Bit7z Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability, commonly referred to as 'Zip Slip', has been identified in Bit7z, a cross-platform C++ static library for compressing and extracting archive files. This vulnerability exists in versions prior to 4.0.11 and arises from the library's inadequate validation of file paths in archive entries during extraction. As a result, files can be written outside the intended extraction directory through relative path traversal, absolute path traversal, and symbolic link traversal. An attacker can exploit this vulnerability by providing a malicious archive to any application that uses Bit7z to extract untrusted archives. Successful exploitation allows for arbitrary file writes with the privileges of the process performing the extraction, potentially overwriting application binaries, configuration files, or other sensitive data. While the vulnerability does not directly allow for reading file contents, it could lead to secondary confidentiality risks if extracted files are served or displayed by the application, due to attacker-created symbolic links.

Impact

Exploitation of this vulnerability allows for arbitrary file writes outside the intended extraction directory, with the potential to overwrite application binaries, configuration files, or other sensitive data. The vulnerability's integrity impact is high, as it allows for unauthorized modifications to files that could be critical to application functionality or security.

Reproduction

To reproduce this vulnerability, create a malicious ZIP archive that includes files with paths designed to exploit the traversal vulnerability. This can be done by adding files with relative path sequences that traverse up the directory structure, absolute paths that bypass the intended extraction directory, or symbolic links that reference paths outside the output directory. Once the archive is prepared, use an application that incorporates Bit7z to extract the contents of the archive. If the application does not validate the paths of the archive entries, the exploitation will succeed, resulting in the files being written to the specified locations outside the intended directory.

Remediation

Upgrade to Bit7z version 4.0.11, which addresses the vulnerability by improving path validation during extraction. If an immediate upgrade is not possible, the vulnerability can be mitigated by validating the destination path of every archive entry before it is written, using 'BitArchiveReader' to enumerate and check the entry paths; the check must cover all three traversal forms described above (relative path sequences, absolute paths, and symbolic links whose targets resolve outside the output directory). Additionally, extraction should be performed with minimal privileges and into a dedicated, sandboxed directory to further reduce the impact of a missed case.
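The following is an added example of the pre-extraction check described above; it is not Bit7z's own code and does not depend on the library. It assumes the caller iterates the entries exposed by BitArchiveReader, passes each entry's stored path (and, for symbolic links, the link target) to these functions, and only extracts entries for which they return true. The destination directory is assumed to be an absolute path to a freshly created, empty directory. The checks are purely lexical, so they run before anything touches the filesystem, and they cover the three traversal forms the advisory names: relative `..` sequences, absolute and drive-letter paths, and symlink targets that escape the output directory.

```cpp
// Added example (not Bit7z's own code): lexical validation of archive entry
// paths before extraction, covering relative, absolute and symlink traversal.
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// ZIP entries may use '\' as a separator and Bit7z is cross-platform. On POSIX a
// backslash is a legal filename character, but for untrusted input treating it
// as a separator is the conservative choice.
static std::string toSlashes(std::string s) {
    std::replace(s.begin(), s.end(), '\\', '/');
    return s;
}

// Absolute in any form: POSIX root or UNC ("/x", "//server/share") or a
// Windows drive prefix ("C:/x", "C:x"). Checked on the raw string so the
// result does not depend on the platform std::filesystem was compiled for.
static bool looksAbsolute(const std::string& s) {
    if (s.empty() || s[0] == '/') return true;
    return s.size() >= 2 && s[1] == ':' && std::isalpha(static_cast<unsigned char>(s[0]));
}

// True if `candidate` (after lexical normalisation) is at or below `base`.
// Component-wise comparison, so "/tmp/outside/x" is not inside "/tmp/out".
static bool isInside(const fs::path& candidate, const fs::path& base) {
    fs::path c = candidate.lexically_normal();
    fs::path b = base.lexically_normal();
    if (!b.has_filename()) b = b.parent_path();   // drop a trailing "/" on either side
    if (!c.has_filename()) c = c.parent_path();
    auto m = std::mismatch(b.begin(), b.end(), c.begin(), c.end());
    return m.first == b.end();
}

// Safe iff the entry is relative, contains no ".." component at all, and
// normalises to a location under destDir.
bool isSafeEntryPath(const std::string& rawEntry, const fs::path& destDir) {
    const std::string entry = toSlashes(rawEntry);
    if (looksAbsolute(entry)) return false;
    const fs::path p(entry);
    if (p.is_absolute() || p.has_root_name()) return false;
    for (const auto& comp : p)
        if (comp.string() == "..") return false;   // reject "a/../../b" too, not just a leading ".."
    return isInside(destDir / p, destDir);
}

// A symlink entry is safe only if the link itself lands inside destDir and its
// target, resolved relative to the link's own directory, also stays inside.
bool isSafeSymlinkEntry(const std::string& rawLink, const std::string& rawTarget,
                        const fs::path& destDir) {
    if (!isSafeEntryPath(rawLink, destDir)) return false;
    const std::string target = toSlashes(rawTarget);
    if (looksAbsolute(target)) return false;
    const fs::path linkDir = (destDir / fs::path(toSlashes(rawLink))).parent_path();
    return isInside(linkDir / fs::path(target), destDir);
}

// Stand-alone demonstration over constructed entry names (no real archive).
int main() {
    const fs::path dest = "/tmp/out";                 // assumed absolute, empty output dir
    const char* samples[] = {"docs/readme.txt", "../evil.sh", "a/../../evil.sh",
                             "..\\..\\evil.sh", "/etc/passwd", "C:\\Windows\\x"};
    for (const char* s : samples)
        std::cout << (isSafeEntryPath(s, dest) ? "extract  " : "REJECT   ") << s << '\n';
    std::cout << (isSafeSymlinkEntry("sub/link", "../data.txt", dest) ? "extract  " : "REJECT   ")
              << "sub/link -> ../data.txt\n";
    std::cout << (isSafeSymlinkEntry("link", "../../etc", dest) ? "extract  " : "REJECT   ")
              << "link -> ../../etc\n";
    return 0;
}
```

Because the check is lexical, it cannot see links that already exist on disk: a symlink entry extracted earlier in the same archive can redirect a later, lexically valid file entry. When extracting untrusted archives, either skip symlink entries entirely or extract them only after all regular files, and confirm that no component of the final destination path is a symlink before opening the file for writing.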

Added: Feb 24, 2026, 11:12 PM
Updated: Feb 24, 2026, 11:12 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 4.0
exploitability: 5.3
remediation: 0.0
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.