
My ZIP isn't your ZIP: Identifying and exploiting semantic gaps between parsers


Yufan You, Tsinghua University; Jianjun Chen, Tsinghua University and Zhongguancun Laboratory; Qi Wang, Tsinghua University; Haixin Duan, Tsinghua University and Zhongguancun Laboratory

Distinguished Paper Award Winner

ZIP is one of the most popular archive formats. It is used not only for archive files, but also as the container for other file formats, including office documents, Android applications, Java archives, and many more.

In this paper, we develop a differential fuzzer, ZipDiff, and systematically identify parsing inconsistencies between 50 ZIP parsers across 19 programming languages. We demonstrate five real-world scenarios where these parsing ambiguities can be exploited, including bypassing secure email gateways, spoofing office document content, impersonating VS Code extensions, and tampering with signed nested JAR files while still passing Spring Boot's signature verification. We responsibly reported the vulnerabilities to the affected vendors and received positive feedback, including bounty rewards from Gmail, Coremail, and Zoho, and three CVEs from Go, LibreOffice, and Spring Boot.
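The abstract does not spell out which ZIP ambiguities ZipDiff found, so the following is an added example, not the paper's code or data: it shows one well-known class of gap between ZIP parsers. A ZIP file carries its index (the central directory) at the end, while each member also has its own local file header in the body. A parser that trusts the central directory (Python's zipfile does) and a parser that simply walks local headers from offset 0 (common in streaming extractors) can therefore disagree about what the archive contains. The sample archive is constructed by hand here: two stored members named README.txt, of which the central directory lists only the first. The streaming parser, the "last name wins" policy, and the differential check are assumptions of this example, not behaviour the page attributes to any specific product.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory record
EOCD_SIG = b"PK\x05\x06"     # end of central directory


def _local_member(name: bytes, data: bytes) -> bytes:
    """Local file header (method 0 = stored, no data descriptor) followed by the data."""
    return struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, 0,
                       zlib.crc32(data), len(data), len(data), len(name), 0) + name + data


def _central_record(name: bytes, data: bytes, offset: int) -> bytes:
    """Central directory record that points at the local header at `offset`."""
    return struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                       zlib.crc32(data), len(data), len(data), len(name),
                       0, 0, 0, 0, 0, offset) + name


def build_ambiguous_zip(name: bytes = b"README.txt",
                        listed: bytes = b"hello\n",
                        hidden: bytes = b"evil\n") -> bytes:
    """Constructed sample: two local members with the same name, but the
    central directory lists only the first one (the 'hidden' member is unindexed)."""
    body = _local_member(name, listed) + _local_member(name, hidden)
    cd = _central_record(name, listed, 0)  # only the first member is indexed
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cd), len(body), 0)
    return body + cd + eocd


def central_directory_view(blob: bytes) -> dict:
    """What a central-directory-driven parser (Python's zipfile) reports."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def streaming_view(blob: bytes) -> dict:
    """What a parser that walks local headers from offset 0 reports.
    Assumed policy: a repeated name overwrites the earlier one (last wins).
    Handles only stored members without data descriptors, as in the sample."""
    pos, seen = 0, {}
    while blob[pos:pos + 4] == LOCAL_SIG:
        fields = struct.unpack("<4sHHHHHIIIHH", blob[pos:pos + 30])
        csize, nlen, xlen = fields[7], fields[9], fields[10]
        name = blob[pos + 30:pos + 30 + nlen].decode()
        start = pos + 30 + nlen + xlen
        seen[name] = blob[start:start + csize]
        pos = start + csize
    return seen


def parser_disagreements(blob: bytes) -> dict:
    """Differential check: member names whose content depends on which parser you ask.
    Maps name -> (central directory content, streaming content)."""
    a, b = central_directory_view(blob), streaming_view(blob)
    return {n: (a.get(n), b.get(n)) for n in a.keys() | b.keys() if a.get(n) != b.get(n)}


if __name__ == "__main__":
    sample = build_ambiguous_zip()
    print(parser_disagreements(sample))
```

Run as a script, the check reports README.txt with two different bodies: the indexed "hello" for the central-directory reader and the unindexed "evil" for the streaming reader. A scanner or signature verifier that uses the first view while the consumer uses the second is exactly the kind of gap the abstract describes; a defensive parser should reject archives whose local headers and central directory do not agree one-to-one.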
