'Non-recursive ZIP bomb' expands 10MB file to 281TB


by Tomas Sobek

A 'ZIP bomb' (a highly compressed file bomb) looks like a ZIP file of a few tens of kilobytes but occupies an enormous amount of disk space once unzipped. The classic design is a ZIP file that stores ZIP files inside a ZIP file, with further ZIP files inside those inner ZIP files, and so on. This nested structure sidesteps the limits of the compression algorithm, which is why much antivirus software guards against it. A 'non-recursive ZIP bomb' that overcomes this weakness can expand 28 million times, from just 10MB to 281TB, although its expanded size is no match for an efficiently built recursive ZIP bomb.

A better zip bomb
https://www.bamsoftware.com/hacks/zipbomb/



The algorithm commonly used for ZIP compression is called 'Deflate', and it is characterized by fast compression and decompression. Its maximum compression ratio of 1032:1 (approximately 0.096%) is a 'hindrance' when building ZIP bombs, so to get around this limit ZIP bombs use nested files that store ZIP files within ZIP files. With this structure, each level of nesting can approach the 1032x ratio, making huge files appear extremely small.

For example, the famous ZIP bomb '42.zip' exists in two versions: the old one does not require a password to extract and is 42,374 bytes, while the new one requires a password to extract and is 42,838 bytes. Below are the properties of the old version.

Inside are 16 ZIP files numbered sequentially from 'lib 0.zip' to 'lib f.zip'. The original size of the file is 34,902 bytes (35KB) and the compressed size is 2,533 bytes (2.6KB), a compression rate of 7.3%.



'lib 0.zip' in turn holds further ZIP files 'book 0.zip' to 'book f.zip'. The original size is 29,446 bytes (30KB) and the compressed size is 2,084 bytes (2.1KB), a compression rate of 7.1%.

When I opened 'page 0.zip' in the 5th layer counting from the outer 42.zip, the nesting finally ended and a file called '0.dll' appeared. Its original size is 4,294,967,295 bytes (4.3GB) and its compressed size is 4,168,158 bytes (4.2MB), so the compression ratio is actually 0.1%.



There are many other huge files compressed to 0.1% in the same way at the 6th layer, so unzipping 42.zip produces 4,507,981,343,026,016 bytes (4.5PB) from just 42KB. Its expansion rate is 106 billion times.

However, this assumes that the implementation performs recursive expansion; if only the top layer is expanded, the size after expansion is only 558,432 bytes (558KB), just 13.2 times the original size.

The non-recursive ZIP bomb proposed by David Fifield, on the other hand, has 250 files compressed to 0.1% in its first layer. Its original file size is 42KB, the same as 42.zip, but it expands to 5,461,307,620 bytes (5.5GB), 129,000 times the original size.



If the original file is made 10MB, the expanded size can be increased to 281TB, 28 million times the original size. Furthermore, using Zip64, a 46MB file can be expanded 98 million times to 4.5PB.

This non-recursive ZIP bomb works by overlapping files inside the ZIP container, so that many file entries reference the same highly compressed kernel without storing a copy of it for each entry. As a result, the output size grows in proportion to the input size, and the larger the 'bomb', the better its compression ratio.
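As an added example (not code from the article or from Fifield's project), here is a Python checker that applies the warning signs described above without inflating anything: it reads only the central directory and flags a high declared-to-compressed ratio, nested .zip members as in 42.zip, and entries whose compressed data regions overlap, which is how the non-recursive bomb shares one kernel. The sample archive, the member names and the thresholds are constructed assumptions.

```python
import io
import zipfile

def build_sample_zip() -> bytes:
    """Constructed sample, not the article's files: one nested ZIP plus one
    highly compressible member, the shape both kinds of bomb share."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("0.dll", b"\0" * (1 << 20))          # 1 MiB of zeros
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("page 0.zip", inner.getvalue())       # nesting, as in 42.zip
        z.writestr("big.bin", b"A" * (1 << 20))          # ~1000:1 under Deflate
    return outer.getvalue()

def find_overlaps(spans):
    """spans: (name, start, end) byte ranges covering each entry's local header
    and compressed data. Shared bytes mean entries point at one kernel."""
    hits, prev_name, prev_end = [], None, -1
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < prev_end:
            hits.append((prev_name, name))
        if end > prev_end:
            prev_name, prev_end = name, end
    return hits

def inspect_zip(data: bytes) -> dict:
    """Read only the central directory; nothing is inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    # Local header is 30 bytes + filename (+ extra field, ignored here, so the
    # end is a conservative lower bound and a normal archive never overlaps).
    spans = [(i.filename, i.header_offset,
              i.header_offset + 30 + len(i.filename.encode()) + i.compress_size)
             for i in infos]
    return {
        "entries": len(infos),
        "declared_size": declared,
        "ratio": declared / max(compressed, 1),
        "nested_zips": [i.filename for i in infos if i.filename.lower().endswith(".zip")],
        "overlaps": find_overlaps(spans),
    }

def is_suspicious(report, max_ratio=100.0, max_declared=1 << 30) -> bool:
    """Thresholds are assumptions; tune them for the deployment."""
    return (report["ratio"] > max_ratio or report["declared_size"] > max_declared
            or bool(report["nested_zips"]) or bool(report["overlaps"]))
```

Run `inspect_zip` on an archive before any extraction step; a real non-recursive bomb shows up in `overlaps` and a 42.zip-style one in `nested_zips`, while both trip the ratio check.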

At the time of writing, antivirus software reacts to 42.zip and it can no longer be downloaded, but it did not react to the non-recursive ZIP bomb file created by Fifield, so be careful with suspicious ZIP files.

Posted by logc_nt in Software, Security