Zip Slip: a sneaky way to install malware using zip and other packing utilities

Originally published at: https://boingboing.net/2018/06/06/zip-slip.html


https://78.media.tumblr.com/5381c79dfe5a45f8773e21e0b8d439c4/tumblr_o3wvj1xW1b1v0jfsto1_1280.jpg


And crap like this is why, even after upgrading to all solid state storage, I continue to keep my OS and data on two different partitions.


When I read about this I was like “who unzips archives as root/admin?” and then I thought about it a minute and realized I’ve done it myself, even though I know better. D’OH!

This sounds a lot like what used to be called a silk wrapper attack. You present a useful product for download which includes a malware payload in an encrypted part of the compressed file.

There was a very memorable moment on Github some years ago (mostly retained at the Internet Archive, though it seems to have not retained the memes to which the thread inevitably escalated), wherein someone’s install script included the line

rm -rf /usr /lib/nvidia-current/xorg/xorg
instead of
rm -rf /usr/lib/nvidia-current/xorg/xorg

with rather predictable results. This particular attack does not strike me as so different.

On a related note, the great Mr. Chen wrote a bit on the amusing state of Windows zip support just recently:


The thing that struck me from that article was the below quote:

“One of the terms of the license is that the compression and decompression code for Zip folders should be tied to UI actions and not be programmatically drivable. The main product for the company that provided the compression and decompression code is the compression and decompression code itself.”

Not only did a company with functionally unlimited resources voluntarily bake a 3rd party blob they were in a poor position to support into their OS, they knowingly did so under terms that explicitly required that the integration suck.

Was there a really hot patent preventing a reimplementation of zip support at that time? Team WinZip had Steve Ballmer’s favorite cat hostage? Why would you take a deal like that for such a relatively simple feature?


I got his book for Xmas! A limited audience, to be sure, but I enjoyed it.


Thanks for reminding me of the dreaded Click of Death.


With all the multitudes of Zip programs floating around, I can’t recall that anyone else specifically tried to integrate Zip support in the Windows shell in quite the same way. Maybe it wasn’t patented, but was just such a bothersome problem that no one else ever figured it would be worth the headache of re-implementing.

(The product in question is DynaZip, if I’m not mistaken.)


Whether you use relative paths or absolute paths, a zip file can be made to replace system files. This isn’t a malware feature. It’s how the zip file utility is designed to work.

It’s kind of like discovering that the XCOPY command in a .BAT file can be used to overwrite system files.

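The post above is right that an archive can carry whatever relative or absolute paths its author puts in it, which is exactly why the unpacking side has to decide what it will accept. The following is an added example, not code from this thread or from Boing Boing, showing the check a defender applies before extraction: every member name is classified first (audit_zip), and only names that stay under the destination are written (safe_extract). It uses only Python's standard zipfile, posixpath, os and tempfile modules; the function names, and the four-entry sample archive built in build_sample_zip, are constructed for this illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member(name: str) -> bool:
    """Return True only if a member name cannot escape the extraction directory.

    Rejects absolute paths ("/etc/x", "C:\\x") and any name that still begins
    with ".." after normalisation, so "a/../../b" is caught while "a/../b" is fine.
    """
    unixy = name.replace("\\", "/")
    if unixy.startswith("/") or (len(unixy) > 1 and unixy[1] == ":"):
        return False
    normalized = posixpath.normpath(unixy)
    return normalized != ".." and not normalized.startswith("../")


def audit_zip(data: bytes) -> dict:
    """Classify every member of an in-memory archive before anything touches disk."""
    verdict = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            key = "safe" if is_safe_member(info.filename) else "unsafe"
            verdict[key].append(info.filename)
    return verdict


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only members that stay under dest; return the names written."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                continue  # name-level check failed: skip it rather than "fixing up" the path
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Second, filesystem-level check: the resolved path must still be
            # inside dest even after symlinks are followed.
            if os.path.commonpath([dest_real, target]) != dest_real:
                continue
            zf.extract(info, dest_real)
            written.append(info.filename)
    return written


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the thread): two benign members,
    one '../' traversal entry and one absolute-path entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless")
        zf.writestr("sub/dir/file.txt", "also harmless")
        zf.writestr("../../etc/evil.conf", "would land outside dest")
        zf.writestr("/etc/evil2.conf", "absolute path")
    return buf.getvalue()


def run_demo() -> list:
    """Extract the sample into a fresh temp dir and return what actually landed there."""
    dest = tempfile.mkdtemp(prefix="zipslip_demo_")
    safe_extract(build_sample_zip(), dest)
    found = []
    for root, _dirs, files in os.walk(dest):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), dest)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


if __name__ == "__main__":
    print(audit_zip(build_sample_zip()))
    print(run_demo())
```

Python's own zipfile.extract already strips leading slashes and ".." components on its own, so with this library the two bad entries would at worst be written under a rewritten name; the point of auditing first is to reject the archive (or at least the offending members) instead of silently relocating them, since other extractors do not all sanitise the same way. Running the block prints the audit, which lists the two traversal entries as unsafe, and then the files found on disk, which are only the two benign ones.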
