A quick post today just to tell you about my little adventure with password-protected zip files.
What do you use to extract .zip files? I'm pretty sure almost all the readers out there are using an external program like WinZip. I prefer 7-Zip, but Windows can extract zip archives too. I use the Windows built-in extractor when I'm running XP in a virtual machine. Some days ago I noticed a strange behaviour when extracting a series of protected zip files in sequence: the system doesn't ask for the password.
I was extracting some malware samples in sequence, all of them downloaded from the same site and all of them protected with the same password. I was asked for the password only for the first file I opened. Knowing that, it's possible to guess why it happens. The light bulb didn't appear over my head, and I spent some time looking at zipfldr.dll (the system uses this dll to handle password-protected zip files). Anyway, do you have a reasonable answer?
Well, the answer is pretty easy: the zip password remains in memory. What does that mean?
When you extract one or more files from a password-protected zip archive, a dialog appears asking you to enter the right password. You type the password into the box and all the files are extracted. When you perform the same operation on a new zip file the system repeats the same steps, but it first tries the old password against the new archive. If the password is wrong the dialog box appears; otherwise it uses the password that is stored somewhere inside the dll (at 0x7332757C under XP SP1/SP3). The code inside the dll doesn't delete the password once the file(s) have been fully extracted.
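To make the two designs concrete, here is a small simulation I wrote for this post; it is not code from zipfldr.dll, and the archives, paths and passwords in it are constructed. It models only the password-handling logic: pattern A keeps the last accepted password in a static buffer and tries it first on the next archive, which is the behaviour described above; pattern B keeps the password in a buffer for one extraction and wipes it with volatile stores before returning, so nothing survives in process memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an encrypted archive: we only model whether a
 * candidate password unlocks it, not the zip format itself. */
typedef struct {
    const char *path;
    const char *password;   /* password the archive was protected with */
} archive_t;

#define PW_MAX 64

static bool password_unlocks(const archive_t *a, const char *pw) {
    return strcmp(a->password, pw) == 0;
}

/* ---- Pattern A: cache the last accepted password (the behaviour described in the post) ---- */

/* Static buffer: lives for the whole process and is never cleared. */
static char cached_pw[PW_MAX];

/* Returns true if the user had to be prompted. `typed_pw` stands in for what
 * the user would type if the dialog appeared. */
bool extract_caching(const archive_t *a, const char *typed_pw) {
    if (cached_pw[0] != '\0' && password_unlocks(a, cached_pw))
        return false;               /* old password reused, no dialog shown */
    if (!password_unlocks(a, typed_pw))
        return true;                /* wrong password: dialog stays up */
    snprintf(cached_pw, sizeof cached_pw, "%s", typed_pw);
    return true;                    /* extracted, password now cached */
}

/* ---- Pattern B: hold the password for one extraction only, then wipe it ---- */

/* Volatile byte stores: a plain memset on a buffer that is never read again
 * may be optimised away as a dead store; a volatile store may not. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* `work` is the caller-visible buffer the password passes through, so the
 * caller can check afterwards that nothing survived. */
bool extract_wiping(const archive_t *a, const char *typed_pw,
                    char *work, size_t work_len) {
    snprintf(work, work_len, "%s", typed_pw);
    bool ok = password_unlocks(a, work);
    /* the actual extraction would use `work` here */
    secure_wipe(work, work_len);
    return ok;
}

static bool all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    while (n--) acc |= *p++;
    return acc == 0;
}

/* Scenario from the post: two archives from the same source, same password.
 * Returns true if the second archive opened without a prompt AND the
 * password is still readable from the static buffer afterwards. */
bool caching_leaks_password(void) {
    memset(cached_pw, 0, sizeof cached_pw);
    archive_t a = { "C:\\samples\\sample1.zip", "infected" };   /* constructed */
    archive_t b = { "C:\\samples\\sample2.zip", "infected" };   /* constructed */
    bool prompted_first  = extract_caching(&a, "infected");
    bool prompted_second = extract_caching(&b, "");   /* nothing typed: no dialog */
    return prompted_first && !prompted_second
        && strcmp(cached_pw, "infected") == 0;
}

/* Same archive handled by pattern B: extraction succeeds and the buffer the
 * password passed through reads back as all zeros. */
bool wiping_clears_password(void) {
    archive_t a = { "C:\\samples\\sample1.zip", "infected" };   /* constructed */
    char work[PW_MAX];
    bool ok = extract_wiping(&a, "infected", work, sizeof work);
    return ok && all_zero((const unsigned char *)work, sizeof work);
}

int main(void) {
    printf("caching pattern leaves password in memory: %s\n",
           caching_leaks_password() ? "yes" : "no");
    printf("wiping pattern clears password: %s\n",
           wiping_clears_password() ? "yes" : "no");
    return 0;
}
```

The volatile-store wipe is the same idea as SecureZeroMemory on Windows: the point is that the compiler is not allowed to drop the store just because the buffer is about to go out of scope. Pattern B also means every archive prompts again, which is the behaviour the post expected and didn't get.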
Is it somehow dangerous?
As I said before, only a few people use the internal extractor, so I don't think it's such a dangerous behaviour. However, it's possible to steal a zip password by accessing a public computer. The path of the last opened zip file remains in memory too (not at a static address, btw), and a quick scan of memory could be enough to retrieve a valid file/password combination.