How safe is it to decompress untrusted files with unrar-free? With unzip? I'm using debian jessie. What steps can be taken to minimize the threat while extracting the file's contents?
3 Answers
How safe is it to decompress untrusted files
Just looking at the CVE's for unzip you will find several possible code executions, modifying the permissions of existing files, overwriting arbitrary files outside the current directory....
The CVE list for unrar is shorter but includes also code execution.
What steps can be taken to minimize the threat while extracting the file's contents?
Any kind of privilege separation and sandboxing, i.e. virtual machines, chroot environment or containers, ... And of course have the latest patches.
There is actually nothing special about unzip and unrar - you should take the same care with any kind of potentially malicious files (which includes at least everything with suspicious origin).
- 184,332
- 29
- 363
- 424
-
+1, good point about the vulnerabilities of the zip utility itself – WoJ Nov 10 '15 at 17:31
Malicious payload contained in a file must be run so that it can be used. Merely deposing a file on a filesystem does not present a risk, provided that:
- there is no action triggered automatically once a file of a given type is discovered. This is usually done by graphical UIs which want to be smart and, for instance, generate thumbnails
- the
zip
file itself is not crafted in a way which will, for instance, create recursive directories until you run out of inodes (or other resources)
If you have doubts use a throwaway virtual machine without a GUI which you will snapshot after installation and run from that snapshot for sensitive operations.
- 8,957
- 2
- 32
- 51
-
Do zip or unrar formats allow any sort of code execution during extraction? Or are there likely to be execution vulnerabilities in these tools? – Aryeh Leib Taurog Nov 10 '15 at 11:52
-
-
Sorry, what am I supposed to see in the man page? That it doesn't mention code execution? – Aryeh Leib Taurog Nov 10 '15 at 12:09
-
Yes, that there is no mention of parameters for code execution (and there is no such functionality which would run by default) – WoJ Nov 10 '15 at 13:06
-
2However, if the unzip utility is itself flawed, then a sufficiently malicious malformed zip file could trigger that flaw and allow arbitrary code execution during the unzipping process. – Simon B Nov 10 '15 at 17:17
I suggest looking at the files size and content. Sometime in June 2015 my place of employment where I work as IT got hit by cryptoware. I was tasked with finding out where it came from and what it effected.
After a few hours I tracked it down to a single zip attachment on an email. It was just under 300 bytes. Double clicking the email cause it to inject code into the built in windows zip program which then downloaded the cryptoware and installed it from the users temp directory. This was a windows XP machine. I removed execution privileges from the temp folders and that fixed the issue. A few days ago we got another present in the mail but this time it errored out since it couldn't execute.
I would have to say that most if not all cryptoware and other little nasties are targeting windows exclusively. If you're using Linux you're probably fine. Just isolate the file first. I agree with Steffen Ullrich on that point.
On a side note, we didn't give in to terrorism. We brought the effected files back from backup. Always keep a good set of backups.
- 299
- 1
- 3