A security vulnerability report arrived that claimed that it could obtain unauthorized access to a password-protected ZIP file by the following means:
- Start with a password-protected ZIP file, call it “secret.zip”.
- Create a dummy ZIP file and give it the same password. Call this file “attack”.
- Open attack.zip in Explorer.
- Enter the password when prompted.
- Close attack.zip.
- Copy the secret.zip file on top of the dummy attack.zip file.
- Open “attack.zip” (which is now a copy of secret.zip).
- Observe that Explorer opens the impostor ZIP file without asking for a password. You have obtained unauthorized access to the secret.zip password-protected ZIP file.
As usual, we have to look at who the attacker is, who the victim is, and what the attacker has gained.
The attacker is, I guess, the user who is creating the attack.zip ZIP file and doing the fancy swap-in.
The victim is, I think, the person who created the original password-protected ZIP file “secret.zip”.
And what the attacker gained is access to a password-protected ZIP.
Wait a second, but in order for this trick to work, the attacker must already know the password to the secret.zip ZIP file, because they need to use that same password for the attack.zip ZIP file.
So what the attacker gained is “access to a password-protected ZIP file that they know the password to”, which is not really much of a gain at all. They could have done this in a much simpler way:
- Open secret.zip.
- Enter the password when prompted.
Explorer caches passwords for ZIP files to avoid having to bug the user for the password each time it goes back to the ZIP file.¹ For example, if the ZIP file is open in an Explorer window, and then you extract a file from the ZIP, then the ZIP file needs to be reopened to find that file and extract it. Before asking you for the password, it uses the password you used to open the ZIP file originally, and if that works, then the operation continues without needing to prompt again. It would be super-annoying if you had to re-enter the password for each file you extracted from a ZIP file.
“But why does it try the password even when it’s a different ZIP file?”
Well, what exactly is “a different ZIP file”?
If you define it as “A file with the same name but a different last-modified timestamp or with different contents is a different ZIP file”, then it means that any time you modify a password-protected ZIP file (say, to delete a file from it), you will have to re-enter the password. That seems wrong.
The finder here seems to mean that there is some metaphysical concept of “identity” that is broader than “files are byte-for-byte identical” (because they presumably want the password to be remembered even if, say, a single file is removed from the ZIP file), yet more strict than “a file is created” (because they want “overwriting the bytes of one file with the bytes of another file” to change the identity).
Now you’re dealing with some sort of Ship of Theseus thought experiment: Suppose the original file is modified one byte at a time until it matches the replacement file. At what point does it stop being the original file and start being the replacement?
Windows isn’t going to try to solve a philosophical conundrum from ancient Greece.
Windows uses the simple rule that if it has the same path, then it’s worth trying the same password.
But it’s just trying the password you already gave it. It did not magically determine the password for the file. If the password you gave it is incorrect, then Windows will prompt for the password. The only way you can gain access to the ZIP file is if you provide the password.
¹ The cache has session lifetime, so all of these cached ZIP passwords are forgotten when you sign out.
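To make the argument concrete, here is an added Python model of a per-path password cache. It is illustrative code written for this page, not Explorer's or Windows' implementation: the archive format (a salted PBKDF2 verifier standing in for real ZIP encryption), the `Viewer` class, the prompt callback, and the file names and passwords are all constructed for the example. It walks through the cases discussed above: reopening the same archive does not prompt, editing the archive under the same password does not prompt, a file with a password the user does not know gets a prompt and is denied, and the report's swap-in sequence "works" only because the user typed the password themselves at the first step.

```python
"""Toy model of Explorer-style per-path ZIP password caching (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Archive:
    """Constructed stand-in for a password-protected ZIP file.

    Instead of real decryption, the password is checked against a salted
    PBKDF2 verifier; the members list plays the role of the file contents.
    """
    path: str
    members: list
    salt: bytes
    verifier: bytes

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    @classmethod
    def create(cls, path: str, members, password: str) -> "Archive":
        salt = os.urandom(16)
        return cls(path, list(members), salt, cls._derive(password, salt))

    def unlocks(self, password: str) -> bool:
        """True if this password would decrypt the archive."""
        return hmac.compare_digest(self.verifier, self._derive(password, self.salt))


class Viewer:
    """Opens archives and remembers, per path, the last password that worked.

    This mirrors the rule in the post: same path, so try the same password.
    The cache never produces a password; it only replays one the user typed.
    """

    def __init__(self, prompt):
        self._cache: dict[str, str] = {}   # path -> password the user supplied
        self._prompt = prompt              # callback: path -> password or None
        self.prompts = 0                   # how many times the user was asked

    def open(self, archive: Archive) -> list:
        cached = self._cache.get(archive.path)
        if cached is not None and archive.unlocks(cached):
            return archive.members         # silent reopen: cached password works
        self.prompts += 1
        password = self._prompt(archive.path)
        if password is None or not archive.unlocks(password):
            raise PermissionError(f"wrong or missing password for {archive.path}")
        self._cache[archive.path] = password
        return archive.members

    def sign_out(self) -> None:
        """Session lifetime: everything is forgotten on sign-out."""
        self._cache.clear()


def run_scenario() -> dict:
    """Replay the post's cases; returns the prompt count observed at each step."""
    # Constructed: the passwords this particular user actually knows.
    known = {"secret.zip": "hunter2", "attack.zip": "hunter2"}
    viewer = Viewer(lambda path: known.get(path))
    log = {}

    secret = Archive.create("secret.zip", ["report.docx", "notes.txt"], "hunter2")
    viewer.open(secret)
    log["first open"] = viewer.prompts                 # asked once

    viewer.open(secret)
    log["reopen"] = viewer.prompts                     # cache hit, no prompt

    secret.members.remove("notes.txt")                 # edit under same password
    viewer.open(secret)
    log["after edit"] = viewer.prompts                 # still no prompt

    # An archive encrypted with a password this user does NOT know is copied
    # over the same path: the cached password fails, the prompt fails, no access.
    swapped = Archive.create("secret.zip", ["payroll.xlsx"], "correct horse")
    try:
        viewer.open(swapped)
        log["swapped"] = (viewer.prompts, "opened")
    except PermissionError:
        log["swapped"] = (viewer.prompts, "denied")

    # The report's steps: open attack.zip (typing the password), then copy
    # secret.zip over it. No prompt, but only because the user knew "hunter2".
    attack = Archive.create("attack.zip", ["dummy.txt"], "hunter2")
    viewer.open(attack)
    log["attack open"] = viewer.prompts
    copied = Archive("attack.zip", secret.members, secret.salt, secret.verifier)
    viewer.open(copied)
    log["attack after copy"] = viewer.prompts
    return log


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:18s} -> {result}")
```

The key property to notice is in `Viewer.open`: the cache entry is only ever a password the user already typed, and it is only honored if it actually unlocks the bytes now at that path. The swap-in therefore grants nothing the user could not have obtained by opening `secret.zip` and typing the same password.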
The post Dubious security vulnerability: Remembering passwords for recently-opened ZIP files appeared first on The Old New Thing.