I ran a malware scanner on my site, and it marked a bunch of zipped EXE files as potential risk files (these files got uploaded by users). Since I'm able to uncompress the files on my Mac I assume these are real ZIP files and not just something like renamed PHP files.
So the ZIP file shouldn't be any risk for my web server, right?
If they are indeed zipped Windows exe files, they should be harmless to your Linux system, unless you have something like Wine in place that could try to execute them.
But if they are in your web path, they could be malware and pose a big risk for your web sites' visitors (and you in turn, if you end up being marked as malware source and users get ugly warnings when they try to visit your site).
While you're probably right in this case, your assumption might not always hold. A ZIP archive remains valid even if you prepend arbitrary data to it, so it's quite possible to create a file that is simultaneously a valid ZIP archive containing innocent data and also a malicious PHP script. It's not even particularly hard; just concatenate the PHP code and the ZIP file, and make sure (e.g. using __halt_compiler()) that PHP won't try to parse the appended ZIP archive data. This trick is legitimately used to create self-extracting ZIP files, but it's perfectly possible to prepend any other hidden data or executable code into a ZIP file in the same way. Some programs may refuse to open such modified ZIP files (but if so, they're technically violating the ZIP format spec), or they may identify the file as something other than a ZIP file by default, but generally, if you feed such a file into code that expects a ZIP file, it will probably be accepted as one.
A more common malicious use of such tricks is to disguise exploit code in a ZIP-based container (e.g. a JAR file) as something harmless (like a GIF image, as in the GIFAR exploit), but there's no reason it couldn't be used in the other direction too, e.g. to bypass a naïve file upload filter that forbids uploading PHP scripts but allows ZIP files, without checking if the uploaded file might be both at the same time.
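A defender-side check for the prepended-data trick described in this answer, added here as an example (my own code, not the answer's): it reads the End Of Central Directory record to measure how many bytes precede the archive proper, and shows that Python's zipfile still opens such a file. The sample archive, the PHP stub and the helper names are constructed for the demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory signature


def zip_prefix_length(data: bytes) -> int:
    """Return the number of bytes that precede the archive proper.

    The EOCD record (searched backwards, allowing for a trailing comment)
    records the central directory's size and offset as written. For a plain
    concatenation those offsets are stale, so the gap between where the
    directory actually is and where it claims to be is the prepended prefix.
    If offsets were rewritten after prepending (e.g. `zip -A`), that gap is
    0, but the first entry's local-header offset still exposes the prefix.
    """
    eocd_pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd_pos < 0:
        raise ValueError("not a ZIP archive: no EOCD record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    shift = eocd_pos - cd_size - cd_offset
    if cd_size == 0:
        return shift  # empty archive: only the EOCD record exists
    # Local-header offset lives at +42 in the first central directory entry.
    (local_off,) = struct.unpack_from("<I", data, cd_offset + shift + 42)
    return shift + local_off


def looks_like_php_polyglot(data: bytes) -> bool:
    """Flag uploads whose prefix carries a PHP open tag; a stricter upload
    filter would simply reject any archive with a non-zero prefix."""
    prefix = data[:zip_prefix_length(data)]
    return b"<?php" in prefix or b"<?=" in prefix


def still_a_valid_zip(data: bytes) -> bool:
    """zipfile tolerates prepended data, which is the answer's point."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip() is None


def build_samples():
    """Constructed sample: a clean archive, and the same bytes behind a
    harmless PHP stub terminated by __halt_compiler()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content\n")
    clean = buf.getvalue()
    polyglot = b"<?php /* constructed stub */ __halt_compiler();" + clean
    return clean, polyglot
```

Rejecting any upload where zip_prefix_length() is non-zero is the simpler rule; the tag scan only illustrates what such a prefix can hide.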
There are at least two notable considerations you should take into account:
So, depending on what your server does, the file could potentially be harmful for your server or other users. Since I'm quite wary of EXEs downloaded from the Internet, I'd say that possible downloaders are the users most at risk here.
You can check if the files happen to be runnable on your Linux server by simply checking them with the command file FILENAME.exe. ELF binaries (the executable format used on Linux) can be named with a .exe extension to confuse an unsuspecting Linux admin, so it's probably a good idea to make that check before blindly trusting that these files are not runnable.

I'm surprised that no one mentioned that any data can happen to be (or be made to be) harmful to any (buggy) program. That's the basis of fuzzing. For example, you could have a JPEG (or JPEG-like) file that causes a buffer overflow on (specific?) JPEG decoders, causing anything from a denial of service to arbitrary code execution. This is about subverting an existing data-processing program; no need to bring in a new executable! And this is the reason why sandboxing, input sanitization and least-privilege principles are needed.
So, in your case, you could have a ZIP file causing problems on (specific?) ZIP-decoding engines. No need for the ZIP file to contain a native executable for it to be harmful.
Having said that, your scanner is working at another, coarser level. If the kind of risk I'm talking about existed in those files, you already got hit the moment you processed them :).
There have been attacks that embed data and still present files as valid. In an incorrectly configured server or in an incorrectly coded app, these could cause code to be executed on your server.
So, careful with that as well.
An additional check you ideally should put in place is the PHP finfo method, to check if the files being uploaded by the users are actually what you allowed, and not files that the users renamed just to fool the system.
Unzipped .exe are also harmless for Linux servers.