15th May 2018

ZipperDown Vulnerability (Technical Report)

1. Introduction

While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error which leads to severe consequences such as data being overwritten and even code execution in the context of the affected App. The problem is caused by the misuse of third-party unzip libraries, including SSZipArchive and ZipArchive. When either of these two libraries is used to unzip a zip file and a malformed filename or a symbolic link enclosed in the zip file is not handled deliberately, a path traversal attack leading to arbitrary file overwrite puts the end user at risk. A query on our Janus platform reveals that 15,979 iOS Apps, including the most popular Apps “weibo”, “momo”, “kwai”, “netease music” and “QQ music”, are affected by this vulnerability.

2. Details for ZipperDown Vulnerability

Neither of the third-party libraries, SSZipArchive and ZipArchive, processes “../” in a filename; the related code is listed below.

Listing 1: ZipArchive does not process the malformed zip file.

Listing 2: SSZipArchive does not process the malformed zip file.

Beyond the third-party libraries, if the developer does not validate the zip file in their own code, an attacker can overwrite any file within the App's sandbox by using a malformed zip file.

3. Attack scheme for ZipperDown

3.1 ZipperDown for iOS

Schemes for a ZipperDown attack include, but are not limited to, the following. 1) Using an SNS App or a tool App that accepts a malformed zip file from the attacker and uses SSZipArchive or ZipArchive to process it. 2) If the App downloads a zip file over HTTP and then uses SSZipArchive or ZipArchive to process it, the attacker can replace the benign zip file with a malicious one by Wi-Fi hijacking.

3.2 ZipperDown for Android

Compared to ZipperDown for iOS, the vulnerability is more severe for Android Apps. The differences between iOS and Android Apps are listed below.

1) The sandboxing policy is different. For an iOS App, all executable code must be signed, and the code resides in a directory with a random path. Thus it is hard for an attacker to predict the path containing executable code in order to overwrite it. Moreover, even if the attacker successfully overwrites a binary in this folder, iOS sandboxing prevents execution of the unsigned binary. There is no such limitation for Android Apps.

2) The data transfer policy is different. Apple has enforced that all data be transferred over HTTPS, which is an obstacle for an attacker trying to replace a zip file with a malicious one. This is easier for Android Apps.

3) The third-party libraries that lead to ZipperDown are different. For iOS Apps the problem is caused by using SSZipArchive or ZipArchive, whereas on Android the framework itself provides the ZipEntry class for developers to unzip a zip file. Like the iOS libraries, the ZipEntry class does not check for a malformed zip file either. Although we found third-party libraries for Android developers, Janus shows that few Apps use them.

4. Mitigation

To mitigate the ZipperDown vulnerability, we suggest that: 1) upgrade the third-party library used for unzipping to the latest version (you can follow this patch for details); 2) check the integrity of the file before processing it, for instance by checking its hash value.
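The missing check from Section 2 (a “../” filename or a symbolic link inside the archive is written without validating where it lands) and the mitigation above can be demonstrated with the following added example. It is a language-neutral Python illustration written for this report's readers, not code from SSZipArchive, ZipArchive or the Android framework; the archive it builds is a constructed sample, and the sandbox path used in the test is an assumed placeholder.

```python
import io
import os
import stat
import zipfile

def build_sample_zip() -> bytes:
    """Constructed sample archive: a benign entry, a "../" traversal entry,
    and an entry whose Unix mode bits mark it as a symbolic link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/ok.txt", "benign content")
        zf.writestr("../../Library/Preferences/app.plist", "overwritten")
        link = zipfile.ZipInfo("assets/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # symlink mode bits
        zf.writestr(link, "../../Documents")                # link target
    return buf.getvalue()

def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix-created zips store st_mode in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)

def check_entries(data: bytes, dest: str) -> dict:
    """Classify each entry as 'ok', 'traversal' or 'symlink' before writing
    anything: the containment check the unpatched libraries omit."""
    root = os.path.realpath(dest)
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                verdicts[info.filename] = "symlink"
                continue
            # join() drops root for absolute names and realpath() collapses
            # "..", so both forms of escape fail the commonpath test.
            target = os.path.realpath(os.path.join(root, info.filename))
            inside = os.path.commonpath([root, target]) == root
            verdicts[info.filename] = "ok" if inside else "traversal"
    return verdicts

def safe_extract(data: bytes, dest: str) -> list:
    """Extract only when every entry passed the check; returns names written."""
    verdicts = check_entries(data, dest)
    rejected = sorted(n for n, v in verdicts.items() if v != "ok")
    if rejected:
        raise ValueError("refusing to extract unsafe entries: %s" % rejected)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()
```

Because the check resolves the real path on disk, a symbolic link already present under the destination directory and pointing outside it is also caught, which a purely textual “../” filter would miss.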

5. More

When we came across this problem, we were shocked by the sheer volume of affected Apps. After careful consideration, we decided to disclose this problem to both the third-party library developers and the App vendors. In order to help the vendors and protect end users, details of this vulnerability were not made public in our initial disclosure, and only the potentially vulnerable Apps were listed on the ZipperDown web site. We hoped to get in touch with developers in this way. During the collaborative process, 283 mails were received consulting on this problem, and 260 mails in total were replied to after we verified the senders. Finally, we hope that all iOS developers pay attention to this problem and remove the threat posed to their Apps. For Android Apps, we also suggest that you visit Janus to make sure your App is not in the list.