
Let’s say there is a .zip file that contains either a virus, malware or something harmful for the computer.

The computer is running a Unix-like OS, e.g. Ubuntu 18.04.

Are there any security implications by only unpacking the contents of the .zip file?

schroeder
Kevin C

1 Answer

Yes, there can be.

The main risk with unpacking zips is that it overwrites an executable or config file. For example, if the zip contains a .bashrc and you extract it in your home directory then it could overwrite yours and the next time you log in, the attacker's code will run.

For a worst-case scenario, consider a webserver that opens zip archives, maybe from user uploads, because unzip will run with the same privileges as the webserver process, likely being able to overwrite executables or config files belonging to the webserver. Hopefully the admin isn't sloppily running the webserver process as root.

There was a recent public vulnerability called Zip Slip which made this even worse: some unzipping tools were allowing filenames to contain .. within a zip archive, which makes this attack even more dangerous because a zip containing the following file will overwrite /bin/ls no matter where in your filesystem you're trying to extract it to:

../../../../../../../../../../../../../../../../../bin/ls

(or any other executable that the extracting process has permission to overwrite)
Proper zip extracting hygiene:

  1. If possible, check the authenticity of the zip archive before you extract it (you got it from somewhere trustworthy, checksum, signature, etc).
  2. If possible, avoid running unzip as root, that way system files can't be overwritten.
  3. If possible, unzip into a new clean directory so that, barring chroot exploits like Zip Slip above, there is nothing in that folder to overwrite.
Mike Ounsworth

  • This only applies when the extraction is done as the root user. A regular user does not have write permissions on the mentioned binaries. – Jeroen Nov 17 '18 at 17:41
  • @Jeroen-ITNerdbox ... how about overwriting your `.bashrc`? Also dangerous? – Mike Ounsworth Nov 17 '18 at 17:47
  • While this is true, it does not affect binaries as stated in your example. – Jeroen Nov 17 '18 at 19:03
  • I added a mention of `.bashrc`. Is that what you wanted? – Mike Ounsworth Nov 17 '18 at 19:15
  • It's not so much that I wanted you to add something about .bashrc, although that is a more realistic example. I was trying to make clear that as a regular user it is not common to sudo to root and extract a malicious zip archive that overwrites existing binary files. – Jeroen Nov 17 '18 at 20:31
  • @Jeroen-ITNerdbox Fair, you probably don't do that manually very often, but have you ever done `sudo install.sh` where that thing then extracts an archive? Do you have a `/home/user/bin` on your path? The danger here is only limited by your creativity. – Mike Ounsworth Nov 17 '18 at 20:48
  • sudo should only be used where applicable. Personally, I will read the bash script (install.sh as you mentioned) before executing it. – Jeroen Nov 17 '18 at 20:54
  • @Jeroen-ITNerdbox I think you're missing the point. When I'm back at a computer, I'll restructure my answer to not mention sudo / root at all, since you seem to be stuck on that. – Mike Ounsworth Nov 17 '18 at 21:04
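As an added example (not part of the question, the answer or the comments above), the Python script below turns the answer's extraction hygiene into per-member checks: it rejects archive names that are absolute or contain a `..` component (the Zip Slip case), confirms the resolved target path is still under the destination directory even if a symlink sits in the way, and refuses to overwrite a file that already exists (the `.bashrc` case) unless explicitly allowed. The zip archive is constructed in memory for the demonstration, and the member names, `safe_extract` and `run_demo` are illustrative names chosen here, not anything from the thread.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def constructed_archive() -> bytes:
    """Build a small zip in memory. Constructed sample for this example only:
    one harmless file, a dotfile of the .bashrc kind, and two entries of the
    shape the answer warns about (a '..' traversal name and an absolute name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr(".bashrc", "echo this would run at next login\n")
        zf.writestr("../../../../../../bin/ls", "placeholder text, not a binary\n")
        zf.writestr("/etc/profile", "absolute-path entry\n")
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest: str, allow_overwrite: bool = False):
    """Extract only members whose final path stays inside `dest`.

    Returns (extracted, rejected): extracted is the list of member names
    written, rejected is a list of (member name, reason) pairs that were skipped.
    """
    dest_root = Path(dest).resolve()
    dest_root.mkdir(parents=True, exist_ok=True)
    extracted, rejected = [], []

    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = PurePosixPath(name).parts

            # Check 1: refuse absolute names and any '..' component outright,
            # before touching the filesystem at all.
            if name.startswith("/") or ".." in parts:
                rejected.append((name, "path escapes the destination"))
                continue

            # Check 2: resolve the final path (this follows any symlink that
            # already exists under dest) and confirm it is still below dest_root.
            target = (dest_root / name).resolve()
            if os.path.commonpath([str(dest_root), str(target)]) != str(dest_root):
                rejected.append((name, "resolved path escapes the destination"))
                continue

            # Check 3: never silently replace an existing file (the .bashrc case).
            if target.exists() and not info.is_dir() and not allow_overwrite:
                rejected.append((name, "would overwrite an existing file"))
                continue

            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            extracted.append(name)

    return extracted, rejected


def run_demo():
    """Extract the constructed archive twice into a fresh temporary directory:
    first into a clean directory (the answer's point 3), then a second time on
    top of the first result to show the overwrite refusal.

    Returns (first_result, second_result, names_left_beside_the_output_dir)."""
    with tempfile.TemporaryDirectory() as workdir:
        out = os.path.join(workdir, "out")
        first = safe_extract(constructed_archive(), out)
        second = safe_extract(constructed_archive(), out)
        # Anything other than "out" here would mean a member escaped.
        beside = sorted(os.listdir(workdir))
    return first, second, beside


if __name__ == "__main__":
    (ok1, bad1), (ok2, bad2), beside = run_demo()
    print("first pass  extracted:", ok1)
    print("first pass  rejected: ", bad1)
    print("second pass extracted:", ok2)
    print("second pass rejected: ", bad2)
    print("entries beside output dir:", beside)
```

Python's own `ZipFile.extractall` already strips leading slashes and `..` components, so the value of the explicit checks here is that they are visible and report why a member was skipped, and that check 3 adds the "nothing to overwrite" guarantee that a clean destination directory otherwise provides only by convention.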