Episode: 3183
Title: HPR3183: Don't trust zipfiles
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3183/hpr3183.mp3
Transcribed: 2025-10-24 18:21:59
---
This is Hacker Public Radio Episode 3183 for Wednesday, 14 October 2020. Today's show is entitled
Don't Trust Zipfiles
and is part of the series Privacy and Security. It is hosted by Cedric DeVroey
and is about five minutes long
and carries a clean flag. The summary is:
Zipfiles can contain all kinds of evilness and unpacking them can lead to unexpected results.
This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting
with the offer code HPR15. That's HPR15.
Better web hosting that's honest and fair at AnHonestHost.com.
Hello hackers around the world. My name is Cedric and I'm here again with another story
on pentesting and cybersecurity straight from the trenches. This time I'm going to talk about
a hack we did fairly recently, actually today. I said straight from the trenches.
What happened is that we owned our client's entire system by a full source disclosure,
as we call this. What happened? We found a vulnerability in their web application, a fairly serious one.
And I'm going to explain the technicalities.
So what actually happened in this web application?
You have a function to upload files and not just any files, it accepts Zipfiles
and it allows you to unzip those files on the server.
Now what a lot of people don't know about is that on Linux you have this concept of symbolic links.
And symbolic links are actually like Windows shortcuts. They point to another file.
Now what a lot of people don't know is that you can actually put these symbolic links in a zip file.
They will not, the zip file won't contain the actual file, it will contain the reference, the link to the file.
So you already see this coming. What you can do is create a link to dot dot slash, dot dot slash, dot dot slash, dot dot slash, dot dot,
dot dot. Do this 100 times if you want, slash etc slash passwd, which contains your entire login register.
So that's what I did. I created a symlink to the /etc/passwd file with some directory traversal injected.
Then I zipped this symlink and I uploaded this zip file to our target.
And since our target had a function to unzip files, I did that.
And guess what happened? If I clicked the unzipped file link, yes, you understand.
I downloaded it. Our client's /etc/passwd containing all their logins.
So what did we learn? Don't trust zip files. Don't just trust any zip files.
You always need to check each and every file in there for threats.
And one of those threats is actually symlinking to other files on your system, especially in the context of a web application.
Thanks for listening. I hope you enjoyed it. If you want to reach out to me, you can.
I'm on Twitter, LinkedIn and Facebook. And you can use the comment sections on Hacker Public Radio.
I also want to thank some people, the people from OWASP, the great organization that bundles all kinds of knowledge on pentesting and cybersecurity and also develops a whole bunch of tools,
especially the OWASP Zed Attack Proxy. That's such a great tool.
If you think Burp Suite is not your thing, especially the license, then OWASP Zed Attack Proxy.
It's a man-in-the-middle proxy. We use it all the time. It's great. It's fantastic software. It really works very well.
And I also want to thank the people from Audacity who actually create the software with which I record this podcast.
Thanks for listening. See you next time. Bye!
You've been listening to Hacker Public Radio at hackerpublicradio.org.
We are a community podcast network that releases shows every weekday Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club and is part of the Binary Revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.
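The check the host asks for at the end of the episode, inspecting each entry before unpacking, can be automated on the server side. The Python below is an added example and is not code from the episode, from the host, or from HPR. It builds a constructed sample archive in memory with a benign file, a symlink entry and a path-traversal entry, audits every entry for those two hazards, and extracts only the entries that pass. The function names (build_sample_zip, audit_zip, safe_extract, demo_extract) and the default extraction directory are assumptions of this example.

```python
from __future__ import annotations

import io
import stat
import tempfile
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the episode): a benign file,
    a symlink entry and a path-traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        # A zip symlink entry stores the link *target* as its data and marks
        # itself through the Unix mode kept in the high 16 bits of external_attr.
        link = zipfile.ZipInfo("docs/passwd_link")
        link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../../../etc/passwd")
        # An entry whose name climbs out of the extraction directory.
        zf.writestr("../outside.txt", "escaped\n")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True when the entry's Unix mode bits mark it as a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes(dest: Path, name: str) -> bool:
    """True when the entry name resolves outside dest (absolute name or '..')."""
    dest = dest.resolve()
    target = (dest / name).resolve()
    try:
        target.relative_to(dest)
    except ValueError:
        return True
    return False


def audit_zip(data: bytes, dest: Path | None = None) -> dict[str, str]:
    """Map each unsafe entry name to the reason it was rejected."""
    dest = dest or Path.cwd() / "unpacked"  # assumed extraction directory
    findings: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", errors="replace")
                findings[info.filename] = f"symlink -> {target}"
            elif escapes(dest, info.filename):
                findings[info.filename] = "path traversal"
    return findings


def safe_extract(data: bytes, dest: Path) -> list[str]:
    """Write only the entries that pass the audit; return their names."""
    dest = Path(dest).resolve()
    rejected = audit_zip(data, dest)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in rejected or info.is_dir():
                continue
            out = dest / info.filename
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def demo_extract() -> list[str]:
    """Run the audit-and-extract flow against the sample archive in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), Path(tmp))


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample_zip()).items():
        print(f"REJECT {name}: {reason}")
    print("extracted:", demo_extract())
```

Python's own zipfile.extract() drops ".." components from names and writes a symlink entry as an ordinary file holding the target text, so it would not have recreated the link described in the episode; Info-ZIP unzip and several other extractors do recreate symlinks. Rejecting the archive up front, as above, is the policy that holds regardless of which extractor ends up running on the server.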