Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Data Storage Software Technology

The Most Clever 'Zip Bomb' Ever Made Explodes a 46MB File To 4.5 Petabytes (vice.com) 102

Programmer and engineer David Fifield has unveiled a brand-new Zip bomb that explodes a 46-megabyte file to 4.5 petabytes of data. Fifield's new type of "Zip bomb" or "compression bomb" is particularly novel because he "figured out how to 'overlap' files inside of a Zip archive, allowing for compression rates far beyond those of a traditional archive," reports Motherboard. From the report: In an email interview, Fifield noted that, while 42.zip (which has a 106 billion-to-one compression ratio and has been hosted on the same single-serving website for at least 15 years) gets much of the attention, he finds later attempts more technically interesting. "eI find 42.zip inspiring on an aesthetic level -- not so much the file itself but the circumstances around it," Fifield said. "It's like folklore. There must have been many examples of the same basic idea, but for whatever reason 42.zip is the one that had staying power."

Fifield noted that part of what makes his process possible was by coming up with ways to handle cyclic redundancy checks, or CRCs, a basic error-correction functionality baked into Zip, PNG, Ethernet, and numerous other technical standards. Messing around with CRC -- 32 checksums, as they're called, was where Fifield said he learned the most. Fifield, who will present his findings at the USENIX Workshop on Offensive Technologies (WOOT) conference next month, noted that while the work itself adds to a history of research and likely will be superseded in the future, its benefit from an awareness standpoint is important.

This discussion has been archived. No new comments can be posted.

The Most Clever 'Zip Bomb' Ever Made Explodes a 46MB File To 4.5 Petabytes

Comments Filter:
  • In other news.... (Score:5, Insightful)

    by Viol8 ( 599362 ) on Thursday July 11, 2019 @05:12AM (#58906780) Homepage

    ... someone discovered that if you have a 4.5 petabyte file filled with the same character everywhere you can shrink it down to a few bytes using run length encoding.

    • /dev/zero to the rescue!
    • In even more news, CRC32 is an error-correction algorithm.

    • Re:In other news.... (Score:4, Interesting)

      by jellomizer ( 103300 ) on Thursday July 11, 2019 @07:40AM (#58907098)

      I did that (In gigabyte size) down to a zip file of a few K. Mainly as part of a tool to test new Disk interfaces in Disk Arrays about a 18 years ago.

      I had a small zip file, which I could put that with a shells script on a floppy disk (which were still common at the time) Then the script found all the mapped drives it then preceded to unzip the file onto different disks, and then it would zip the file up and uncompressed it to the next disk, then compress it. Logging the time it took when it goes full circle. I just compare all the newly formed zip files, and they should be equal. It tested the Read and Write with large data sets on the disk and spotted any problems.

      I never knew it had a name, or it was considered a novel approach.

    • ... someone discovered that if you have a 4.5 petabyte file filled with the same character everywhere you can shrink it down to a few bytes using run length encoding.

      Zip doesn't use RLE.

    • If you are just talking about pure algorithms, you're right.

      The trick is getting the implementation that ZIP uses to get it to work, as there are built-in limitations on file size, various issues with CRC sizing, etc..

  • This is new to me (Score:3, Interesting)

    by Anonymous Coward on Thursday July 11, 2019 @05:12AM (#58906782)

    I've never heard of 42.zip.

    But I have heard of the gzipped googolplex [selenic.com].

    Much smaller download, too...

    • by LordHighExecutioner ( 4245243 ) on Thursday July 11, 2019 @05:45AM (#58906836)
      You can find all you need to know on this site [unforgettable.dk]. Just uncompress the 42.zip file and read carefully the enclosed documentation.
    • Re:This is new to me (Score:4, Interesting)

      by Joce640k ( 829181 ) on Thursday July 11, 2019 @07:14AM (#58907008) Homepage

      Much smaller download, too...

      Yep. The fact that a 46Mb zip file can expand to something big doesn't really strike me as newsworthy.

      • Much smaller download, too...

        Yep. The fact that a 46Mb zip file can expand to something big doesn't really strike me as newsworthy.

        Can you create a zip file with a larger expansion factor?

        • How many zeros can you fit in a 46 MB compressed ZIP file?

        • by Shaitan ( 22585 )

          Why would you when you can just whip up a perl or python script that is smaller and does it? Or better yet, why do it at all?

          • by Anonymous Coward

            To crash anti-virus systems which unzip archives in order to examine them for nefarious gubbins. It was a nice way to take down a mail server about twenty years ago until the server programs got wise and limited the maximum memory for threat detection.

            It's pure malice.

          • Comment removed (Score:5, Insightful)

            by account_deleted ( 4530225 ) on Thursday July 11, 2019 @09:03AM (#58907408)
            Comment removed based on user account deletion
            • and most programmers make assumptions there are reasonable limits to how big such files will be.

              There's no reason to need assumptions. Just do an 'unzip -l' on the file and it will tell you how big the uncompressed files will be. For example, unzipping 42.zip will result in 16 files that are 34902 bytes long. For any working unzip, that is. Any unzip that is automatically recursive is broken.

            • by Wolfrider ( 856 )

              â"The major standalone archivers (winzip, winrar, 7zip, etc) should code their stuff to be able to detect hacks like this (much like the famous bash forkbomb) and refuse to extract the archive, or at least pop up a warning.

          • Both for malicious purposes, and to test software against those who do have malicious purposes. Zip bombs can be used to break things like antivirus scanners, file-browser previewers, any website that accepts files bundled in zip as submissions, document management systems - any software which will automatically decompress zips, really. Unless the programmer specifically thought of this possibility, it might be possible to not just crash the software by exhausting memory or disk space, but the OS as well.

            Th

          • Python? Perl? Do you even dd /dev/null?

  • I mean, starting at 32 floppies it's impossible to keep track
  • Wasn't there an ZIP bomb that was only a few 10s of KB that unzipped indefinitely until a HDD was full without end? Or in the case of FAT32 until you hit 4GB?

  • but for whatever reason 42.zip is the one that had staying power."

    Really? REALLY? You just lost half your "Programmer and engineer" creds there. I suggest you take some time off and enjoy some Vogon poetry.

  • It's like a digital snake pellet: light it and stand the hell back, and do mind the cleanup afterward.

  • Comment removed based on user account deletion
  • Bonus points if you get that reference.

    • Swallowing the Red Pill... Where do I claim my points? And, what are these "points" good for?

    • Bill and Ted's Excellent Adventure?

      Of course I figure you mean Johnny Mnemonic.

      Could be Parenthood, maybe (the grad racing).

      Chain Reaction was good in my opinion.

  • by roc97007 ( 608802 ) on Thursday July 11, 2019 @11:40AM (#58908182) Journal

    4.5 petabytes. Must be Kardashian porn.

    Makes sense it'd shrink to almost nothing.

  • It's no wonder the file is so big!

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...