CVE-2022-21675 in Bytecode Viewer

Summary

by MITRE • 01/12/2022

Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Versions of the package prior to 2.11.0 are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip"). The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The Zip Slip vulnerability can affect numerous archive formats, including zip, jar, tar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The impact of a Zip Slip vulnerability would allow an attacker to create or overwrite existing files on the filesystem. In the context of a web application, a web shell could be placed within the application directory to achieve code execution. All users should upgrade to BCV v2.11.0 when possible to receive a patch. There are no recommended workarounds aside from upgrading.


Analysis

by VulDB Data Team • 01/15/2022

The vulnerability identified as CVE-2022-21675 affects Bytecode Viewer version 2.11.0 and earlier, representing a critical security flaw in Java and Android reverse engineering tools. This vulnerability stems from improper handling of archive file extraction processes, specifically allowing directory traversal attacks through maliciously crafted archive files. The flaw enables attackers to manipulate file paths during decompression operations, potentially leading to arbitrary file system modifications. The affected software processes archive contents without adequate validation of file paths, creating an avenue for malicious actors to write files outside intended directories. This issue particularly impacts applications that handle user-supplied archives, making it a significant concern for software that processes external inputs.

The technical implementation of this vulnerability follows the classic Zip Slip exploitation pattern where attacker-controlled archive files contain filenames with directory traversal sequences such as ../../evil.exe. When the application extracts these archives without proper path sanitization, the decompression process creates files at unintended locations within the file system. This flaw operates across multiple archive formats including zip, jar, tar, war, cpio, apk, rar, and 7z, demonstrating the widespread nature of the vulnerability. The underlying cause aligns with CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, which specifically addresses insufficient validation of file paths during file operations. The vulnerability can be exploited by attackers who craft malicious archives containing relative path traversal sequences that bypass normal file system access controls.

The operational impact of CVE-2022-21675 extends beyond simple file system manipulation to potentially enable complete system compromise. Attackers can leverage this vulnerability to overwrite executable files, inject malicious code, or deploy web shells within application directories. When the vulnerable Bytecode Viewer processes malicious archives, it can create or modify files that will be executed by the system or user, achieving remote code execution capabilities. This vulnerability particularly affects environments where users can upload or process external archives, as it allows attackers to modify critical system files or application components. The exploitation chain typically involves creating a malicious archive with traversal sequences, uploading or providing it to the vulnerable application, and then executing the resulting malicious files. The impact is especially severe in web application contexts where such vulnerabilities can lead to complete system compromise and persistent backdoor access.

Organizations and users should immediately upgrade to Bytecode Viewer version 2.11.0 or later to remediate this vulnerability, as no effective workarounds exist for this specific flaw. The patch implemented in version 2.11.0 addresses the core issue by introducing proper path validation during archive extraction processes, ensuring that file paths are properly sanitized before file system operations occur. Security practitioners should consider implementing additional monitoring and validation measures for any applications that process external archives, including logging archive extraction activities and implementing file path validation checks. This vulnerability demonstrates the importance of proper input validation in file handling operations and aligns with ATT&CK technique T1059.007 - Command and Scripting Interpreter: Python, which covers similar exploitation patterns in software that processes external inputs. The remediation approach should include comprehensive testing of archive processing functionality to ensure that path traversal sequences are properly rejected and that all file system operations occur within intended directories.
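The check the analysis describes, as an added Python illustration that is not code from Bytecode Viewer, its patch, or VulDB: each archive member's canonical destination is compared against the canonical extraction root before anything is written, and the whole archive is refused if any member escapes. The function names and the constructed member names (including the advisory's ../../evil.exe pattern) are assumptions made for this example.

```python
import io
import os
import zipfile


def unsafe_entries(archive_bytes: bytes, dest: str) -> list[str]:
    """Return member names that would resolve outside dest (CWE-22 check)."""
    # Compare canonical paths, not raw strings: this catches '../' runs,
    # absolute member names and symlinked parents alike.
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Extract only when every member stays under dest; otherwise refuse."""
    # Validate the whole archive first so no member reaches disk before a
    # later, malicious one is rejected.
    bad = unsafe_entries(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample(names: list[str]) -> bytes:
    """Constructed in-memory archive; each name becomes a one-byte member."""
    # zipfile stores names verbatim on write, so traversal names survive,
    # standing in for an attacker-supplied .jar/.apk/.zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()


# Constructed samples: a normal jar layout, and the "../../evil.exe" pattern
# from the advisory plus an absolute name.
BENIGN = build_sample(["META-INF/MANIFEST.MF", "com/example/Main.class"])
MALICIOUS = build_sample(["com/example/Main.class", "../../evil.exe",
                          "/etc/cron.d/job"])
```

Python's own extractall already drops ".." components, so the explicit pre-check is the part that an extractor lacking such validation, as the analysis describes for versions before the 2.11.0 patch, has to add; it also gives a defender a cheap way to flag suspicious archives in logs before they are opened.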

Responsible

GitHub, Inc.

Reservation

11/16/2021

Disclosure

01/12/2022

Moderation

accepted

CPE

ready

EPSS

0.02544

KEV

no

Activities

very low
