Can a ZIP file auto-execute files from inside it?

I had a conversation today with a staff member of my e-mail hosting provider, because the provider had just blocked some mails from customers of mine because they contained ZIP files.

After I asked why the mails had been blocked, they replied that the customer had mailed me an executable ZIP file, and because there are currently a lot of mails with trojans attached, all mails with executable ZIP files are automatically blocked.

Although I know that a mailed executable ZIP is 99% surely a trojan, I was confused. An executable (self-extracting) ZIP archive would not be a *.zip file, but must be a *.exe file, right? I replied that to the staff member and told him that, AFAIK, no operating system in the world would ever treat and execute a *.zip file directly as a program.

He replied that (no offence intended) I had a great lack of information. I'm more or less translating from his German mail now: In different versions of MS Windows, a ZIP file is displayed directly as a folder. In the current version of OS X, an attached ZIP file is extracted directly. In both cases, the ZIP file is scanned for special headers with additional directives. Executable code stored there is of course executed without asking the user for permission.

That... I was baffled. How is "displaying a list of the contents of the archive" the same as extracting and executing stuff from the archive? Because he implies that's the case. And although I think auto-extracting files like Apple Mail does is an absolute no-go, this would still not execute anything. Or does it? Does that guy know more about ZIP files than me, after I have been working with them since forever?

Christian Engel

Posted 2015-02-17T15:56:41.607

Possibly related: https://superuser.com/questions/239506/can-a-zip-file-be-executable

– FriendFX – 2016-12-20T03:30:45.187

This answer on SO seems to answer your question with "no": https://stackoverflow.com/a/10970425/897968

– FriendFX – 2016-12-20T05:55:16.467

Answers

Some thoughts. I agree with you, but can see why a service provider would choose to block .zip files. I can't find too much information on some of these; I will update if I find any more info.

  1. There is such a thing as a zip bomb.

  2. The ZIP file format supports various compression methods, specified as a 16-bit value. Many operating systems would load a library for that method to handle compression and decompression. It doesn't look like a custom one can be specified. Windows .hlp had a vulnerability like this, where the .hlp file could contain a custom DLL for display purposes, but it doesn't look like this can be done with .zip.

  3. Windows Explorer will read certain *.ini files (and other ones depending on the Windows version, IIRC) and possibly run programs based on them. Windows 98 let you do a lot with this, whereas I believe in later versions it is restricted. I can't find anything on whether or not a Desktop.ini file in a ZIP archive will be processed by Explorer if opened. But this could be an attack vector.

  4. Technically ANY file opened by Windows that has a recognized extension launches a program. For .zip files by default that is explorer.exe, but it could be another program if the user has installed a different ZIP application. If an attacker knows a user has WinZip, and is aware of a vulnerability in WinZip, the user could be targeted.

  5. SFX zips obviously can be malicious.

LawrenceC

Posted 2015-02-17T15:56:41.607

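The points above (a 16-bit compression-method field, a zip bomb, and names such as Desktop.ini or *.exe that only become dangerous once something outside the archive acts on them) can be checked without extracting anything, because a ZIP is just a sequence of headers and data. The following is an added example, not code from the question, the answers or any product mentioned on this page. It parses the end-of-central-directory record and the central directory file headers as laid out in PKWARE's APPNOTE.TXT with `struct`, and then applies the kind of policy a mail gateway might use. The blocklist of extensions, the `desktop.ini`/`autorun.inf` names, the expansion-ratio threshold and the sample archive are assumptions made for the example; the archive is constructed in memory so the script runs offline.

```python
"""Added example: inspect a ZIP's central directory without extracting it."""
import io
import struct
import zipfile

# End-of-central-directory record (22 bytes) and central directory file header
# (46 bytes) as defined in APPNOTE.TXT. Single-disk archives only (assumption).
EOCD_SIG, EOCD_FMT = b"PK\x05\x06", "<4s4H2IH"
CDFH_SIG, CDFH_FMT = b"PK\x01\x02", "<4s6H3I5H2I"

# Compression method codes (the 16-bit field); a consumer must already have a
# decoder for the code, the archive cannot carry one.
METHOD_NAMES = {0: "stored", 8: "deflated", 12: "bzip2", 14: "lzma", 93: "zstd", 99: "AES"}
EXPLORER_METHODS = {0, 8}  # assumption: what Explorer's zip folders decode

# Assumed gateway policy (not from the page): extensions Windows runs on a
# double-click, names Explorer parses for directives, and size limits.
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse",
                    ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1"}
SPECIAL_NAMES = {"desktop.ini", "autorun.inf"}
MAX_RATIO = 100           # uncompressed / compressed above this looks like a bomb
MAX_TOTAL = 100 * 2**20   # refuse anything that would expand past 100 MiB


def parse_entries(data: bytes):
    """Return one dict per central-directory entry: name, method, flags, sizes."""
    # The EOCD record sits within the last 22 + 65535 bytes (comment may follow it).
    eocd_at = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _here, total, _cd_size, cd_off, _clen = struct.unpack_from(
        EOCD_FMT, data, eocd_at)
    entries, pos = [], cd_off
    for _ in range(total):
        fields = struct.unpack_from(CDFH_FMT, data, pos)
        sig, _, _, flags, method, _, _, _crc, csize, usize, nlen, xlen, clen, *_ = fields
        if sig != CDFH_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # Names are CP437 unless general-purpose bit 11 is set; UTF-8 is close enough here.
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "encrypted": bool(flags & 1),
                        "compressed": csize, "uncompressed": usize})
        pos += 46 + nlen + xlen + clen
    return entries


def findings(entries):
    """Apply the assumed policy; returns (reason, name) pairs a gateway could act on."""
    out, total = [], 0
    for e in entries:
        name = e["name"]
        base = name.rsplit("/", 1)[-1].lower()
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        total += e["uncompressed"]
        if e["method"] not in EXPLORER_METHODS:
            out.append(("unsupported-method", name))
        if e["encrypted"]:
            out.append(("encrypted", name))      # cannot be scanned, a common trojan trick
        if ext in RISKY_EXTENSIONS:
            out.append(("risky-extension", name))
        if base in SPECIAL_NAMES:
            out.append(("special-name", name))
        if ext == ".zip":
            out.append(("nested-archive", name))
        if e["compressed"] and e["uncompressed"] / e["compressed"] > MAX_RATIO:
            out.append(("expansion-ratio", name))
    if total > MAX_TOTAL:
        out.append(("total-size", "*"))
    return out


def build_sample() -> bytes:
    """Constructed test archive: a benign text file, a script, a desktop.ini and a
    highly compressible blob (4 MiB of zeros deflates to a few KiB)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "quarterly figures attached\n", zipfile.ZIP_DEFLATED)
        zf.writestr("Invoice_2015.js", "// a downloader stub would go here\n", zipfile.ZIP_STORED)
        zf.writestr("desktop.ini", "[.ShellClassInfo]\n", zipfile.ZIP_STORED)
        zf.writestr("padding.bin", b"\0" * (4 * 2**20), zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    entries = parse_entries(sample)
    for e in entries:
        print(f"{e['name']:<16} method={METHOD_NAMES.get(e['method'], e['method'])} "
              f"{e['compressed']} -> {e['uncompressed']} bytes")
    for reason, name in findings(entries):
        print("FLAG", reason, name)
```

Nothing in the parsed headers is a "run this" directive: the only fields that influence what a consumer does are the method code (which selects an existing decoder) and the name (which a shell may later map to a handler if the user extracts and opens the file). The `expansion-ratio` and `total-size` checks cover item 1, `unsupported-method` covers item 2, `special-name` covers item 3, and `risky-extension` covers items 4 and 5.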
Windows has ZIP file execution, and it's not just Win9x and NT; this exists even today with Windows 7, 8 and 10. This is a "feature" in Windows until it is recognized as a vulnerability.

Also, .exe is just an extension. Windows looks at extensions to determine how to process files, but any file can be executable (providing it contains executable code).

A popular development in ZIP file extraction and execution is to include a shell script or JavaScript that has no inherently malicious code (so your virus scan passes it up while the thing is starting to run); it then downloads and executes the malicious code.

I uploaded some malicious scripts to Google yesterday, and even Google allowed the code to be sent, although it did flag it as potentially dangerous. (Google, in my opinion, frequently has very decent security, so I wanted to test it.)

From what I can tell, MS doesn't think executable ZIP files are a vulnerability; their existence has been well known for decades. There may or may not be a Windows policy edit to allow or disallow zipped file execution by default (looking for that is why I ended up on this page; if I find it, I'll let you know).

Other decompression utilities for Windows know better than to execute code while decompressing a file. 7-Zip, for example.

j0h

Posted 2015-02-17T15:56:41.607

Can you specify this a bit more? Maybe give a link to documentation on how such a ZIP file would be created, because this sounds really mythical and unbelievable. – Christian Engel – 2016-12-20T10:58:40.737

ZIP files existed long before Windows. Back in those days, a ZIP file became a popular way of passing around programs (apps, executables).

To make it even easier for someone to install their new program, ZIP files were enhanced so that they could automatically start an execution, typically to do the install, when they were simply opened.

Today, that same feature of ZIP files that could have easily and simply installed that new version of Super Pong onto your PC can now instead easily and simply install unintended malware (virus, etc.).

I would always suggest being as cautious about opening a ZIP file attachment as one would be about opening an executable (.exe, .com, .bat).

Walt

Posted 2015-02-17T15:56:41.607

Can you name a specific functionality that "auto-executes" during or after unzipping that doesn't involve a "self-extracting archive" mechanism? (e.g. a specially named file inside the archive that the decompressor just automatically calls, similar to CD-ROM autorun.inf). Self-extractors are created by the particular ZIP archiving application by archiving as normal and then attaching the archive as a data resource inside a copy of itself. A "regular" ZIP file that is not executable is, well, not executable. A quick search of my own just brings up self-executable docs. – Yorik – 2016-10-13T18:10:44.897

Windows (95? OS/2? 98? Me?) added a "zip folders" feature that, as far as I know, remains to this day. It lets you look inside ZIP archives as if they were folders, so to the USER they appear as if they are just normal files. This was the original purpose.

Unfortunately, users like to click on things inside normal folders, because they can see them. When they do, the system uses the built-in ZIP extraction library to extract the file to a temp directory and then execute it. The system antivirus then needs to intercept this action and block the attempt to use a file with a virus in it, whether it is an EXE or a bad Excel spreadsheet macro or whatever.

The only other real problem I can think of here is that when the user clicks on the ZIP file to make it display like a folder, there could potentially be security exploits within Windows' own ZIP library, as I am guessing they do not have a lot of desire to make it "better" vs. developing other aspects of Windows. They patch exploits as they are discovered, naturally, but this might lead to inherent distrust of the integrated zip folders feature by administrators.

evilspoons

Posted 2015-02-17T15:56:41.607
