%of the application the vulnerability exists, and no shortage of many popular applications, triggering the industry's strong reaction. Security Mobile Security the first time to start on the vulnerability of the emergency response, hope that objective and impartial reflect the payment industry impact. Research found that the vulnerability is due to the developers not the compressed package decompression path validation, an attacker by constructing a malicious compressed packets for path traversal attacks, and in the industry there are more than 3 percent of applications the presence of the vulnerability. However, the vulnerability of the real impact also need the specific combination of application business investigation, should not be overstated, more should not be overlooked, security Mobile Security will provide free technical support together with relevant parties to jointly conduct a safety investigation, the risk is minimized. Second, the vulnerability of early warning description Zip compressed package path through the brief description The Zip archive is a common compression file formats, Zip compression package support package the file name of the file containing the parent path. As shown, the compressed package update. the zip contains a file libpay. so, but the path to the file is“......\”, When the file is decompressed, if not dealt with accordingly, then the file will be decompressed to the appropriate parent directory, the realization of the path traversal, i.e., the real after decompression, the path for the[expected unzip location]......\ libpay. so, through the current expected decompression position, to reach the attacker wants to construct any path. ! “ZipperDown”vulnerability described Currently a large number of applications will read the zip compression package for related business, the most common scenario is downloaded from the server compressed package, resource, code hot update. Through the Zip compressed package path through the description above, if the attacker through technical means, such as a remote hijacking or local replacement and other ways of application of the load of the zip archive to replace the presence of the path through the malicious compressed packet, and the application does not provide for extracting the file path determination, the attacker can correspond to resources used, code any modification, replacement, in order to achieve remote code hijacking and other high-risk operation, hazards of the application of business scenarios. The analysis found that“ZipperDown”vulnerability is an application-level vulnerabilities, and application if there is no unzip file to path traversal issues of protection, there is a“ZipperDown”vulnerability. “ZipperDown”the vulnerability of the payments industry, the impact of This ZipperDown vulnerability after the incident, security for mobile security the first time you start the vulnerability of the emergency response process, while the payment industry application to the initialsecurity testing, hope that objective and impartial reflect the vulnerability of the payments industry the actual impact. Currently, in the smart POS payment application, a non-payment applications as well as mobile phone payment applications, are found in some applications, the presence of ZipperDown vulnerability, although the smart POS application compared to the mobile application business scenario is relatively simple, but the results show there are still nearly 3 into the smart POS application there is a corresponding security risks. ! Security Mobile Security The study depth of analysis that the vulnerability of the real impact also need to be combined with the application's own business scene for further investigation, not simply a gross determination of the vulnerability will the real endanger the business scene. At the same time, a part of the application is due to the use of third-party libraries and the introduction of the vulnerability, its risk is also the need for further evaluation with third-party library developers to communicate. Third, the vulnerability principle analysis The lower figure for the presence of“ZipperDown”vulnerability of an application code sample. ! Can be found, when try to unzip, the zip package of the file, its path name may be there is a path through the problem. When the application is loaded there is a path through the malicious compressed package, due to the lack of the path of the check, so that the malicious compressed the contents of the package through a path crossing, and overwrite the original application files. To libpay. so, for example, an attacker build of the update. zip present in the path through the malicious run-time library libpay. so, after extracting replace the local original library file, it is successful in the current program insert a malicious runtime, then the implementation of theft, the business of hijacking and other operations. Fourth, the Fix recommends For“ZipperDown”Android high-risk vulnerability threat landscape, security days mobile Safety recommendations from the investigation and repair of both to start with, the first of the market operators of all applications for vulnerability detection and analysis, and then combined with the business scenario to further clarify the vulnerability of hazards and development of appropriate repair recommendations. Specific policy recommendations are as follows: step1: for the application market has been on the frame and the upper frame of the application, the need for application of the“ZipperDown”vulnerability special testing, to determine whether there is a “ZipperDown”vulnerability, to ensure source Safety. Security Mobile Security Free provides a Detection Tool and technical support. step2: for the presence of“ZipperDown”vulnerability of the application, requires a combination of business scenarios for further analysis to identify vulnerabilities hazards, and develop appropriate repair recommendations. Reference repair recommendations are as follows, developers can according to their own business needs, select the most suitable for their business strategy. ·The application in the loading an external zip compressed package, the need for the compressed package decompression path for verification. ! ·The application in the loading an external zip package, you can use the checksum mechanism to ensure the loading of the zip package is indeed legitimate zip, not to be replaced. Application download zip packet of the communication channel, using a secure communication channel to ensure there is no tampering, hijacking, replacement might be. In addition, for the third-party library is introduced and the resulting risk, the need for developers to collaborative third-party library developers to communicate together to develop repair programme. Security Mobile Security Free provide Advisory services and technical support, together with market operators, developers and third-party libraries developers together to solve“ZipperDown”vulnerability security risks. Five, summary zip file path crossing is not a new problem, has long been a security analyst to disclose, but has not caused the industry wide attention. This ZipperDown vulnerability broke, the disclosure of the relevant data description of the“safety is no small matter”, even a very small security risk, if not seriously treated, it may lead to serious security consequences. While third-party libraries cause ZipperDown vulnerability of the introduction, also shows that today security has not just a single issue, it requires ecology of the involved parties together hand in hand linkage, work together to build security ecology, to avoid the risk of introduced.

[1] [2] next