Zip Bomb

A zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional viruses.

Rather than hijacking the normal operation of the program, a zip bomb allows the program to work as intended, but the archive is crafted so that unpacking it (e.g., by a virus scanner in order to scan for viruses) requires inordinate amounts of time, disk space or memory.
Most modern antivirus programs can detect whether a file is a zip bomb, to avoid unpacking it.

HOW A ZIP BOMB WORKS

The “classic” Zip format has a 4-byte field for the uncompressed file size. That sets the maximum file size to 4 gigabytes (2 gigabytes if it’s interpreted as a signed number). The field could lie about the amount of uncompressed data; whether the file would keep expanding beyond 4 gigabytes depends on the software. The newer Zip64 format allows a file size of 2^64 bytes, which is infinite for all practical purposes.
Zip files can use a variety of compression algorithms. The most popular one is called “Deflate,” and it has a maximum compression ratio of 1032:1. This is the result of having a maximum run length of 258 bytes. Fifield gets around this with techniques which are very sneaky but follow the Deflate specification.
The bomb contains a very large number of compressed files, and it overlaps files in the Zip container. A Zip file indexes its compressed files in a central directory, which contains an offset to the local file header and compressed data. Nothing stops multiple entries in the central directory from pointing at the same data. But Fifield goes one better, having data serve as both a local file header for one file and file data for another. I still haven’t grokked all the tricks; read his article for yourself.

PROTECTION AGAINST (AND WITH) ZIP BOMBS

Some compression/decompression libraries include checks against Zip bombs. They can prevent runaway expansion from filling up a drive, but they may be prone to false positives.
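The checks those libraries perform can be written in a few dozen lines. The following is an added example, not code from the original post or from Fifield's article, that applies three of them to a Zip archive: it compares the declared uncompressed and compressed sizes from the central directory against a ratio policy, reads each local file header to detect entries whose header-plus-data ranges overlap (the central-directory trick described above), and then streams every entry through the decompressor counting real output bytes, so a lying size field cannot get past the expansion budget. The 100:1 ratio, the 64 MiB budget and the sample archive of zeros are assumptions constructed for the demonstration; the Deflate limit of 1032:1 quoted above is the reason a policy ratio well below that is a reasonable threshold.

```python
"""Defensive Zip inspection: declared-ratio check, overlapping-entry check,
and bounded streaming extraction that never trusts the header's size field.
Added example; thresholds and the sample archive are assumptions."""
import io
import struct
import zipfile

# PKZIP local file header: signature, version, flags, method, time, date,
# CRC, compressed size, uncompressed size, name length, extra length (30 bytes)
LOCAL_HEADER = struct.Struct("<4sHHHHHLLLHH")
LOCAL_SIG = b"PK\x03\x04"

MAX_RATIO = 100                      # policy assumption: flag anything claiming > 100:1
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # policy assumption: never expand more than 64 MiB


def declared_ratios(zf):
    """Map entry name -> uncompressed/compressed ratio as declared in the
    central directory. These numbers come from the archive and may lie, so
    they are only a first-pass filter."""
    out = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        out[info.filename] = info.file_size / max(info.compress_size, 1)
    return out


def overlapping_entries(zf):
    """Return (name1, name2) pairs whose local-header-plus-data byte ranges
    overlap. Two central-directory entries sharing bytes is the overlap trick."""
    spans = []
    fp = zf.fp
    for info in zf.infolist():
        fp.seek(info.header_offset)
        hdr = fp.read(LOCAL_HEADER.size)
        if len(hdr) < LOCAL_HEADER.size or hdr[:4] != LOCAL_SIG:
            # The central directory points at something that is not a local
            # header at all; record a one-byte span so it still shows up.
            spans.append((info.header_offset, info.header_offset + 1, info.filename))
            continue
        name_len, extra_len = LOCAL_HEADER.unpack(hdr)[9:11]
        start = info.header_offset
        end = start + LOCAL_HEADER.size + name_len + extra_len + info.compress_size
        spans.append((start, end, info.filename))
    spans.sort()
    return [(n1, n2) for (s1, e1, n1), (s2, e2, n2) in zip(spans, spans[1:]) if s2 < e1]


def safe_extract_sizes(zf, max_total=MAX_TOTAL_BYTES):
    """Stream-decompress every entry, counting the bytes actually produced.
    Raises ValueError as soon as the running total passes max_total, no matter
    what the headers claimed."""
    total = 0
    sizes = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        produced = 0
        with zf.open(info) as stream:
            while True:
                chunk = stream.read(64 * 1024)
                if not chunk:
                    break
                produced += len(chunk)
                total += len(chunk)
                if total > max_total:
                    raise ValueError(f"expansion budget exceeded in {info.filename}")
        sizes[info.filename] = produced
    return sizes


def inspect_archive(data, max_ratio=MAX_RATIO, max_total=MAX_TOTAL_BYTES):
    """Run all three checks over archive bytes and return the findings."""
    findings = {"suspicious_ratio": [], "overlaps": [],
                "budget_exceeded": False, "actual_sizes": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings["suspicious_ratio"] = [name for name, ratio in declared_ratios(zf).items()
                                        if ratio > max_ratio]
        findings["overlaps"] = overlapping_entries(zf)
        try:
            findings["actual_sizes"] = safe_extract_sizes(zf, max_total)
        except ValueError:
            findings["budget_exceeded"] = True
    return findings


def build_sample_archive():
    """Constructed fixture (not a bomb): one highly compressible entry of
    zeros next to one ordinary entry, so the ratio check has something to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr("zeros.bin", b"\x00" * (1024 * 1024))
        zf.writestr("readme.txt", b"constructed sample entry with little redundancy 0123456789")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
```

The streaming check is the one that matters against a lying header: the ratio and overlap checks only read metadata, while `safe_extract_sizes` abandons the archive the moment real output exceeds the budget, which is also why the budget is enforced across all entries rather than per file.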
Some people have suggested that a Zip bomb could defend a website. The idea is simply to send one if the user agent appears to be malicious. It might slow down an attacker, but it’s not hard to evade. If the hosting site does legitimate vulnerability scans, it might play havoc with them.
Using a good premium antivirus product can also protect against Zip bombs.
Zip bombs aren’t going to be at the top of anyone’s list of worries, but they’re an interesting curiosity. Without breaking any rules, the simple expansion of a moderate-sized compressed file can fill up the largest disk drive. It’s a reminder that every complex file format can do strange things if you push its rules hard enough.
