At which point can a system be compromised when downloading archived data from an untrusted source?
If I download archived data from a possibly untrusted source, at which point am I at possible risk of harming my system:
1. Initially downloading and saving the archived data (still packed)
2. Unpacking the archived data
3. Executing any file from the unpacked archive
At point 3 I will obviously be at risk, but what about 1-2?
Tags: malware, file-system, zip
edited 48 mins ago by mbomb007
asked 14 hours ago by T A
About the best someone can answer without a concrete case is, "it depends". Without details like how you are downloading and how you are unpacking it is hard to say. For example, I believe cURL, Wget and some browsers unpack the ZIP for you, unless you take special measures to avoid the behavior. Or, an email client could unpack the ZIP file for you for previewing contents. However, using OpenSSL to fetch it will just save it to the filesystem.
– jww
3 hours ago
2 Answers
1 should not present any danger as long as the file is just saved somewhere and no attempts to open it with anything are made. If you view it even with a text editor, there's already a small danger of exploits.
In the case of 2 there are vulnerabilities and exploits, so there are dangers. Some examples of such possible scenarios:
- Arbitrary file writes caused by .tar.gz archive symbolic link (symlink) vulnerabilities that are exploited because of how Bower (a popular web package manager) extracts such archives
- CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005. A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.
- CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
- Zip Slip, which attackers might use to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
- Helm Chart Archive File Unpacking Path Traversal Vulnerability.
- CVE-2015-5663 - the file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extension-less filename that was selected by the user.
- CVE-2005-3262 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename.
There are plenty more examples and databases with such vulnerabilities, and even though most of them got fixed in later versions of the software, a risk still exists.
Therefore, [2] is risky and should be handled with care.
answered 13 hours ago by Overmind
Another interesting threat of unpacking untrusted archives is zip bombs: specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
@mbrig Well, in the end points 1 and 2 are mostly "identical" from a security perspective. They both deal with programs handling data in some way. If we include the possibility of bugs that allow an attacker to perform arbitrary code execution, it can happen in both cases 1 and 2. Downloading a file may be a "simpler" action with less chance of errors, but if you think of all the bugs in networking software (think Heartbleed for example...) it's absolutely not out of this world. If you don't care about software bugs then opening a file in a text editor is fine, only execution is an issue.
– Bakuriu
2 hours ago
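The bugs listed in this answer (Zip Slip and the WinRAR ACE traversal, the Bower symlink case) and the zip bombs from the comment all get past an extractor that trusts member names and declared sizes. Below is an added example, not code from the answer or from any of the projects it names, of the inspection a careful extractor runs before writing a single byte: it parses a zip (and, through the same code path, a tar) from memory and flags absolute paths, `..` traversal, symlinks whose target leaves the destination, files written through an earlier symlink, and implausible compression ratios. The archives are constructed in memory as test data; the thresholds `MAX_RATIO` and `MAX_TOTAL` and the names in the sample entries are assumptions chosen for the demonstration.

```python
"""Inspect an untrusted zip or tar archive before extracting anything.

Added example, not code from the answer above. The archives are constructed
in memory as test data; the checks are the ones that the listed bugs (Zip Slip,
the WinRAR ACE traversal, the Bower symlink case, zip bombs) walk straight past
when an extractor trusts member names and declared sizes blindly.
"""
from __future__ import annotations

import io
import posixpath
import stat
import tarfile
import zipfile

MAX_RATIO = 100        # uncompressed:compressed; ordinary data stays far below this (assumed)
MAX_TOTAL = 256 << 20  # refuse anything that declares more than 256 MiB of output (assumed)


def unsafe_path(name: str) -> str | None:
    """Why a member name could land outside the extraction directory, or None."""
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):   # POSIX absolute or C:\ style
        return "absolute path"
    if ".." in posixpath.normpath(n).split("/"):             # "a/../../b" normalises to "../b"
        return "path traversal"
    return None


def through_symlink(name: str, links: set[str]) -> bool:
    """True if a parent directory of `name` was created by an earlier symlink member."""
    parts = posixpath.normpath(name).split("/")
    return any("/".join(parts[:i]) in links for i in range(1, len(parts)))


def members_of(data: bytes):
    """Yield (name, symlink_target_or_None, out_size, in_size) for a zip or tar blob."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for i in zf.infolist():              # the Unix mode sits in the high 16 bits
                link = zf.read(i).decode("utf-8", "replace") if stat.S_ISLNK(i.external_attr >> 16) else None
                yield i.filename, link, i.file_size, i.compress_size
    else:                                        # tar has no per-member compression; a .tar.gz
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:  # ratio needs a stream-level check
            for m in tf.getmembers():
                yield m.name, (m.linkname if m.issym() else None), m.size, m.size


def inspect(data: bytes) -> list[str]:
    """Return the reasons to refuse the archive; an empty list means it passed."""
    problems: list[str] = []
    links: set[str] = set()
    out_total = in_total = 0
    for name, link, out_size, in_size in members_of(data):
        name = name.replace("\\", "/")
        reason = unsafe_path(name)
        if reason:
            problems.append(f"{name}: {reason}")
            continue
        if through_symlink(name, links):
            problems.append(f"{name}: written through an earlier symlink")
        if link is not None:                     # link targets resolve relative to the link's directory
            if unsafe_path(posixpath.join(posixpath.dirname(name), link)):
                problems.append(f"{name}: symlink escapes to {link}")
            links.add(posixpath.normpath(name))
        out_total += out_size
        in_total += in_size
    if out_total > MAX_TOTAL:
        problems.append(f"declares {out_total} bytes of output, over the {MAX_TOTAL} byte limit")
    elif in_total and out_total // in_total > MAX_RATIO:
        problems.append(f"compression ratio {out_total // in_total}:1 looks like a zip bomb")
    return problems


def build_zip(entries) -> bytes:
    """Constructed test data. Entries are (name, payload) or (name, "->", target) for a symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, *rest in entries:
            if rest[0] == "->":
                zi = zipfile.ZipInfo(name)
                zi.external_attr = (stat.S_IFLNK | 0o777) << 16
                zf.writestr(zi, rest[1])
            else:
                zf.writestr(name, rest[0])
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Run the inspector over one clean and one hostile archive, both constructed here."""
    clean = build_zip([("pkg/README", "harmless"), ("pkg/index.js", "module.exports = 1;")])
    evil = build_zip([
        ("pkg/README", "looks harmless"),
        ("../../../Programs/Startup/evil.cmd", "calc"),   # Zip Slip / ACE-style traversal
        ("/etc/cron.d/evil", "* * * * * root id"),        # absolute path
        ("pkg/lib", "->", "../../../../etc"),             # symlink out of the tree (Bower case), ...
        ("pkg/lib/passwd", "root::0:0::/:/bin/sh"),       # ... then a file written through it
        ("pkg/zeros.bin", b"\0" * (20 << 20)),            # 20 MiB that deflates to about 20 KiB
    ])
    return {"clean": inspect(clean), "evil": inspect(evil)}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

Two things worth noting about the design: the name checks are purely lexical, so they give the same verdict on every platform and do not depend on what already exists in the destination, and the symlink bookkeeping is order-sensitive on purpose, because the attack is a link first and a file through it second. The ratio heuristic only catches the simple, single-layer bomb; nested archives still need a recursion limit in whatever opens them.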
In theory all of these places could be exploited. I am not going to go into specific exploits available as these change constantly with archive format and moving tech:
Initially downloading and saving the archived data (still packed)
It is unlikely but it is possible that your download manager / web browser does have some kind of exploit. You say the source is untrusted, therefore the server could try and attack your download program using exploits in its implementation or weaknesses in the file transfer protocol you are using. These exploits are rare but not unheard of. But fundamentally, unless you are certain your software is entirely unexploitable, any network connection with a malicious server could result in an attack.
You can somewhat mitigate this by sandboxing the download software with only minimal permissions and access needed to the location you wish to download to and the network stack. This mostly mitigates this weakness assuming your OS permission model or sandboxing software do not also have exploits.
Unpacking the archived data
There are numerous attacks over the years involving using poisoned archive files to run arbitrary code on a system by exploiting weaknesses in the archive format or decompression software. These are probably more common than the above weakness.
The main protections are again making sure to give the extraction program minimal permissions and potentially sand-boxing it to ensure it can do minimal damage if it is attacked successfully. Caveats above apply.
Executing any file from the unpacked archive
This is obviously enormously risky, and the same issues as running any malicious software apply. It is relatively easy for software, when run explicitly, to break many sandboxes and permission system protections, so all bets are off. You can have some safety running the software in a hardened VM, but this still doesn't fully protect you short of using an airgapped machine to run the programs which is then destroyed.
TLDR
All of these steps are fairly risky, but each successive step is probably more dangerous than the last.
add a comment |
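This answer's advice for step 2 is to give the extraction program minimal permissions and sandbox it so that a successful attack on the decompressor does as little damage as possible. The following is an added example, not the answer's own code, of that advice as a runnable Linux/POSIX recipe using only the standard library: the archive is handed to a separate Python process that is confined by rlimits (file size, CPU, address space, open files) and writes only into a fresh, private temporary directory; the parent then verifies that everything the worker produced resolves below that directory before anyone touches it. The rlimit values, the directory layout and the use of Python's own `zipfile` as the worker's extractor are assumptions for the demonstration; the two zip archives are constructed test data. Network isolation via `unshare -rn` or bubblewrap is mentioned in a comment but left out so the example runs without namespace privileges.

```python
"""Run the unpacking step as a throwaway, resource-limited worker.

Added example, not the answer's own code: the "minimal permissions, sandbox
the extraction program" advice as a Linux/POSIX recipe built only from the
standard library. The archive goes to a separate Python process confined by
rlimits, writing only into a fresh temporary directory, and the parent verifies
the result before trusting it. The zip archives are constructed test data.
"""
import io
import os
import resource
import shutil
import subprocess
import sys
import tempfile
import zipfile

# The worker does nothing but extract. If a decompressor bug gets code execution
# here, the rlimits and an empty working directory are all it has to work with.
WORKER = r"""
import sys, zipfile
with zipfile.ZipFile(sys.argv[1]) as zf:
    zf.extractall(sys.argv[2])
"""


def _cap(kind: int, value: int) -> None:
    """Lower soft and hard limit to `value`, never above the current hard limit."""
    _, hard = resource.getrlimit(kind)
    new = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(kind, (new, new))


def apply_limits(max_file_bytes: int, cpu_seconds: int) -> None:
    """Runs in the child between fork and exec (subprocess preexec_fn)."""
    _cap(resource.RLIMIT_FSIZE, max_file_bytes)  # a zip bomb gets EFBIG instead of filling the disk
    _cap(resource.RLIMIT_CPU, cpu_seconds)       # runaway decompression is killed with SIGXCPU
    _cap(resource.RLIMIT_AS, 1 << 30)            # 1 GiB of address space is plenty for unpacking (assumed)
    _cap(resource.RLIMIT_NOFILE, 64)
    os.umask(0o077)                              # nothing extracted becomes readable to others
    # On hosts with user namespaces, prefixing the command with `unshare -rn`
    # (or using bubblewrap) also cuts the worker off from the network.


def contained(dest: str) -> bool:
    """Every path under dest must resolve below dest (catches traversal and escaping symlinks)."""
    for dirpath, dirnames, filenames in os.walk(dest):
        for name in dirnames + filenames:
            if not os.path.realpath(os.path.join(dirpath, name)).startswith(dest + os.sep):
                return False
    return True


def sandboxed_extract(archive: bytes, max_file_bytes: int = 8 << 20, cpu_seconds: int = 10):
    """Extract `archive` in a confined child. Returns (dest, sorted relative paths) on
    success, or (None, reason) after deleting whatever the worker managed to write."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="untrusted-"))
    dest = os.path.join(root, "out")
    os.mkdir(dest, 0o700)
    archive_path = os.path.join(root, "input.zip")
    with open(archive_path, "wb") as f:
        f.write(archive)
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", WORKER, archive_path, dest],
            cwd=dest, capture_output=True, text=True, timeout=cpu_seconds * 3,
            preexec_fn=lambda: apply_limits(max_file_bytes, cpu_seconds),
        )
        ok, reason = proc.returncode == 0, proc.stderr.strip()[-300:]
    except subprocess.TimeoutExpired:
        ok, reason = False, "worker exceeded the wall-clock timeout"
    if ok and not contained(dest):
        ok, reason = False, "extracted tree escapes the destination directory"
    if not ok:
        shutil.rmtree(root, ignore_errors=True)
        return None, reason
    files = sorted(os.path.relpath(os.path.join(d, n), dest)
                   for d, _, names in os.walk(dest) for n in names)
    return dest, files


def discard(dest: str) -> None:
    """Remove the temporary root once the caller is done with the extracted tree."""
    shutil.rmtree(os.path.dirname(dest), ignore_errors=True)


def make_zip(entries: dict) -> bytes:
    """Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


CLEAN = make_zip({"pkg/README": "hello", "pkg/index.js": "module.exports = 1;"})
BOMB = make_zip({"zeros.bin": b"\0" * (32 << 20)})  # 32 MiB declared, about 32 KiB on the wire


if __name__ == "__main__":
    dest, files = sandboxed_extract(CLEAN)
    print("clean:", files)
    discard(dest)
    print("bomb:", sandboxed_extract(BOMB))
```

The important property is that the parent never parses the archive itself and never trusts the worker's exit status alone: a clean exit still has to pass `contained()`, and anything else is deleted wholesale rather than inspected. With the default 8 MiB file cap the 32 MiB bomb makes the worker's write fail with EFBIG and the partial output is thrown away; a real deployment would additionally run the worker as a dedicated unprivileged user and, where available, inside a user namespace without network access, which is what the answer's VM and airgap suggestions amount to for step 3.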
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
T A is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213602%2fat-which-point-can-a-system-be-compromised-when-downloading-archived-data-from-a%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
1 should not present any danger as long as the file is just saved somewhere and no attempts to open it with anything are made. If you view it even with a text editor, there's already a small danger of exploits.
In the case of 2 there are vulnerabilities and exploits, so there are dangers. Some examples of such possible scenarios:
Arbitrary file writes caused by .tar.gz archive symbolic link (symlink) vulnerabilities that are exploited because of how Bower (a popular web package manager) extracts such archives
CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005. A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.
CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
Zip Slip which attackers might use to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
Helm Chart Archive File Unpacking Path Traversal Vulnerability.
CVE-2015-5663 - the file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extension-less filename that was selected by the user.
CVE-2005-3262 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename
There are plenty more examples and databases with such vulnerabilities and even most of them got fixed in later versions of the software, a risk still exists.
So therefore, [2] is risky and should be handled with care.
10
Another interesting threat of unpacking untrusted archives are zip bombs: Specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
2
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
@mbrig Well, in the end points 1 and 2 are mostly "identical" from a security perspective. They both deal with programs handling data in some way. If we include the possibility of bugs that allow an attacker to perform arbitrary code execution it can happen in both case 1 and 2. Downloading a file may be a "simpler" action with less chances of errors, but if you think at all the bugs in networking software (think heartbleed for example...) it's absolutely not out of this world. If you don't care about software bugs then opening a file in a text editor is fine, only execution is an issue.
– Bakuriu
2 hours ago
add a comment |
1 should not present any danger as long as the file is just saved somewhere and no attempts to open it with anything are made. If you view it even with a text editor, there's already a small danger of exploits.
In the case of 2 there are vulnerabilities and exploits, so there are dangers. Some examples of such possible scenarios:
Arbitrary file writes caused by .tar.gz archive symbolic link (symlink) vulnerabilities that are exploited because of how Bower (a popular web package manager) extracts such archives
CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005. A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.
CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
Zip Slip which attackers might use to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
Helm Chart Archive File Unpacking Path Traversal Vulnerability.
CVE-2015-5663 - the file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extension-less filename that was selected by the user.
CVE-2005-3262 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename
There are plenty more examples and databases with such vulnerabilities and even most of them got fixed in later versions of the software, a risk still exists.
So therefore, [2] is risky and should be handled with care.
10
Another interesting threat of unpacking untrusted archives are zip bombs: Specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
2
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
@mbrig Well, in the end points 1 and 2 are mostly "identical" from a security perspective. They both deal with programs handling data in some way. If we include the possibility of bugs that allow an attacker to perform arbitrary code execution it can happen in both case 1 and 2. Downloading a file may be a "simpler" action with less chances of errors, but if you think at all the bugs in networking software (think heartbleed for example...) it's absolutely not out of this world. If you don't care about software bugs then opening a file in a text editor is fine, only execution is an issue.
– Bakuriu
2 hours ago
add a comment |
1 should not present any danger as long as the file is just saved somewhere and no attempts to open it with anything are made. If you view it even with a text editor, there's already a small danger of exploits.
In the case of 2 there are vulnerabilities and exploits, so there are dangers. Some examples of such possible scenarios:
Arbitrary file writes caused by .tar.gz archive symbolic link (symlink) vulnerabilities that are exploited because of how Bower (a popular web package manager) extracts such archives
CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005. A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.
CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
Zip Slip which attackers might use to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
Helm Chart Archive File Unpacking Path Traversal Vulnerability.
CVE-2015-5663 - the file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extension-less filename that was selected by the user.
CVE-2005-3262 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename
There are plenty more examples and databases with such vulnerabilities and even most of them got fixed in later versions of the software, a risk still exists.
So therefore, [2] is risky and should be handled with care.
1 should not present any danger as long as the file is just saved somewhere and no attempts to open it with anything are made. If you view it even with a text editor, there's already a small danger of exploits.
In the case of 2 there are vulnerabilities and exploits, so there are dangers. Some examples of such possible scenarios:
Arbitrary file writes caused by .tar.gz archive symbolic link (symlink) vulnerabilities that are exploited because of how Bower (a popular web package manager) extracts such archives
CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005. A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.
CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
Zip Slip which attackers might use to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
Helm Chart Archive File Unpacking Path Traversal Vulnerability.
CVE-2015-5663 - the file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extension-less filename that was selected by the user.
CVE-2005-3262 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename
There are plenty more examples and databases with such vulnerabilities and even most of them got fixed in later versions of the software, a risk still exists.
So therefore, [2] is risky and should be handled with care.
answered 13 hours ago
OvermindOvermind
6,1511 gold badge11 silver badges21 bronze badges
6,1511 gold badge11 silver badges21 bronze badges
10
Another interesting threat of unpacking untrusted archives are zip bombs: Specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
2
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
@mbrig Well, in the end points 1 and 2 are mostly "identical" from a security perspective. They both deal with programs handling data in some way. If we include the possibility of bugs that allow an attacker to perform arbitrary code execution it can happen in both case 1 and 2. Downloading a file may be a "simpler" action with less chances of errors, but if you think at all the bugs in networking software (think heartbleed for example...) it's absolutely not out of this world. If you don't care about software bugs then opening a file in a text editor is fine, only execution is an issue.
– Bakuriu
2 hours ago
add a comment |
10
Another interesting threat of unpacking untrusted archives are zip bombs: Specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
2
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
@mbrig Well, in the end points 1 and 2 are mostly "identical" from a security perspective. They both deal with programs handling data in some way. If we include the possibility of bugs that allow an attacker to perform arbitrary code execution it can happen in both case 1 and 2. Downloading a file may be a "simpler" action with less chances of errors, but if you think at all the bugs in networking software (think heartbleed for example...) it's absolutely not out of this world. If you don't care about software bugs then opening a file in a text editor is fine, only execution is an issue.
– Bakuriu
2 hours ago
10
10
Another interesting threat of unpacking untrusted archives are zip bombs: Specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
Another interesting threat of unpacking untrusted archives are zip bombs: Specially crafted archives which seem small but unpack to huge amounts of data.
– Philipp
13 hours ago
2
2
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
I think it would be even more rare (and bordering on extreme paranoia), but it might be possible that the act of downloading (or copying) the file could exploit a vulnerability in a web browser/wget/curl/rsync/etc. I'm not sure if there's ever been an example of this.
– mbrig
4 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
If the system has an antivirus installed, the archive itself could be crafted to exploit a bug in the file-scanning routines that run when the file is downloaded too. See for example some of the CVEs for Windows Defender: cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/…
– Paul Belanger
3 hours ago
@mbrig Well, in the end points 1 and 2 are mostly "identical" from a security perspective. They both deal with programs handling data in some way. If we include the possibility of bugs that allow an attacker to perform arbitrary code execution it can happen in both case 1 and 2. Downloading a file may be a "simpler" action with less chances of errors, but if you think at all the bugs in networking software (think heartbleed for example...) it's absolutely not out of this world. If you don't care about software bugs then opening a file in a text editor is fine, only execution is an issue.
– Bakuriu
2 hours ago
In theory all of these places could be exploited. I am not going to go into specific exploits available as these change constantly with archive format and moving tech:
Initially downloading and saving the archived data (still packed)
It is unlikely but it is possible that your download manager / web browser does have some kind of exploit. You say the source is untrusted therefore the server could try and attack your download program using exploits in its implementation or weaknesses in the file transfer protocol you are using. These exploits are rare but not unheard of. But fundamentally unless you are certain your software is entirely unexploitable any network connection with a malicious server could result in an attack.
You can somewhat mitigate this by sandboxing the download software with only minimal permissions and access needed to the location you wish to download to and the network stack. This mostly mitigates this weakness assuming your OS permission model or sandboxing software do not also have exploits.
Unpacking the archived data
There are numerous attacks over the years involving using poisoned archive files to run arbitrary code on a system by exploiting weaknesses in the archive format or decompression software. These are probably more common than the above weakness.
The main protections are again making sure to give the extraction program minimal permissions and potentially sand-boxing it to ensure it can do minimal damage if it is attacked successfully. Caveats above apply.
Executing any file from the unpacked archive
This is obviously enormously risky, and the same issues as running any malicious software apply. It is relatively easy for software, when run explicitly, to break many sandboxes and permission system protections, so all bets are off. You can have some safety running the software in a hardened VM, but this still doesn't fully protect you short of using an airgapped machine to run the programs, which is then destroyed.
TLDR
All of these steps are fairly risky, but each successive step is probably more dangerous than the last.
answered 2 hours ago
Vality
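The answer's "unpacking" step is where a defender can add a cheap check before any decompressor runs on untrusted input: read only the archive's central directory and refuse entries that would escape the target directory, symlink entries, and implausible compression ratios. The script below is an added example, not code from the answer or from any archiver project; the limits, the `audit_zip`/`build_sample` names and the sample archives are all constructed here.

```python
import io
import posixpath
import zipfile

# Policy limits, constructed for this example; tune them per environment.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # declared extracted bytes, in total
MAX_RATIO = 100                            # uncompressed / compressed, per entry
MAX_ENTRIES = 10_000


def audit_zip(data: bytes) -> list:
    """Return policy findings for a ZIP given as bytes; an empty list means clean.

    Only the central directory is parsed, nothing is decompressed. A bug in the
    decompressor itself is therefore not reached here, which is exactly why the
    extraction step still belongs in a low-privilege sandbox.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            findings.append(f"too many entries: {len(infos)}")
        total = 0
        for info in infos:
            name = info.filename
            # Absolute names, backslashes, or a leading '..' after normalisation
            # would let a naive extractor write outside the target directory.
            escapes = posixpath.normpath(name).split("/")[0] == ".."
            if name.startswith("/") or "\\" in name or escapes:
                findings.append(f"path traversal: {name!r}")
            # Unix archivers keep st_mode in the high 16 bits of external_attr;
            # a symlink entry can redirect later entries outside the target.
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:
                findings.append(f"symlink entry: {name!r}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"compression ratio > {MAX_RATIO}: {name!r}")
        if total > MAX_TOTAL_UNCOMPRESSED:
            findings.append(f"declared size {total} exceeds {MAX_TOTAL_UNCOMPRESSED}")
    return findings


def build_sample(kind: str) -> bytes:
    """Constructed in-memory archives used to exercise the audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "plain text, nothing to see\n")
        if kind == "traversal":
            zf.writestr("../../outside.txt", "lands outside the target dir\n")
        elif kind == "bomb":
            zf.writestr("zeros.bin", b"\0" * 1_000_000)  # far over 100:1 under DEFLATE
        elif kind == "symlink":
            info = zipfile.ZipInfo("link")
            info.external_attr = 0o120777 << 16  # S_IFLNK | 0777
            zf.writestr(info, "../outside")
    return buf.getvalue()
```

Run `audit_zip` on the saved download before handing it to the extractor, and treat any finding as a reason to discard the archive rather than to "extract carefully".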
1
About the best someone can answer without a concrete case is, "it depends". Without details like how you are downloading and how you are unpacking, it is hard to say. For example, I believe cURL, Wget and some browsers unpack the ZIP for you, unless you take special measures to avoid the behavior. Or, an email client could unpack the ZIP file for you for previewing contents. However, using OpenSSL to fetch it will just save it to the filesystem.
– jww
3 hours ago