‘Non-recursive Zip bomb’ packs 4.5 petabytes of data into 46MB
David Fifield, a programmer and engineer, has just revealed a brand-new “Zip bomb” that compresses more than 4.5 petabytes of data into a single 46MB Zip file.
A “Zip bomb” or “compression bomb” is a malware variant: a Zip file, as small as a few kilobytes, that is compressed so heavily that decompressing it can completely fill up your hard drive. According to Motherboard, Fifield has “figured out how to ‘overlap’ files inside of a Zip archive, allowing for compression rates far beyond those of a traditional archive.”
Fifield’s file is much larger than that, requiring a 46MB base file to expand into a 4.5PB archive, but it doesn’t depend on recursion to achieve its compression.
Zip bombs traditionally use recursion because the DEFLATE algorithm used by ZIP parsers cannot achieve a compression ratio higher than 1032:1, so they could only reach their full compression potential recursively. Fifield found a way around this limitation.
“This article shows how to construct a non-recursive zip bomb whose compression ratio surpasses the DEFLATE limit of 1032. It works by overlapping files inside the zip container, in order to reference a “kernel” of highly compressed data in multiple files, without making multiple copies of it. The zip bomb’s output size grows quadratically in the input size; i.e., the compression ratio gets better as the bomb gets bigger.
The construction depends on features of both zip and DEFLATE—it is not directly portable to other file formats or compression algorithms. It is compatible with most zip parsers, the exceptions being “streaming” parsers that parse in one pass without first consulting the zip file’s central directory,” Fifield writes in his blog post detailing his discovery.
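The overlap and the 1032:1 ceiling described above give a defender two checks that can run before anything is extracted. The following is an added example, not code from this page or from Fifield's article; `Entry`, `read_entries`, `audit`, the `max_total` budget and the sample metadata are assumptions made for illustration.

```python
import io
import zipfile
from typing import NamedTuple

LOCAL_HEADER_FIXED = 30   # bytes in the fixed part of a zip local file header
DEFLATE_MAX_RATIO = 1032  # DEFLATE ceiling cited in the article

class Entry(NamedTuple):
    name: str
    header_offset: int  # where the entry's local header starts
    compress_size: int  # declared compressed size
    file_size: int      # declared uncompressed size (not verified)

def read_entries(data: bytes) -> list[Entry]:
    """List entries from the central directory; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [Entry(i.filename, i.header_offset, i.compress_size, i.file_size)
                for i in zf.infolist()]

def audit(entries: list[Entry], archive_size: int,
          max_total: int = 1 << 30) -> list[str]:
    """Return findings that should block extraction (empty list = none)."""
    findings = []
    ordered = sorted(entries, key=lambda e: e.header_offset)
    for prev, cur in zip(ordered, ordered[1:]):
        # Lower bound on where prev ends (name and extra field ignored),
        # so well-formed archives with back-to-back entries do not trip it.
        min_end = prev.header_offset + LOCAL_HEADER_FIXED + prev.compress_size
        if cur.header_offset < min_end:
            findings.append(f"overlap: {prev.name!r} / {cur.name!r}")
    total = sum(e.file_size for e in entries)
    if total > max_total:
        findings.append(f"size: declared output {total} exceeds {max_total}")
    if archive_size and total / archive_size > DEFLATE_MAX_RATIO:
        findings.append(f"ratio: {total / archive_size:.0f}:1 exceeds DEFLATE limit")
    return findings

def build_benign_zip() -> bytes:
    """Constructed sample: an ordinary two-file archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello world\n" * 50)
        zf.writestr("b.txt", b"second file\n" * 50)
    return buf.getvalue()

# Constructed metadata (not a real archive): entry "b" starts inside entry "a".
OVERLAPPING = [Entry("a", 0, 1000, 10_000_000), Entry("b", 40, 960, 9_000_000)]

if __name__ == "__main__":
    sample = build_benign_zip()
    print(audit(read_entries(sample), len(sample)), audit(OVERLAPPING, 1100))
```

The declared sizes come from the central directory and can be false, so an extractor should still enforce the output budget while it decompresses.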
To make this method work, Fifield had to go back to how data is stored in zip files and select the appropriate DEFLATE implementation.
He used a custom DEFLATE compressor called bulk_deflate, specialized for compressing a string of repeated bytes, because it could compress more data into the same space than the general-purpose compressors: about 26 kB more than zlib and Info-ZIP, and about 15 kB more than Zopfli, a compressor that trades speed for density.
While bulk_deflate outdoes these compressors, he notes that it isn’t as effective in general use cases. To surpass the limits and create a file with more than 281TB of output, he had to use Zip64, an extension to the zip format that increases the size of certain header fields to 64 bits. With Zip64, it is possible to develop a zip bomb of effectively infinite length.
You can find detailed information about how the zip bomb was made, what modifications were made to the underlying standard, and an evaluation of compression algorithms other than DEFLATE on Fifield’s blog.
Additionally, more information on this new zip-bomb method is expected to be unveiled during the USENIX Workshop on Offensive Technologies (WOOT), which takes place next month.