Construction of poc.zip, as illustrated in the report:

```text
normal ZIP archive with a virus
  LFH             ─╮
  data (virus)     ├─→──┐
  CDH              │    │
  EOCDR           ─╯    │  copy the inner
                        ↓  archive with virus
the final ZIP archive   │  as the data of
                        │  the outer archive
  LFH (size set to 1)   │
  data (copied)  ←──────┘
  CDH (size set to 1)
  EOCDR (comment length set to 1 with empty comment content)
```
neild added the Security and NeedsFix labels and removed the NeedsInvestigation label on Apr 22, 2024.
This has been reported in email and accepted as a PUBLIC track security issue.
Go version
go version go1.22.2 linux/amd64
Output of go env in your module/workspace:
What did you do?
Use archive/zip (actually, a thin wrapper library https://github.com/evilsocket/islazy/blob/master/zip/unzip.go) to extract the attached ZIP archive: poc.zip (Warning: It contains malware. Do not open the extracted exe file!) It is constructed as illustrated in the diagram above.
What did you see happen?
It can get the malware inside the ZIP archive. This is caused by the following logic, which skips EOCDR with a bogus comment length field and continues to search for the next one:
go/src/archive/zip/reader.go, lines 702 to 704 at c51f6c6
However, this is inconsistent with most other ZIP implementations, so they use different EOCDRs and get different files extracted. Most other ZIP implementations are not able to get the virus. The PoC file is flagged by only 1/62 security vendors on VirusTotal.
This inconsistency can also be used in other scenarios depending on the specific use case of the package, such as hiding add-on files from linter and reviewers.
What did you expect to see?
archive/zip should return an error when a bogus EOCDR is encountered.
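The disagreement the report describes, as an added example in Go that is not part of the issue or of the Go project's code. It builds a benign nested archive of the same shape (an inner archive stored as the data of an outer one, with the outer EOCDR's comment-length field set to 1 and no comment bytes following) and then compares a strict parse, which trusts only a record whose comment ends exactly at EOF, with a lenient backward scan that skips records whose comment would run past EOF, as the quoted reader.go logic does. The function names (BuildNestedZip, StrictEOCDR, LenientEOCDR, CheckEOCDR) and the sample file contents are assumptions; the LFH/CDH size changes from the diagram are left out because they are not needed to reproduce the EOCDR disagreement.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const eocdrLen = 22 // fixed size of the end-of-central-directory record

var eocdrSig = []byte{'P', 'K', 0x05, 0x06}

// zipBytes builds a one-entry stored archive in memory (constructed sample).
func zipBytes(name string, data []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Store})
	if err != nil {
		panic(err)
	}
	if _, err := f.Write(data); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// BuildNestedZip is a benign stand-in (assumed name) for the report's poc.zip:
// the inner archive is stored verbatim as the data of the outer archive, and
// the outer EOCDR's comment-length field (its last two bytes) is set to 1
// although no comment bytes follow.
func BuildNestedZip() []byte {
	inner := zipBytes("payload.txt", []byte("constructed inner archive content\n"))
	outer := zipBytes("inner.zip", inner)
	binary.LittleEndian.PutUint16(outer[len(outer)-2:], 1)
	return outer
}

type candidate struct{ Offset, CommentLen int }

// candidates lists every EOCDR signature in the trailing 64 KiB+22 bytes
// (the region readers search), nearest to EOF first, with the comment
// length each record declares.
func candidates(b []byte) []candidate {
	start := len(b) - (65535 + eocdrLen)
	if start < 0 {
		start = 0
	}
	var out []candidate
	for i := len(b) - eocdrLen; i >= start; i-- {
		if bytes.Equal(b[i:i+4], eocdrSig) {
			out = append(out, candidate{i, int(binary.LittleEndian.Uint16(b[i+20 : i+22]))})
		}
	}
	return out
}

// StrictEOCDR trusts only the record nearest to EOF, and only if its comment
// ends exactly at EOF. Returns the record offset, or -1.
func StrictEOCDR(b []byte) int {
	c := candidates(b)
	if len(c) == 0 || c[0].Offset+eocdrLen+c[0].CommentLen != len(b) {
		return -1 // missing, or the nearest record is bogus: refuse to guess
	}
	return c[0].Offset
}

// LenientEOCDR models the backward scan the report quotes from reader.go:
// a record whose comment would run past EOF is skipped and the search goes on.
func LenientEOCDR(b []byte) int {
	for _, c := range candidates(b) {
		if c.Offset+eocdrLen+c.CommentLen <= len(b) {
			return c.Offset
		}
		// truncated comment: skipped rather than rejected
	}
	return -1
}

// CheckEOCDR rejects an archive when the two policies disagree on which
// record to use, which is exactly the class of file the report describes.
func CheckEOCDR(b []byte) error {
	s, l := StrictEOCDR(b), LenientEOCDR(b)
	if s < 0 {
		return errors.New("EOCDR nearest to EOF declares a comment that runs past EOF")
	}
	if s != l {
		return fmt.Errorf("ambiguous archive: strict parse uses EOCDR at %d, lenient scan uses %d", s, l)
	}
	return nil
}

func main() {
	for name, b := range map[string][]byte{
		"normal.zip": zipBytes("a.txt", []byte("hello\n")),
		"nested.zip": BuildNestedZip(),
	} {
		fmt.Printf("%s: strict=%d lenient=%d err=%v\n", name, StrictEOCDR(b), LenientEOCDR(b), CheckEOCDR(b))
	}
}
```

For normal.zip both policies pick the final 22 bytes and CheckEOCDR passes; for nested.zip the strict parse refuses while the lenient scan walks back to the inner archive's EOCDR, so the check fails. The strict policy also refuses an otherwise valid archive whose own comment happens to contain the signature bytes near the end; that is the price of never guessing which record an extractor will honour.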