49

I ran a malware scanner on my site, and it marked a bunch of zipped EXE files as potential risk files (these files got uploaded by users). Since I'm able to uncompress the files on my Mac I assume these are real ZIP files and not just something like renamed PHP files.

So the ZIP file shouldn't be any risk for my web server, right?

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
Xavin
  • 592
  • 4
  • 8
  • 1
    Sounds like a garbage malware scanner. – Nick T Dec 22 '16 at 21:34
  • 11
    You know you can test if they're in ZIP format with `file foo.zip`, or even test if they're valid with `7z t foo.zip` to test it (i.e. decompress and verify the CRC checksums, without extracting to local files on disk). (`7z` uses syntax somewhat similar to `tar`.) Or `unzip -l foo.zip` to list the contents. Anyway, I just thought it was weird that you talk about checking the files on another computer when you could have easily checked them on the server. – Peter Cordes Dec 23 '16 at 02:18
  • 6
    What kind of a website are you hosting? It doesn't sound like a good idea putting user-submitted content and your forward-facing web server on the same box. – oldmud0 Dec 23 '16 at 02:51
  • @NickT Self-extracting ZIP files could have additional malicious code attached to the executable portion. – chrylis -cautiouslyoptimistic- Dec 24 '16 at 06:23

8 Answers

83

If they are indeed zipped Windows exe files, they should be harmless to your Linux system, unless you have something like Wine in place that could try to execute them.

But if they are in your web path, they could be malware and pose a big risk for your web sites' visitors (and you in turn, if you end up being marked as malware source and users get ugly warnings when they try to visit your site).

Sven
  • 97,248
  • 13
  • 177
  • 225
  • 3
    I wonder if hosting such "user" uploaded garbage can cause Google to brand your site as "This site may be hacked", or trigger Chrome display a giant red warning page. "Harmless" might be a bit of a misnomer then. – Nick T Dec 22 '16 at 21:36
  • 11
    @NickT: It most certainly can, and that's what I was referring to in my second paragraph. – Sven Dec 22 '16 at 21:39
  • 4
    In theory someone also could create malformed `.zip` files that try to target flaws in specific unzip implementations. – jamesdlin Dec 23 '16 at 02:48
  • 3
    Mono is more likely to be installed on a server than Wine, and can execute CLR .exe files. – Rhymoid Dec 25 '16 at 16:37
62

Since I'm able to uncompress the files on my mac I assume these are real zip files and not just something like renamed php files.

While you're probably right in this case, your assumption might not always hold. A ZIP archive remains valid even if you prepend arbitrary data to it, so it's quite possible to create a file that is simultaneously a valid ZIP archive containing innocent data and also a malicious PHP script. It's not even particularly hard; just concatenate the PHP code and the ZIP file, and make sure (e.g. using __halt_compiler()) that PHP won't try to parse the appended ZIP archive data.

This trick is legitimately used to create self-extracting ZIP files, but it's perfectly possible to prepend any other hidden data or executable code into a ZIP file in the same way. Some programs may refuse to open such modified ZIP files (but if so, they're technically violating the ZIP format spec), or they may identify the file as something other than a ZIP file by default, but generally, if you feed such a file into code that expects a ZIP file, it will probably be accepted as one.

A more common malicious use of such tricks is to disguise exploit code in a ZIP-based container (e.g. a JAR file) as something harmless (like a GIF image, as in the GIFAR exploit), but there's no reason it couldn't be used in the other direction too, e.g. to bypass a naïve file upload filter that forbids uploading PHP scripts but allows ZIP files, without checking if the uploaded file might be both at the same time.

Ilmari Karonen
  • 895
  • 5
  • 11
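The prepend-anything property described in this answer is easy to check for on the server side, because every ZIP reader locates the archive from its end (the end-of-central-directory record) and all offsets stored inside the archive are relative to the archive's own start. The following is an added example, not code from the answer or from any project: it computes how many bytes precede the real archive and shows that Python's standard `zipfile` module opens such a file without complaint. The sample archive and the prefix bytes are constructed here for the demonstration.

```python
import io
import struct
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"        # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"        # central-directory file-header signature
MAX_EOCD_SEARCH = 22 + 65535    # fixed EOCD size plus the largest possible archive comment


def zip_prefix_length(data: bytes) -> Optional[int]:
    """Return the number of bytes that precede the ZIP archive proper, or None if
    no consistent ZIP structure is found.

    Readers find the EOCD record from the end of the file. The EOCD stores the
    central directory's size and its offset *relative to the archive start*.
    If data was prepended, the central directory is actually found later than
    the stored offset says; the difference is exactly the prepended length.
    """
    idx = data.rfind(EOCD_SIG, max(0, len(data) - MAX_EOCD_SEARCH))
    if idx < 0 or idx + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, idx + 12)
    actual_cd_start = idx - cd_size
    if actual_cd_start < 0 or actual_cd_start < cd_offset:
        return None
    # Sanity check: a non-empty central directory must start with its signature.
    if cd_size and data[actual_cd_start:actual_cd_start + 4] != CDIR_SIG:
        return None
    return actual_cd_start - cd_offset


def classify_upload(data: bytes) -> str:
    """Policy decision for an upload that is supposed to be a plain ZIP file."""
    prefix = zip_prefix_length(data)
    if prefix is None:
        return "not-zip"
    if prefix > 0:
        return "zip-with-leading-data"   # polyglot candidate: quarantine or reject
    return "zip"


def stdlib_accepts(data: bytes) -> bool:
    """What a typical ZIP-consuming code path sees: the prefixed file is still 'a ZIP'."""
    return zipfile.is_zipfile(io.BytesIO(data))


def build_sample_zip() -> bytes:
    # Constructed sample archive with one harmless member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "innocent content\n")
    return buf.getvalue()


# Stands in for any non-ZIP data prepended to an archive (constructed for this example).
CONSTRUCTED_PREFIX = b"#" * 64 + b"\n"

if __name__ == "__main__":
    clean = build_sample_zip()
    prefixed = CONSTRUCTED_PREFIX + clean
    for label, blob in (("clean", clean), ("prefixed", prefixed)):
        print(f"{label}: {classify_upload(blob)}, zipfile.is_zipfile -> {stdlib_accepts(blob)}")
```

Rejecting anything with a non-zero prefix is stricter than the ZIP specification requires (self-extracting archives are legitimately built this way), but for an upload endpoint that is supposed to receive plain archives it is the cheap and decisive check: a file that is a valid ZIP and also something else at the same time is exactly what the naive "allows ZIP, forbids PHP" filter misses.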
11

There are at least two notable considerations you should take into account:

  1. If these files are distributed on your website, you might be held responsible if someone gets malware from your site. At the very least your site could be flagged for malware. If you decide to ignore malware scanner warnings, you should at least notify the uploader and possible downloaders that the file might be harmful (as EXEs downloaded from the Internet sometimes are).
  2. Do you do any processing on these files other than the malware scan? Automatic processing of attachments or other such uploads is always potentially dangerous, because the file contents could be anything. You don't even need to execute the EXE file if your utility software is vulnerable to some exploit and the seemingly nice zip/exe contains harmful content targeting your utility. I wouldn't let my server process anything that fails malware scanning.

So, depending on what your server does, the file could potentially be harmful for your server or other users. Since I'm quite wary of EXEs downloaded from the Internet, I'd say that possible downloaders are the users most at risk here.

2

You can check if the files happen to be runnable on your Linux server by simply checking them with the `file FILENAME.exe` command. ELF binaries (the executable format used on Linux) can be named with a .exe extension to confuse an unsuspecting Linux admin, so it's probably a good idea to make that check before blindly trusting that these files are not runnable.

grovkin
  • 121
  • 2
2

I'm surprised that no one mentioned that any data can happen to be (or be made to be) harmful to any (buggy) program. That's the basis of fuzzing. For example, you could have a JPEG (or JPEG-like) file that causes a buffer overflow on (specific?) JPEG decoders, causing anything from a denial of service to arbitrary code execution. This is about subverting an existing data-processing program; no need to bring in a new executable! And this is the reason why sandboxing, input sanitization and least-privilege principles are needed.

So, in your case, you could have a ZIP file causing problems on (specific?) ZIP-decoding engines. No need for the ZIP file to contain a native executable for it to be harmful.

Having said that, your scanner is working at another, coarser level. If the kind of risk I'm talking about existed in those files, you already got hit the moment you processed them :).

hmijail
  • 121
  • 8
1

Since I'm able to uncompress the files on my Mac I assume these are real ZIP files and not just something like renamed PHP files.

There have been attacks that embed data and still present files as valid. On an incorrectly configured server or in an incorrectly coded app, these could cause code to be executed on your server.

So, careful with that as well.

rubenvarela
  • 156
  • 2
0

An additional check you ideally should put in place is the PHP `finfo` method, to check if the files being uploaded by the users are actually what you allowed, and not something the users renamed just to fool the system.

Kanuj Bhatnagar
  • 131
  • 1
  • 7
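Both the `file FILENAME.exe` check from the earlier answer and the `finfo` check in this one look at magic bytes rather than at the file name, and the same test is worth applying to every member inside an uploaded archive, not only to the archive itself. The following is an added example, not code from either answer or any project: it reads just the first bytes of each member in memory (nothing is extracted to disk) and flags ELF, PE, interpreter-script and PHP content whatever the member is called. The ELF and PE magic values are the standard ones; the remaining table entries, the size cap and the sample archives are constructed for the example.

```python
import io
import zipfile
from typing import List, Tuple

# Magic-byte signatures for content that is code regardless of the member's name.
SIGNATURES = [
    (b"\x7fELF", "elf"),    # native Linux/Unix executable, even if named .exe
    (b"MZ", "pe"),          # Windows PE/DOS executable (also .NET assemblies, runnable under Mono)
    (b"#!", "script"),      # interpreter script
    (b"<?php", "php"),      # PHP source
]
EXECUTABLE_LABELS = {label for _, label in SIGNATURES}

MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumed cap on the declared size of any single member


def classify_bytes(head: bytes) -> str:
    """Label a member by its leading bytes, the way `file` and finfo do."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "other"


def inspect_archive(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (member name, label, declared size) for every file in the archive.

    Only the first 8 bytes of each member are decompressed. The declared size
    comes from the archive headers and can lie, which is one more reason not to
    extract anything to disk before the archive has been classified.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                report.append((info.filename, "too-large", info.file_size))
                continue
            with zf.open(info) as member:
                head = member.read(8)
            report.append((info.filename, classify_bytes(head), info.file_size))
    return report


def contains_executable(data: bytes) -> bool:
    return any(label in EXECUTABLE_LABELS for _, label, _ in inspect_archive(data))


def build_text_archive() -> bytes:
    # Constructed: only plain text inside.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "just text\n")
    return buf.getvalue()


def build_mixed_archive() -> bytes:
    # Constructed: header bytes only, none of these members is a working program.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello\n")
        zf.writestr("tool.exe", b"\x7fELF\x02\x01\x01" + b"\x00" * 9)   # ELF header, named .exe
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)                 # PE/DOS header
        zf.writestr("run.sh", "#!/bin/sh\necho hi\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label, size in inspect_archive(build_mixed_archive()):
        print(f"{name:12} {label:8} {size} bytes")
    print("contains executable content:", contains_executable(build_mixed_archive()))
```

The labels are a triage signal, not a verdict: a member tagged `elf` or `pe` inside an upload that was supposed to be documents is a reason to quarantine the archive and alert, while an upload site that legitimately accepts Windows binaries would instead feed those members to the malware scanner and keep them out of the web-served path.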
-6

Unzipped .exe files are also harmless for Linux servers.

  • 23
    Not necessarily so - `.exe` is nothing more than part of the file name and this might also be chosen as the name for an ELF binary. – Sven Dec 22 '16 at 16:25
  • Also, WINE might be installed. Granted, most Windows-targeting malware probably wouldn't work right under WINE, but the risk is present. At best, unzipped .exes on Linux are mostly harmless. – Ray Dec 23 '16 at 05:55
  • @Ray Depends on the configuration. If, for some reason, Mono or Wine are installed, then [binfmt_misc](https://en.wikipedia.org/wiki/Binfmt_misc#Common_usage) might be configured so that .exe is actually executable. – Rhymoid Dec 25 '16 at 16:37