2022-08-23

It is not uncommon to find documents or software distributed over the Internet as password-protected (compressed) ZIP files: not only does this avoid having to attach several files separately, it also adds an extra layer of security against unwanted glances at their content.

Imagine the surprise when someone discovers that this password is not the only way to open the ZIP file, according to Arseniy Sharoglazov, a cybersecurity researcher at Positive Technologies.

Sharoglazov has shown that an encrypted ZIP file can be opened with two different passwords: first, the one specified by its creator, but also another one. The existence of the latter can be attributed to a theoretical vulnerability (or, at least, an unexpected behaviour) of this class of ZIP files that was hitherto unknown.

If your password is too long, the ZIP saves something else (and bundles it)

Specifically, this vulnerability surfaces when the creator of the ZIP file sets a long password of 64 characters or more. In these cases, if the compression application is set to AES-256 mode when the ZIP password is set, it makes use of the PBKDF2 algorithm, which hashes the password.

That is, it produces an ASCII representation of the SHA-1 hash of the password we set. This is because the aforementioned algorithm works with 64-bit blocks, so it cannot directly handle a longer password.

Then, when the user tries to extract the contents of the ZIP again, the password they enter is hashed again and compared with the stored password hash. If the two match, the file is extracted without problems.

But if the comparison is made using the hash rather than the original password itself, wouldn't that mean we can also enter that hash as the password, even though it looks nothing like the original key?

Sharoglazov demonstrated this with an experiment: he created a protected file ‘X.ZIP’ and specified a password, specifically “Nev1r-G0nna-G2ve-Y8u-Up-N5v1r-G1nna-Let-Y4u-D1wn-N8v4r-G5nna-D0sert-You”, a tribute to Rick Astley’s ‘Never Gonna Give You Up’; he then re-extracted the archive using a totally different combination, “pkH8a0AqNbHcdw8GrmSp”, without any error being displayed.

🫢 Backdoor password in a ZIP! 1⃣ Create ZIP: 7z a https://t.co/og163C1Q2U /etc/passwd -mem=AES256 -p

Use this pwd: Nev1r-G0nna-G2ve-Y8u-Up-N5v1r-G1nna-Let-Y4u-D1wn-N8v4r-G5nna-D0sert-You 2⃣ Unpack it: 7z e https://t.co/og163C1Q2U

Use this pwd: pkH8a0AqNbHcdw8GrmSp 😅 Magic! pic.twitter.com/HkWV5AOby6 — Arseniy Sharoglazov (@_mohemiv) August 20, 2022
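To see why a second password can work at all, here is an added Python example (not part of the article or of Sharoglazov's tweet): HMAC-SHA1 replaces any key longer than its 64-byte block with the key's SHA-1 digest, so PBKDF2-HMAC-SHA1 derives exactly the same ZIP key material from a long password and from its 20-byte digest. The salt is constructed; the 1000 iterations and 66-byte output follow the WinZip AES-256 scheme, but the equality holds for any salt and iteration count.

```python
import hashlib

# The 71-character password from the article (longer than HMAC-SHA1's 64-byte block).
ARTICLE_PASSWORD = b"Nev1r-G0nna-G2ve-Y8u-Up-N5v1r-G1nna-Let-Y4u-D1wn-N8v4r-G5nna-D0sert-You"
# The second password shown in the tweet; the article reports it is the SHA-1 of the first.
ARTICLE_ALTERNATE = b"pkH8a0AqNbHcdw8GrmSp"

HMAC_SHA1_BLOCK = 64  # bytes; keys longer than this are pre-hashed by HMAC (RFC 2104)


def alternate_password(password: bytes) -> bytes:
    """Return the 20-byte SHA-1 digest that HMAC-SHA1 silently substitutes for a
    password longer than its block size. No equivalent exists for shorter passwords."""
    if len(password) <= HMAC_SHA1_BLOCK:
        raise ValueError("password not longer than the HMAC block; no second password exists")
    return hashlib.sha1(password).digest()


def derive_zip_key(password: bytes, salt: bytes, iterations: int = 1000, length: int = 66) -> bytes:
    """PBKDF2-HMAC-SHA1 as used by WinZip-style AES-256 entries: 32-byte cipher key,
    32-byte HMAC key and 2-byte password-verification value (66 bytes in total)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=length)


def same_key(pw_a: bytes, pw_b: bytes, salt: bytes) -> bool:
    """True when both passwords pass the verifier and decrypt the same entry."""
    return derive_zip_key(pw_a, salt) == derive_zip_key(pw_b, salt)


def is_typeable(b: bytes) -> bool:
    """A digest only becomes a usable second password when every byte is printable ASCII,
    which is why the tweet's original password had to be chosen with care."""
    return all(0x21 <= c <= 0x7E for c in b)


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed salt; a real archive stores a random one
    alt = alternate_password(ARTICLE_PASSWORD)
    print("SHA-1 of article password matches tweet's second password:", alt == ARTICLE_ALTERNATE)
    print("Same derived key for both:", same_key(ARTICLE_PASSWORD, alt, salt))
    # A 64-byte password is used as-is by HMAC, so its digest is NOT an alternative.
    short = b"A" * 64
    print("64-byte password also opens with its digest:",
          same_key(short, hashlib.sha1(short).digest(), salt))
    print("Digest of random long password is typeable:",
          is_typeable(hashlib.sha1(b"x" * 65).digest()))
```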

Is it serious that password-protected ZIP files behave like this? Well, when it comes to security, not very, because “it is necessary to know the original password to generate a hash of said password”, as Sharoglazov explains. And that removes any value it might have in making it easier for a third party to ‘break’ the security of our compressed files.

Via | BleepingComputer

Image | FREE-VECTORS.NET