Potential Security Bug

Laish, Amit (GE Digital) Amit.Laish at ge.com
Wed Mar 20 06:18:16 EDT 2019


Hello,
I’m Amit Laish, a security researcher from GE Digital.
During one of our assessments we discovered something that we consider a bug with security implications, which can cause a denial of service by disk exhaustion, and we would like to share it with you and hear your opinion about it.
Link for the required files: https://drive.google.com/open?id=1QxItN7cj0J9LIMqYa0SmmckeQrxSxkBC
1. 20GB.zip – contains 200 files of 100MB each; after decompression the total size is 20GB.
2. create_zip.py – creates a new zip named malicious.zip which contains a fake value in the uncompressed size header.
3. poc.py – extracts the malicious archive.

Denial of Service via Decompression in Zipfile Library

Background
The Zipfile library can be used to extract data from compressed archives. Each file has metadata that contains information about the file, such as uncompressed size, packed size, and more. The decompression process should extract the data based on the information in the uncompressed size header and check whether the extracted data is equal to the size in the uncompressed size header.
The problem
The Zipfile library does not use the uncompressed size header when extracting data from compressed archives.
As a result, an attacker can craft a malicious compressed archive that contains a fake value in the uncompressed size header, combined with specific compressed data, so that the decompressed data is larger than the system can handle, and thus causes a denial of service.
[Figure 1: inline image attachment, not preserved in the archive]

Figure 1 – Unpacked size is 200 bytes and after decompression 20GB of the disk space is taken
The red team successfully exploited the vulnerability and caused a denial of service.
Implications
Malicious users can use this method and distribute the archive; once the victim, or an application that relies on the uncompressed size header value, decompresses it, the whole disk space is exhausted, causing a denial of service. This attack may cause sensitive services to stop working.
How to reproduce
Note: Both archive file and the malicious script to reproduce the attack are attached to the report.

  1.  Run the create_zip.py file, which changes the uncompressed size header to 1 byte and saves the result to a new archive called malicious.zip.
  2.  Run the poc.py file to extract the malicious archive.
  3.  If the vulnerability exists, approximately 20 GB of disk space is taken.

Recommendation
The extraction process should use the metadata header that indicates the uncompressed size for each file, or should extract the smaller of the metadata value and the file's size.

Thanks, Amit Laish – GE Digital.
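Editor's worked example (added here; this is not the reporter's create_zip.py or poc.py, which live behind the Drive link and are not reproduced on this page, and it is not the zipfile module's own code). It builds a small in-memory archive as a stand-in for 20GB.zip, forges the uncompressed-size field in the central directory and local header the way the report describes create_zip.py doing, and then extracts with a hardened routine. The caveat worth adding to the recommendation above: the uncompressed-size header is attacker-controlled, so an extractor that merely "uses" it is still trusting the archive. The safe pattern is to charge the bytes actually produced against an archive-wide budget, decompress in bounded steps (zlib's max_length), and treat output that exceeds the declared size as an error. The extractor below does its own raw-deflate decoding from the member's offsets, so the outcome does not depend on what any particular zipfile version does internally. Sample name, payload and the 200-byte forged value are constructed for the demo.

```python
"""Hardened ZIP extraction: cap the actual decompressed output, not just the declared size."""
import io
import struct
import zipfile
import zlib

CHUNK = 64 * 1024          # upper bound on bytes produced per decompress() step
LOCAL_SIG = b"PK\x03\x04"  # local file header signature
EOCD_SIG = b"PK\x05\x06"   # end of central directory signature


class DecompressionLimit(Exception):
    """Raised when a member would produce more output than allowed."""
    def __init__(self, reason, filename):
        super().__init__(f"{filename}: {reason}")
        self.reason = reason


def make_zip(name, payload):
    """Build a single-entry deflated archive in memory (constructed sample, stands in for 20GB.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def forge_uncompressed_size(zip_bytes, fake_size):
    """Rewrite the 'uncompressed size' field of the first entry in both the central
    directory and the local file header (what the report says create_zip.py does;
    the exact byte offsets are from the ZIP format, not from the reporter's script)."""
    data = bytearray(zip_bytes)
    eocd = data.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]        # EOCD: central directory offset
    local_off = struct.unpack_from("<I", data, cd_off + 42)[0]  # CD entry: local header offset
    struct.pack_into("<I", data, cd_off + 24, fake_size)        # CD entry: uncompressed size
    struct.pack_into("<I", data, local_off + 22, fake_size)     # local header: uncompressed size
    return bytes(data)


def declared_size(zip_bytes, name):
    """What zipfile reports for the member from the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.getinfo(name).file_size


def safe_extract_member(zip_bytes, info, max_bytes):
    """Decompress one member with a bounded loop. Rejects it if the declared size exceeds
    the budget, and again if the real output ever exceeds the declared size."""
    if info.file_size > max_bytes:
        raise DecompressionLimit("declared-too-big", info.filename)
    hdr = struct.unpack_from("<4sHHHHHIIIHH", zip_bytes, info.header_offset)
    if hdr[0] != LOCAL_SIG:
        raise zipfile.BadZipFile("bad local header signature")
    start = info.header_offset + 30 + hdr[9] + hdr[10]  # skip file name and extra field
    raw = zip_bytes[start:start + info.compress_size]
    out = bytearray()
    if info.compress_type == zipfile.ZIP_STORED:
        out += raw
        if len(out) > info.file_size:
            raise DecompressionLimit("exceeds-declared", info.filename)
    elif info.compress_type == zipfile.ZIP_DEFLATED:
        d = zlib.decompressobj(-15)  # raw deflate, no zlib/gzip wrapper
        pending = raw
        while not d.eof:
            chunk = d.decompress(pending, CHUNK)  # max_length bounds this step's output
            pending = d.unconsumed_tail
            if not chunk and not pending and not d.eof:
                raise zipfile.BadZipFile("truncated deflate stream")
            if len(out) + len(chunk) > info.file_size:
                raise DecompressionLimit("exceeds-declared", info.filename)
            out += chunk
    else:
        raise ValueError("unsupported compression method")
    if zlib.crc32(out) != info.CRC:
        raise zipfile.BadZipFile("CRC mismatch")
    return bytes(out)


def safe_extract_all(zip_bytes, max_total):
    """Extract every member into a dict, charging real output against one archive-wide budget."""
    remaining, result = max_total, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = safe_extract_member(zip_bytes, info, remaining)
            remaining -= len(data)
            result[info.filename] = data
    return result


def classify(zip_bytes, max_total):
    """'ok', 'declared-too-big' or 'exceeds-declared' for the archive under this budget."""
    try:
        safe_extract_all(zip_bytes, max_total)
        return "ok"
    except DecompressionLimit as exc:
        return exc.reason


# Constructed sample: 4 MiB of zeros deflates to a few KB; the forged copy claims 200 bytes (cf. Figure 1).
SAMPLE_NAME = "payload.bin"
SAMPLE_PAYLOAD = b"\0" * (4 * 1024 * 1024)
HONEST_ZIP = make_zip(SAMPLE_NAME, SAMPLE_PAYLOAD)
FORGED_ZIP = forge_uncompressed_size(HONEST_ZIP, 200)

if __name__ == "__main__":
    print("forged header declares", declared_size(FORGED_ZIP, SAMPLE_NAME), "bytes")
    print("honest, 8 MiB budget:", classify(HONEST_ZIP, 8 * 1024 * 1024))
    print("honest, 1 MiB budget:", classify(HONEST_ZIP, 1024 * 1024))
    print("forged, 8 MiB budget:", classify(FORGED_ZIP, 8 * 1024 * 1024))
```

The two checks are deliberately separate: the budget comparison against the declared size catches an honest archive that is simply too large for the service, while the running comparison of real output against the declared size catches the forged header, and it does so after at most one 64 KiB step rather than after 20 GB have hit the disk. Writing to disk in the same loop would be the same pattern, with the budget also covering the free space you are willing to give up.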

