Critical .zip vulnerabilities? - Zip Slip and ZipperDown

What is going on with .zip files. What is this new critical vulnerability that seems to affect everything? ... old is new again.

Resources:

Gynvael:

Ange Albertini / Corkami

#CVE #SecurityResearch
Comments
Author

How to become internet famous:
1. Find some random bug that could be a problem
2. Give it a fun logo and name
3. "Spread" the "knowledge"
BONUS: Sell software that "fixes" the problem

moth.monster
Author

lifeoverflow... one of the few channels really worth enabling notifications

DangerousPictures
Author

Had to lol at this branding and announcement; it's a joke, what a farce.

I've literally used this vulnerability throughout my pentest career over the last decade. You're right, it's ancient.

Nice video to summarise the farcical marketing nonsense.

lmaoroflcopter
Author

What? A 30-year-old piece of software has security vulnerabilities?

hrnekbezucha
Author

I really liked that the video is not only about complaining. I had the same feelings when I read about this "discovery" and wasn't sure if it was really something new or I was just reading it wrong. Really like the approach you took here - explanation, a bit of showing off but with a pinch of humor ;) Good one.

allthingsreversed
Author

Kind of brings me back to the first time I heard about zip bombs back in the early 2000s.

Crazy to think that _unpacked_ 42.zip can actually fit on *SOME* people's computers these days.

jjppmm
Author

Thanks man, you've officially just made me too paranoid to touch .zip archives!
😭😂
Great video, thanks for your efforts.

RobinCawthorne
Author

This brings memories... I think I once discovered and exploited that trick many many years ago to break the "security" on my school's old PC/AT clones.

MoraFermi
Author

Instant share!
I am just a student, but my friends and I work on servers, so I have to tell them. It is more shocking that this known vulnerability is that old and I never heard of it.
Also this is very important to consumers, who are a target because zips should make their life easier!

Checker
Author

Lol, you always start off real simple, but you hit the point where it gets complicated really quickly, and you're just watching the video going yup, I'll get there one day.

samuelhildebrandt
Author

I must admit... I didn't expect it to be this obvious. For my home NAS I use tar.xz for long-term storage, and I'm very well accustomed to the way file paths are handled. You always check for tar bombs and similar before you un-archive.

When they say tools usually don't let you make zip archives with ../ file paths and whatnot, I think it's because they're thinking of graphical tools though.
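Following up on the ../ entry names mentioned in the comment above, here is an added defender-side example (written for this page, not code from the video or from any commenter) of an extraction routine that refuses entries whose resolved path would land outside the destination directory, which is the check the libraries hit by Zip Slip were missing. The archive contents and the function names are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def is_safe_member_name(name: str) -> bool:
    """Reject the entry-name shapes behind Zip Slip: absolute paths, drive letters, '..' parts."""
    norm = name.replace("\\", "/")
    p = PurePosixPath(norm)
    if p.is_absolute() or (len(norm) > 1 and norm[1] == ":"):
        return False
    return ".." not in p.parts

def safe_extract(zip_bytes: bytes, dest: str):
    """Extract only entries whose resolved path stays inside dest; return (extracted, rejected)."""
    dest_path = Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # resolve() follows symlinks already present under dest, so containment is checked on the real target
            target = (dest_path / name).resolve()
            inside = os.path.commonpath([dest_path, target]) == str(dest_path)
            if not is_safe_member_name(name) or not inside:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(name)
    return extracted, rejected

def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two Zip Slip style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../evil.sh", "would land two levels above dest")
        zf.writestr("/etc/cron.d/evil", "absolute path, would ignore dest entirely")
    return buf.getvalue()

def run_demo():
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_demo_zip(), dest)
    readme = (Path(dest) / "docs" / "readme.txt").read_text()
    return extracted, rejected, readme
```

The name check alone is not enough on its own: a symlink planted by an earlier entry (or already present on disk) can redirect a harmless-looking name, which is why the resolved target is compared against the destination as well.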

casperes
Author

I have done numerous CTFs which were about this bug!! Nothing new, I believe!!
Thanks for bringing this forward :D

pwnweb
Author

your videos kinda make me feel like the stuff that is used everyday and deemed pretty safe is actually the most dangerous, containing lots of hidden mechanisms that can be exploited by anyone who cares to do so :o

Almostbakerzero
Author

After seeing this I think I can finally press that notification bell. Looking forward to more quality content in the future!

zakbrown
Author

I also discovered this in 2013 and wrote about it then. I could overwrite the core PHP for WordPress from a malicious theme file zip with a directory traversal.

fission
Author

Congrats on TARPit ;) (every vuln requires a cool name and a logo right?) Now get your marketing team on it! :D

lmaoroflcopter
Author

Marketing driven technical solutions are very often a bunch of bullshit. Modern WebDev for example, every corp (Facebook, Google, Microsoft) wants to take a bite from the market, so they create horrible tools, spread marketing articles saying it is the future, but in reality it is just an expensive product, locking developers inside their tech, reinventing trivial things, but complexified. I LOVE THIS CHANNEL, every video I feel richer in my knowledge.

sentinelaenow
Author

I really like your videos. Really informative, even though I have zero knowledge of Python, C/Objective C/C++. Still. Knowing everything for the future is an advantage.

mempler
Author

The good old BBS days. Love your vids, keep up the work.

opy
Author

Gorgeous explanation. Love this channel, keep up the good work!

Hereson