#85 Trailing Fake EOCD Causes Archive to be Interpreted as Empty in unzip 6.0

[Ronish Bhatt]

Severity: Medium (Integrity / Anti-forensics / Parser Differential)

Affected Software:

• Info-ZIP UnZip 6.0 (confirmed)
• Other ZIP parsers using backward EOCD scanning (Python zipfile also affected)

Summary:
Appending a syntactically valid EOCD record (with zero entries) after the legitimate ZIP archive causes unzip 6.0 to select the fake EOCD during backward scanning.

This results in the archive being interpreted as empty, despite containing valid files.

Impact:

• Silent data integrity corruption
• Archive appears empty in listing tools
• Enables evasion of detection pipelines
• Enables inconsistent interpretation across tools

Technical Details:

• unzip scans backward for EOCD signature
• It does not enforce that EOCD must terminate the archive
• Appended data is treated as valid search space
• First EOCD encountered is accepted without verifying:
• its relation to actual central directory
• file structure consistency

Attack Construction:

1. Create a valid ZIP archive
2. Append arbitrary data after the archive 3. Embed a fake EOCD structure in appended data:
3. zero entries
4. empty central directory
5. Ensure fake EOCD is found before the real EOCD during backward scan

Observed Behavior:

• unzip -l → reports archive as empty
• zipinfo → shows 0 entries
• actual files remain present in archive

Expected Behavior:

• EOCD must be validated against:
• archive size boundaries
• central directory location
• EOCD located outside valid archive region should be rejected

Recommendation:

• Validate EOCD offset and central directory consistency
• Reject EOCD structures found in trailing data beyond archive bounds
• Enforce stricter structural integrity checks

Disclosure Timeline:

• Discovery: 23/03/2026
• Report: 23/03/2026

[Paul Marquess]

Hey Ronish

variations on this issue has been around for a while, but thanks for taking the time to formalise it in a ticket. Last one I heard of was embedding a complete zip file in the trailing zip comment.

A use-case where this could be used is where the unzipping code works in streaming mode and walks the local directory entries in turn without bothering about the Central Dirsctory & EOCD. In that case, the standard commandline tools would think this was a zip file with zero entries, but the streaming unzipper would see things differntly.