8

Let's say I have a "corrupted" zip file from a potentially suspicious source, and that at least one person has attempted to extract it. Conventional wisdom used to be that bad stuff™ didn't happen from unzipping a file, but could from interpreting the zipped files it contained. Clearly that isn't true for some versions of 7-Zip, one of which was used[1] for the failed extraction.

How can I tell if this particular zip file is booby trapped?

I think it ought to be possible to edit the source of an old version of 7-Zip and write some error handling around the exploitable portions to alert you of a heap overflow and (if desired) dump the subsequent data into a raw file.

[1] As I understand it, p7zip is the backend for Keka, which hasn't been updated in years.

Michael
  • Couldn't you try unzipping it in a Sandbox like a VirtualBox VM running Linux? – Paradox Jun 29 '16 at 19:11
  • Scan it with an updated antivirus program? I don't know if they catch something like that, but it sounds likely. – Anders Jun 29 '16 at 19:12
  • @Anders Perhaps in the sandbox, download an infected file online then test out the virus scanner (clamav?) If it catches it, then there you go. Of course the best protection is to keep up to date for this one (Version.16.0) – Paradox Jun 29 '16 at 19:14
  • Your proposed solution is correct. Edit the 7-Zip source or create a program replicating the steps taken when 7-Zip extracts the file and add proper error checking so it will tell you if the file is malicious and tries to exploit something. – André Borie Jul 08 '16 at 19:39
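An added example, not code from the question, the answers or the 7-Zip project: the "write error checking around the parser" idea above, reduced to a self-contained structural sanity check in Python. It never inflates anything; it only walks the container structures (end-of-central-directory record, central directory, local headers) and reports fields that point outside the file or contradict one another, which are the values an extractor trusts when it sizes buffers. The checks are generic, are not tied to any particular CVE, and assume a plain (non-ZIP64, single-disk) archive; the sample archive is constructed inline with the standard `zipfile` module and then patched.

```python
"""Structural sanity checker for ZIP containers (added example, not from the post).

Walks the end-of-central-directory record, the central directory and each
local file header, and reports offsets and sizes that point outside the
file or contradict each other.  Nothing is decompressed.  ZIP64 extra
fields and multi-disk archives are not handled (assumption of this example).
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
# stored, deflate, bzip2, lzma, ppmd, aes (method ids from the APPNOTE spec)
KNOWN_METHODS = {0, 8, 12, 14, 98, 99}


def check_zip(data: bytes) -> list:
    """Return human-readable findings; an empty list means no structural problem was seen."""
    findings = []
    n = len(data)
    # The EOCD sits at the very end, pushed back by at most a 65535-byte comment.
    eocd = data.rfind(EOCD_SIG, max(0, n - 22 - 65535))
    if eocd < 0 or eocd + 22 > n:
        return ["no end-of-central-directory record found"]
    _, _, _, _, total, cd_size, cd_off, comment_len = struct.unpack_from("<4sHHHHIIH", data, eocd)
    if eocd + 22 + comment_len > n:
        findings.append("EOCD comment length %d runs past end of file" % comment_len)
    cd_end = cd_off + cd_size
    if cd_end > eocd:
        findings.append("central directory [%d, %d) extends past the EOCD at %d" % (cd_off, cd_end, eocd))
        return findings

    pos, seen = cd_off, 0
    while pos < cd_end:
        if pos + 46 > cd_end or data[pos:pos + 4] != CDH_SIG:
            findings.append("bad or truncated central directory header at %d" % pos)
            break
        c = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        method, csize, usize = c[4], c[8], c[9]
        name_len, extra_len, cmt_len, lfh_off = c[10], c[11], c[12], c[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + cmt_len
        if pos > cd_end:
            findings.append("%r: variable-length fields overrun the central directory" % name)
            break
        seen += 1
        if method not in KNOWN_METHODS:
            findings.append("%r: unexpected compression method %d" % (name, method))
        if name.startswith("/") or ".." in name.split("/"):
            findings.append("%r: path would escape the extraction directory" % name)
        if csize and usize // csize > 1000:
            findings.append("%r: implausible expansion ratio %d:1" % (name, usize // csize))
        # Follow the pointer to the local header and cross-check it against the central entry.
        if lfh_off + 30 > n or data[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append("%r: local header offset %d is invalid" % (name, lfh_off))
            continue
        l = struct.unpack_from("<4sHHHHHIIIHH", data, lfh_off)
        l_flags, l_csize, l_name_len, l_extra_len = l[2], l[7], l[9], l[10]
        data_start = lfh_off + 30 + l_name_len + l_extra_len
        if not (l_flags & 0x0008) and l_csize != csize:  # bit 3 set: sizes live in a data descriptor
            findings.append("%r: compressed size %d in central directory disagrees with local header %d"
                            % (name, csize, l_csize))
        if data_start + csize > n:
            findings.append("%r: compressed data of %d bytes runs past end of file" % (name, csize))
    if seen != total:
        findings.append("EOCD claims %d entries, central directory holds %d" % (total, seen))
    return findings


def build_sample(corrupt: bool = False) -> bytes:
    """Constructed sample: a one-file archive, optionally with a patched central-directory size field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello from a constructed sample archive\n")
    data = bytearray(buf.getvalue())
    if corrupt:
        # Claim 4 GiB of compressed data that does not exist; the local header keeps the true size.
        eocd = data.rfind(EOCD_SIG)
        cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
        struct.pack_into("<I", data, cd_off + 20, 0xFFFFFFFF)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("patched", build_sample(corrupt=True))):
        print(label, check_zip(blob) or ["ok"])
```

Run it on the suspect file with `check_zip(open(path, "rb").read())` before handing the file to any real extractor; a clean result only means the container is self-consistent, not that the compressed streams are benign, so it narrows triage rather than replacing a patched archiver.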

2 Answers

1

You cannot tell as a user because it's an exploit, not a virus.

CVE-2016-2335 is related to UDF file format interpretation, while CVE-2016-2334 is a heap overflow related to the handling of Zlib files. Such things would not at all be easy to exploit. Note that most archivers at a point have such exploits (e.g. CVE-2016-2347 for LHA), but most of the time they are not that dangerous. Exceptions exist, of course; here's a really dangerous one from WinRAR.

The problem was immediately fixed though, so currently there is no such problem in the latest version.

Overmind
  • I really don't see why the WinRAR exploit would be dangerous since it relies on executing a self-extracting file. If you get your user to execute code, why not let him execute the malicious code directly? No exploits needed. – André Borie Jul 08 '16 at 19:37
0

I would upload an affected file to VirusTotal, or any other service, that checks files against a number of AV Engines.

If ClamAV is among the successful detectors, download the portable version of that, and script something with the command-line version of it. Much fatter than a little binary, but much faster to "procure".

Alex Stragies
  • Why do you think that AV programs would detect a slightly corrupted zip file that leveraged a vulnerability in an old, unpatched zip application? – Neil Smithline Jul 11 '16 at 02:38