ZIP Bombs 💣😈
Make your storage explode 💥
A zip bomb is a zip file that is designed to take an enormous amount of space once it is unpacked. The best-known one is called 42.zip and has a size of 42kB. It contains recursively nested zip-files. On the lowest level, there is a single file which decompresses to a size of 4.3GB . This file is added in total over a million times to the archive, leading to a total unpacked size of 4.5PB . This is well over the size of any available storage system.
Zip bombs are a form of decompression bomb. Decompression bombs are compressed files which extract to a crazy file size. Decompression bombs are a form of denial-of-service attacks.
Unpacking such an archive can lead in various systems to problems which are all connected to running either out of memory or out of disk space. For example, an anti-virus scanner might unpack the ZIP file and thus get killed due to memory exhaustion. A backend server might fill up its disk and no longer be able to operate.
How to create a ZIP bomb
The simplest ZIP bombs are super easy to create. You can simply use the packages found within Python:
import os
from tempfile import mkstemp
from zipfile import ZIP_LZMA, ZipFiledef create_txt_file(size_in_byte) -> str:
handle, filepath = mkstemp(suffix=".txt", prefix="zip-txt-")
os.close(handle)
with open(filepath, "w") as fp:
fp.write("0" * size_in_byte)
return filepathdef create_zipbomb(inner_file_size=10 ** 6, nb_inner_files=10):
filepath = create_txt_file(size_in_byte=inner_file_size)
with ZipFile("zipbomb.zip", "w", ZIP_LZMA) as myzip:
for i in range(nb_inner_files):
myzip.write(filepath, f"{i}.txt")
print(i)
os.remove(filepath)if __name__ == "__main__":
create_zipbomb(inner_file_size=10 ** 9, nb_inner_files=10)David Fifield also proved that it’s possible to create a zip bomb with has 42MB and extracts to 4.5PB in a non-recursive way (source).
There are also quines for ZIP files. A quine is a program that produces its source code as output. A ZIP-quine contains itself when uncompressed. One well-known one is droste.zip (source), but there are more (source).
You might also be able to create them manually by investigating the ZIP standard and crafting the file.
Should I be worried?
I wouldn’t be worried. As Travis Ormandy pointed out, 21 out of 58 anti-virus programs could detect the zip bomb. 6 timed out, 11 could not process the files and 20 thought the file is fine.
This article is more of a friendly reminder that this type of attack exists and that one should be careful when archives are unpacked.
I found this topic in a couple of places:
- 2005: bzip2 (CVE-2005–1260)
- 2009: Apache Tika (Safe parsing of droste.zip)
- 2018: Akka (CVE-2018–16131)
- 2019: Python (CVE-2019–9674)
- 2019: Info-ZIP (CVE-2019–13232)
- 2019: ClamAV (CVE-2019–12625)
- 2020: Wireshark (CVE-2020–25866)
Get the size of a ZIP file without extracting data
import zipfiledef get_extracted_size(filepath: str) -> int:
"""Get the extracted size in bytes."""
zp = zipfile.ZipFile(filepath)
return sum([zinfo.file_size for zinfo in zp.filelist])Simple enough, isn’t it?
The problem is that you can nest ZIP files. So the extracted files could again contain zipped files. If you apply recursion, you might want to have a maximum recursion depth and keep track of the used memory/disk space.
The State of AV Software
I was curious to know if anti-virus software can detect zip bombs. So I tested some and contacted some of the developers.
Virustotal
Virustotal offers a form where users can upload files and check the results of various programs. Here are the results for my test files:
- 42.zip: Only Fortinet detected it. 12 programs were unable to process it.
- dorste.zip: Avast, AVG, Cyren, Eset, Sophos, and Trend Micro detected it. 10 programs were unable to process the file.
- self-built.zip: Antiy-AVL, Baidu, MAX detected it. 7 timed out. 11 were unable to process it.
ClamAV
The first release of ClamAV was in 2001, it was developed by Cisco and is open-source now. I’ve installed ClamAV 0.102.4/25962 . I try it with the clamd binding:
import clamd
cd = clamd.ClamdUnixSocket()
cd.scan('/home/moose/bomb.zip')It gave the same output fordroste.zip , 42.zip , and my self-built.zip . None of them were detected.
Commercial AV Software
I’ve contacted Avast, AVG, ESET, Sophos, and Trend Micro via private Twitter messages. I’ve explained that I’m writing a blog post and that their product — according to VirusTotal — does not recognize the ZIP bombs.
TrendMicro sent me to their support site. I think I wrote them a support ticket, but due to the fact that this is just a web form and I don’t have any copy of that, I’m not sure. Those contact forms are super annoying and I gave up trying to ask the question.
Sophos redirected me to their support site. I have opened a case and I’m waiting for a response.
Avast gave me a brief answer, but it was super unclear to me what they are actually doing. I’m still trying to clarify.
AVG responded, but essentially told me that they try to find the answer to my question internally.
In contrast, the experience with ESET was extremely positive. I’ve got in contact with Thomas Uhlemann who could directly tell me what ESET is doing: They check archives until a depth of 10, meaning they can limit the effect of recursive packing. Additionally, they put limitations on the file size, memory usage, and the maximum amount of time for a scan. Apparently, the users can also adjust those limits. This information is also publicly documented.
What’s next?
In this series about application security (AppSec) we already explained some of the techniques of the attackers 😈 and also techniques of the defenders 😇:
- Part 1: SQL Injections 😈
- Part 2: Don’t leak Secrets 😇
- Part 3: Cross-Site Scripting (XSS) 😈
- Part 4: Password Hashing 😇
- Part 5: ZIP Bombs 😈
And this is about to come:
- CSRF 😈
- DOS 😈
- Credential Stuffing 😈
- Cryptojacking 😈
- Single-Sign-On 😇
- Two-Factor Authentication 😇
- Backups 😇
- Disk Encryption 😇
Let me know if you are interested in more articles! ([email protected])
