Hacker News

netsharc, last Saturday at 11:50 PM (5 replies)

The described exploit seems theoretical. In order to create the schizophrenic ZIP, the attacker would have to figure out what ZIP stacks are being used and ensure they act differently - if the 2 departments use the same stack, then the exploit can't work, can it?


Replies

JdeBP, yesterday at 7:57 AM

None of this stuff is theoretical. It's just old.

There was a time when passing ZIP files around was a very popular method of software distribution, and things like this were gotchas that had to be watched for. It was widely known, at least amongst sysops, that the varied toolsets that handled ZIP archives were functionally different. And there were scanners and sanity checkers, and bugfixes to PKUNZIP, that dealt in this stuff for uploaded files and FREQ responses.

Did people exploit the differences? Yes. Although it was mainly on the level of creating prank ZIP files on non-Microsoft operating systems with 8.3 filenames such as "PRN" or "CLOCK$".

* https://groups.google.com/g/alt.comp.virus/c/zLV-Y2a71gs/m/U...

However, the truly terrible idea of self-extracting archives was popular, which meant that archives with "interesting" arrangements of the archive within the overall file were widespread. ZIP comments were also liberally applied and altered by pretty much every BBS that passed an archive along. And the Unix people wanted to be able to use pipes, something that the MS-DOS original never had to cater for.

Also, there were people who exploited the fact that different tools took different things as gospel. Even within the past decade one can find people still being caught out by the fact that there's a header field that instructs what the pathname separator character(s) used are; and that ZIP tools that expect non-seekable streams operate differently to ZIP tools that expect seekable regular files.

rendx, yesterday at 3:19 PM

It's not unlikely that devs and such will be on Mac/Linux and accounting will be on Windows. I agree it's still somewhat theoretical but interesting nonetheless.

charleslmunger, yesterday at 7:20 PM

Check out CVE-2017-13156 which is a real exploit that leveraged differences in zip parsing to bypass a signature scheme.

wat10000, yesterday at 2:02 AM

A more realistic attack would be something like slipping a malicious payload past a scanner by emailing a zip file that appears innocent when unpacked with the scanner’s zip implementation but produces malware when unpacked with the email client’s implementation. There’s a decent chance they’ll be different, and it wouldn’t be too hard to guess which ones a target might be using.

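A small sanity checker in the spirit of the ones JdeBP mentions, aimed at the seekable-versus-streaming split in his comment and the scanner-versus-mail-client split in wat10000's (an added example, not code from the thread or from any particular ZIP tool): it reads the archive the way a central-directory-driven unzipper does and again the way a pipe-fed one does, then reports where the two views diverge. Both sample archives are constructed inside the block; the tampered one renames a member in the central directory only.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def central_entries(data):
    """Members as a seekable, central-directory-driven unzipper sees them (the last EOCD wins)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    entries = []
    for _ in range(count):
        # central header: crc, csize, usize, name/extra/comment lengths, disk, attrs, local offset
        crc, csize, _, nlen, elen, clen, _, _, _, loff = struct.unpack("<IIIHHHHHII", data[pos + 16:pos + 46])
        entries.append((loff, data[pos + 46:pos + 46 + nlen], crc, csize))
        pos += 46 + nlen + elen + clen
    return entries


def local_entries(data):
    """Members as a streaming (pipe-fed) unzipper sees them: walk local headers forward from offset 0."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        flags, _, _, _, crc, csize, _, nlen, elen = struct.unpack("<HHHHIIIHH", data[pos + 6:pos + 30])
        entries.append((pos, data[pos + 30:pos + 30 + nlen], crc, csize))
        if flags & 0x8:  # sizes live only in a trailing data descriptor; stop rather than guess
            break
        pos += 30 + nlen + elen + csize
    return entries


def ambiguities(data):
    """Reasons two ZIP stacks could disagree about what this archive contains."""
    findings = []
    if data.count(EOCD_SIG) > 1:
        findings.append("multiple EOCD signatures: more than one candidate central directory")
    if data[:4] != LOCAL_SIG:
        findings.append("bytes before the first local header: SFX stub or a second archive")
    if sorted(central_entries(data)) != sorted(local_entries(data)):
        findings.append("central directory and local headers disagree on names, sizes or CRCs")
    return findings


def build_samples():
    """Constructed input: a clean two-member archive, and a copy whose central directory renames member 2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("script.js", "alert(1)")
    clean = buf.getvalue()
    cd_off = struct.unpack("<I", clean[clean.rfind(EOCD_SIG) + 16:][:4])[0]
    # same-length replacement keeps every offset valid, so each parser still reads cleanly
    return clean, clean[:cd_off] + clean[cd_off:].replace(b"script.js", b"notes.txt")
```

On the tampered sample a central-directory reader lists `notes.txt` while a streaming reader extracts `script.js`; the checker flags that disagreement without trusting either view.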
B1FF_PSUVM, yesterday at 12:57 AM

Like spam, the exploit would still be profitable if only a small fraction worked.