Decompression could give modern web apps a touch of the bends

Researchers have shown how it might be possible to reinvent an attack technique of the past – the ‘ZIP bomb’ – in order to confound and crash modern websites.

A ZIP bomb is a malicious archive designed to crash any program or system reading it.

The technique has been around for years, and was historically designed to tie up antivirus software as part of attacks designed to smuggle malware past security defenses.

Over time, security scanner developers got wise to the ruse and adapted their technology to thwart the approach.

Modern antivirus scanners have limits on how many layers of recursion are unpacked to guard against attacks that would tie up programs or exhaust the memory on host machines.

In many antivirus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out-of-memory condition, or exceed an acceptable amount of program execution time.

Until recently, this might have been the end of the story for ZIP bombs, but researcher David Fifield has opened a new chapter on the technique by showing how more sophisticated ZIP bombs might be assembled.

Fifield’s research shows how it might be possible to create a “non-recursive ZIP bomb that achieves a high compression ratio by overlapping files inside the ZIP container”.

“Non-recursive” means that a malicious archive constructed using the technique doesn’t rely on nested ZIP files, instead expanding fully after only a single round of decompression.

In addition, the output size increases quadratically in the input size, reaching a compression ratio of over 28 million. This equated to a 10 MB file expanding to 281 TB, at the limits of the ZIP format.

“The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most ZIP parsers,” Fifield explains in a paper on the technique, entitled ‘A Better ZIP Bomb’ (PDF).

The research was presented at the recent WOOT ’19 USENIX workshop.

Websites often let users upload collections of files as ZIPs. In addition, many common file formats are actually ZIP, such as .docx and .jar.

That means that an attack technique historically used against antivirus software might have implications for website developers because it might be harnessed in attacks on modern web apps.

And just because something can handle a classic ZIP bomb, this doesn’t mean it can thwart this new approach – as evidenced by the recent discovery that the open source ClamAV antivirus software was vulnerable to Fifield’s technique.

RELATED Ancient technique tears a hole through modern web stacks at Black Hat 2019