Zip Bombs II: Quine Bombs

In last week’s post I introduced the zip bombs and explained how to create a zip bomb using the recursion technique. I recommend that you take a look at it if you haven’t already done so. 

In this new entry I’m going to introduce the Quine Bombs. 

Quine Programs

In computing, a “quine” program is a program that replicates itself. In other words, a program whose source code generates its own source code as output. This is not easy to achieve. Let’s see an example.

If we execute print(1) in python, the output would be 1. We need the output to be the same as the input, in this case print(1). If we introduce as input print(“print(1)”), then we would get print(1) as output. But the input has changed, so we still don’t get it to replicate.

After giving it several turns, at the end you can do it playing with the recursion:

Quick explanation: I create a variable called lethani, which contains the text “print(‘lethani = ‘, repr(lethani)); print(lethani)”. Then I print the text ‘lethani = ‘ and the variable lethani between quotation marks (this is done by the repr function). Finally, I print the variable lethani.

But beyond being something entertaining, in principle it is not very useful in hacking. Or is it?

Quine Zips

Imagine that based on this logic, we got a zip that when unzipped generates the same zip. This is a bomb zip quine. If a recursive decompression were made, the system would decompress the zip, and when finding a new zip would try to decompress it, but this would generate a new zip that again would try to decompress … Thus in an infinite loop in which the system would never finish decompressing.

To consider doing this you have to understand how the zip decompression works, which is based on the LZ77 decompression. In this type of decompression two commands are used:

  • print M: prints the following M input lines. These lines will not be executed.
  • repeat M N: repeats the last M lines of the output, starting from the Nth line at the end.

It’s a bit confusing to understand at first, here are two examples explained how it works:

La izquierda es el input, la derecha el output. print 2 hace que las siguientes dos líneas, print 3 y print 4 se impriman en el output. Estas lineas no se ejecutan, asi que pasamos a repeat 1 1, que imprime en el output una línea empezando por la última línea del output, print 4.

The left is the input, the right is the output. print 2 causes the next two lines, print 3 and print 4 to be printed on the output. These lines are not executed, so we go to repeat 1 1, which prints in the output a line starting with the last line of the output, print 4.

En este segundo caso, print 0 imprime 0 lineas (es equivalente a la instrucción NOP), a continuación con print 2 se imprimen las siguientes dos líneas, print 1 y print 2, y por último se hace un repeat 3 2, por lo que se imprimen 3 líneas empezando por la penúltima del output. En ese momento en el output solo está el print 1 y el print 2, por lo que empezaría imprimiendo el print 1 (la penúltima del output), y como es también la primera línea de código del output y ya no hay más por encima, se pasa a imprimir la última línea del output, con lo que a continuación imprime el print 2, y de nuevo el print 1.

In this second case, print 0 prints 0 lines (it is equivalent to the NOP instruction), then print 2 prints the next two lines, print 1 and print 2, and finally makes a repeat 3 2, so they print 3 lines starting from the penultimate of the output. At that moment in the output there is only print 1 and print 2, so it would start printing print 1 (the penultimate of the output), and as it is also the first line of code of the output and there is no more above, it starts to print the last line of the output, which then prints print 2, and print 1 again.

If we manage to make a quine program using these two commands, then we can make a zip quine. To test it, I have found this website, with an interactive shell. I recommend you to visit it and try to make the program yourself. I got it this way after a while:

It is possible to make a quine program with these instructions. Therefore, it is possible to make a zip quine. However, translating from this pseudo-language to the one Zip uses is not an easy task, and requires a high level of programming. If you want more information about it, you can consult this post by Russ Cox, and look at this source code in Go that generates the zip quine.

Finally, from here you can download a copy of a zip that when unzipped generates itself.

However, these two methods of zip bombs that we have seen are actually well known by antivirus and operating systems, since they were discovered many years ago. Therefore, nowadays programs do not automatically decompress recursive folders, but decompress to a certain depth limit that is indicated in the configuration. The same applies to antivirus software. Therefore, these methods are not very effective if the scope of the attack are normal users who are going to decompress it with decompression programs like winRAR or 7zip.

But recently David Fifield has released a new way of making a zip bomb never seen before by overlapping files, which I will analyze next week in the third and last entry of zip bombs.

Lethani.

This Post Has One Comment

Leave a Reply