CVE-2018-1002206
Path Traversal vulnerability in SharpCompress (NuGet)
What is CVE-2018-1002206 About?
CVE-2018-1002206 describes a path traversal vulnerability in SharpCompress versions prior to 0.21. This flaw allows an attacker to write files to arbitrary locations on a system during archive extraction, potentially leading to system compromise or data overwrites. While no exploit is publicly known, the underlying mechanism suggests it could be exploited with crafted archive files.
Affected Software
Technical Details
The vulnerability stems from improper validation of file paths within archives processed by SharpCompress. When extracting an archive, SharpCompress fails to adequately sanitize or normalize filenames that contain directory traversal sequences (e.g., '..' or '../'). An attacker can craft an archive (e.g., ZIP, RAR) containing malicious filenames that, when extracted, cause files to be written outside the intended extraction directory. For instance, a file named '....\windows\system32\malicious.dll' could be written to the 'system32' directory if extracted with insufficient path validation, leading to arbitrary file write capabilities.
What is the Impact of CVE-2018-1002206?
Successful exploitation may allow attackers to write arbitrary files to sensitive locations on the file system, potentially leading to system compromise, data corruption, or denial of service.
What is the Exploitability of CVE-2018-1002206?
Exploiting this vulnerability typically involves crafting a malicious archive file containing specially constructed filenames with directory traversal sequences. The attacker would then need to entice a legitimate user or an automated system to extract this archive using the vulnerable SharpCompress library. There are no specific authentication or privilege requirements for the attack itself beyond the ability to provide a malicious archive for processing. The complexity lies in ensuring the target system extracts the file and that the chosen target path is writable and useful for the attacker. The attack is primarily remote, as the crafted archive can be delivered via various means (e.g., email, compromised website).
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2018-1002206?
About the Fix from Resolved Security
The patch prevents directory traversal attacks by ensuring that file extraction paths are normalized and validated to remain strictly within the designated extraction directory, throwing an exception if a crafted archive entry attempts to escape it. This directly fixes CVE-2018-1002206, which was exploitable via “Zip Slip” by including ../ sequences in file paths, allowing attackers to overwrite arbitrary files outside the extraction location.
Available Upgrade Options
- SharpCompress
- <0.21.0 → Upgrade to 0.21.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/adamhathcock/sharpcompress/commit/80ceb1c375fdb1b4ffba16528c99089e804ce61f
- https://github.com/snyk/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-60246
- https://github.com/adamhathcock/sharpcompress/commit/42b1205fb435de523e6ef8ac5b7bafbe712997f6
- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/adamhathcock/sharpcompress/pull/374
- https://osv.dev/vulnerability/GHSA-fxh6-w476-hgr4
What are Similar Vulnerabilities to CVE-2018-1002206?
Similar Vulnerabilities: CVE-2021-42340 , CVE-2022-24765 , CVE-2020-28052 , CVE-2019-12290 , CVE-2023-4581
