Can a ZIP file auto-execute files from inside it

email zip

I had a conversation today with a staff member of my e-mail hoster, because the hoster had just blocked some mails from my customers because they contained ZIP files.

After I asked why the mails had been blocked, they replied that the customer had mailed me an executable zip file and, because there are currently a lot of mails with trojans attached, all mails with executable zip files would be automatically blocked.

Although I know that mailing executable zips is 99% surely a trojan, I was confused. An executable (self-extracting) ZIP archive would not be a *.zip file, but must be a *.exe file, right?
I replied that to the staff and told him that – afaik – no operating system in the world would ever treat and execute a *.zip file directly as a program.

He replied that (without offence), I would have a great lack of information. I'm more or less translating from his German mail now: In different versions of MS Windows, a zip file will be directly displayed as a folder. In the current version of OS X, an attached zip file will directly be extracted.
In both cases, the zip file will be scanned for special headers with additional directives. Executable code stored there will of course be executed without asking the user for permission.

That. I was baffled. How is "displaying a list of contents of the archive" the same as extracting and executing stuff from the archive? Because he implies that's the case. And although I think auto-extracting files like Apple Mail does is an absolute no-go, this would still not execute anything. Or does it? Does that guy know more about zip files than me after working with them since forever?

Best Answer

Some thoughts. I agree with you, but can see why a service provider would choose to block .zip files. I can't find too much information on some of these, I will update if I find any more info.

  1. There is such a thing as a zip bomb.

  2. The ZIP file format supports various compression formats - specified as a 16-bit value. Many operating systems would load a library for that method to handle compression and decompression. It doesn't look like a custom one can be specified. Windows .hlp had a vulnerability like this where the .hlp file could contain a custom DLL for display purposes, but it doesn't look like this can be done with .zip.

  3. Windows Explorer will read certain *.ini files (and other ones depending on the Windows version IIRC) and possibly run programs based on them. Windows 98 let you do a lot with this, whereas I believe in later versions it is restricted. I can't find anything on whether or not a Desktop.ini file in a zip archive will be processed by Explorer if opened. But this could be an attack vector.

  4. Technically ANY file opened by Windows that has a recognized extension launches a program. For .zip files by default that is explorer.exe, but could be another program if the user has installed a different ZIP application. If an attacker knows a user has WinZip, and is aware of a vulnerability of WinZip, the user could be targeted.

  5. SFX zips obviously can be malicious.
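A defender-side check for the points in this answer, as an added example that is not part of the original post: it reads only the archive's central directory, so nothing is extracted or run, and it flags the indicators named above (executable members, shell metadata files such as Desktop.ini, a compression method outside the two common ones, and a zip-bomb-like compression ratio). The sample archive, file names and the ratio threshold are constructed for illustration.

```python
import io
import zipfile

# Indicators drawn from the answer; the extension and name lists are assumptions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif", ".msi"}
SHELL_METADATA_NAMES = {"desktop.ini", "autorun.inf"}


def build_sample_zip() -> bytes:
    """Constructed in-memory archive with one benign and three suspicious members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly figures", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\0" * 64, compress_type=zipfile.ZIP_STORED)
        zf.writestr("desktop.ini", "[.ShellClassInfo]\n", compress_type=zipfile.ZIP_DEFLATED)
        # 200 KB of zeros deflates to a few hundred bytes: a zip-bomb-like ratio.
        zf.writestr("big.bin", b"\0" * 200_000, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_zip(data: bytes, max_ratio: float = 100.0):
    """Return (indicator, member_name) pairs using central-directory metadata only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(("executable_member", name))
            if base in SHELL_METADATA_NAMES:
                findings.append(("shell_metadata_file", name))
            # The 16-bit compression method field: anything beyond stored/deflate is rare.
            if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
                findings.append(("unusual_compression_method", name))
            # Declared sizes give the expansion ratio without decompressing anything.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append(("high_compression_ratio", name))
    return findings


if __name__ == "__main__":
    for indicator, member in inspect_zip(build_sample_zip()):
        print(f"{indicator}: {member}")
```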