
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Thursday, March 12th, 2026: Zombie Zip;

Mar 12, 2026

Discussion of 'Zombie Zip' malformed archives that hide payloads by mismatching the declared compression method with the data actually stored. Examination of the practical limits of the trick and of updated tools that try to extract such ZIPs. Coverage of bcrypt's 72-byte input truncation, which can break authentication when salts are handled incorrectly. A note on a simple-git regex bug that lets malicious git parameters through and creates file-overwrite risks.
Zombie Zip Tricks Invalid Compression Flags
- Invalid ZIP entries can hide payloads by declaring the entry as 'stored' (uncompressed) while its data is actually deflated, which makes the archive unreadable to standard tools.
- Johannes Ullrich notes this forces the use of custom loaders or updated extraction tools, such as DDE's utility, that ignore the method flag and apply deflate anyway.
Treat Zombie Zip As Curiosity Not Major Threat
- Ignore the hype: treat 'Zombie Zip' as a curiosity rather than a widespread practical threat unless you see custom loaders for it in the wild.
- Use specialized tools, such as DDE's updated zip utilities, to extract payloads when necessary.
Bcrypt 72 Byte Truncation Can Nullify Passwords
- bcrypt only uses the first 72 bytes of its input, so a long salt prepended to the password can push the actual password bytes past that limit and remove the password's effect on the hash entirely.
- Johannes Ullrich cites FreshRSS, where a long prepended salt caused any password to validate because the salt alone exceeded 72 bytes.
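The failure mode described above, as an added example that is not code from the podcast or from FreshRSS: bcrypt itself is replaced by a SHA-256 stand-in that reproduces only the 72-byte truncation (an assumption made so the code runs offline without the bcrypt package), the 80-byte `APP_SALT` is constructed, and the pre-hash mitigation and the `audit_input` review check are this example's own.

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores every byte past this


def truncating_kdf(data: bytes) -> bytes:
    """Stand-in for bcrypt that reproduces ONLY its 72-byte truncation.
    Real bcrypt is a slow, salted KDF; SHA-256 is used here (assumption)
    so the example runs offline without the bcrypt package."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).digest()


# Constructed application-level salt, 80 bytes: longer than the limit.
APP_SALT = b"S" * 80


def legacy_hash(password: str, salt: bytes = APP_SALT) -> bytes:
    """The FreshRSS-style mistake: the long salt is prepended, so the
    password bytes begin at offset 80 and are dropped entirely."""
    return truncating_kdf(salt + password.encode())


def legacy_verify(password: str, stored: bytes, salt: bytes = APP_SALT) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def safe_hash(password: str, salt: bytes = APP_SALT) -> bytes:
    """Mitigation: pre-hash salt+password into a fixed 64-byte hex digest
    (no NUL bytes, under the limit) before the truncating KDF, and refuse
    to continue if the material could still be truncated."""
    material = hashlib.sha256(salt + password.encode()).hexdigest().encode()
    if len(material) > BCRYPT_INPUT_LIMIT:
        raise ValueError("input would be silently truncated")
    return truncating_kdf(material)


def safe_verify(password: str, stored: bytes, salt: bytes = APP_SALT) -> bool:
    return hmac.compare_digest(safe_hash(password, salt), stored)


def audit_input(salt: bytes, password: str) -> str:
    """Review check for existing code: classify whether the password
    still contributes to the hash after bcrypt's truncation."""
    if len(salt) >= BCRYPT_INPUT_LIMIT:
        return "password_ignored"      # every password validates
    if len(salt) + len(password.encode()) > BCRYPT_INPUT_LIMIT:
        return "password_truncated"    # only a prefix is checked
    return "ok"
```

With the legacy scheme every password, including the empty string, verifies against a stored hash; the pre-hashed scheme keeps the application salt but rejects wrong passwords.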
