VU#976247: Retraction of "Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed ZIP archives"

Overview

Malformed ZIP headers can be used to obfuscate malicious content in ZIP files from antivirus detection tools. Despite the presence of malformed headers, custom extraction software can decompress the ZIP archive, allowing potentially malicious payloads to be recovered after successful antivirus evasion.

After a review of the researcher’s published PoC and further analysis of the case, we have determined that this issue does not meet the necessary criteria to be considered a vulnerability. The originally reported behavior was based on a misunderstanding of native archive-handling capabilities in common operating systems such as Windows and Linux. It was initially believed that native extraction tools could successfully decompress ZIP files with malformed headers, while EDRs and antivirus security tools would fail. After additional testing, we have determined that extraction is not possible through standard archiving tools, and recovering the payload would instead require a custom loader. Accordingly, this technique can be more accurately described as an obfuscation method, as it does not meaningfully violate any implicit or explicit security boundaries.

Description

ZIP archives contain metadata such as compression method, flags, and version information. Antivirus engines typically rely on this metadata to determine how to preprocess files before scanning. If an attacker modifies the compression-method header field, antivirus software may fail to properly decompress the file and will, therefore, be unable to analyze the actual payload.

After antivirus evasion, the payload can be recovered by using a custom loader that ignores the declared Method field and instead decompresses embedded data directly. This allows an attacker to hide malicious content from antivirus engines while still being able to recover it programmatically.

Notably, standard extraction tools (e.g. 7‑Zip, unzip, bsdtar, Python’s zipfile) trust the declared compression method and attempt decompression but then fail with CRC or “unsupported method” errors. These tools do not extract the payload and do not expose the underlying data.

This vulnerability is similar to VU#968818, CVE-2004-0935 but requires unique unpacking tools to enable any abuse or misuse.

Impact

This ZIP header obfuscation method requires custom tooling to fully recover the concealed malicious content. The impact of this obfuscation technique is limited to systems where other security policies (e.g., running arbitrary unzipping tools) may need to be bypassed to enable such an attack.

Solution

Antivirus and EDR vendors should consider alerting on such behavior to ensure their customers are aware of malformed headers in zip content. Users should not use third-party tools or custom unzip capabilities to allow malicious content to be installed on their systems.

Acknowledgements

Thanks to the reporter, Christopher Aziz. This document was written by Laurie Tyzenhaus.