Introduction

GNU Zip (GZIP) is a single-file lossless compression format used widely in Unix-like environments, identifiable by the .gz extension. They’re commonly used to compress TAR archives – the result of which is the familiar .tar.gz or “tarball” format.

Unlike most other mainstream compression formats, GZIP is both a file format and a compression tool. This dual role makes it a foundational utility in system workflows and data transfer processes alike, allowing for seamless integration into pipelines where both compression and decompression are handled with a standardized command.

In this article, we’ll explain how GZIP is structured, how it compresses data using the “DEFLATE” algorithm, and why it remains a powerful & widely used tool decades after its introduction to the technology landscape. We’ll also discuss the ways in which GZIP files are commonly abused as a threat vector, and we’ll review how Cloudmersive’s Advanced Virus Scan API mitigates such threats with deep content verification.

GZIP the Format vs. GZIP the Tool

As mentioned before, GZIP functions both as a unique file format and a compression utility.

As a file format, GZIP performs the role of specifying how compressed data is stored – including headers, footers, metadata, etc. It stores data in a single compressed stream using the DEFLATE algorithm, wrapped with a standardized header and footer. These include integrity checks and optional metadata.

The technical specification for GZIP is officially documented in Request for Comments (RFC) 1952, which sets a rigorous standard for how these files are intended to be structured and interpreted (a critical piece in GZIP format validation, which we’ll get to later).

As a compression utility, GZIP allows users to compress and decompress files using the gzip command-line tool. There are several different implementations of this utility, each supporting variations in compression level, speed, and metadata handling.

GZIP’s compression utility is technically limited to compressing a single stream, but it’s often combined with TAR to get around this. TAR makes it possible to archive multiple files before compression takes place.

GZIP File Structure

As a file, we can think of GZIP as a straightforward container format which wraps compressed data with metadata and integrity checks. The format was designed with both simplicity and robustness in mind, which is why it supports only one file (or stream, as we previously called it) per .gz file.

A valid .gz file must always start with a 10-byte header, which includes a magic number (identifying the file as GZIP), a compression method (typically DEFLATE), flags (indicating the presence of optional metadata), and a timestamp (indicating the modification time of the original file).

It must also consist of a body, which contains the DEFLATE-compressed data. The DEFLATE compression method notably combines LZ77 compression with Huffman encoding for lossless data reduction.

Finally, all GZIPs must contain an 8-byte footer at the end of the file. These include a checksum to verify data integrity – and, crucially, the original uncompressed size of the file.

Where We See GZIP Used

More than 30 years after its introduction, GZIP is still widely used for HTTP compression on web servers, software package distribution (especially in Unix/Linux systems), and in data pipelines and backups where powerful stream compression is needed. It’s still a go-to format for lossless compression in text-heavy and archival contexts alike.

GZIP Security and Vulnerabilities

There’s nothing inherently malicious about GZIP files – they’re just simple, well-documented container formats as we’ve outlined above.

They can, however, be exploited in several ways. When weaponized, they're typically used as a wrapper for dangerous content, or malformed to be improperly parsed by security tools.

GZIP Decompression Bombs

Threat actors can craft a seemingly small, innocuous .gz file which expands into gigabytes of data when uncompressed. This can potentially overwhelm memory and/or disk resources, triggering Denial of Service (DoS) conditions. This is one of the most common vulnerabilities involving compressed file formats in general.

Malicious Payloads Hidden via Compression

Compression doubles as a powerful form of code obfuscation. Threat actors can compress all kinds of malicious content – including scripts, executables, or fully fledged documents bearing threats of their own – within .gz files to sneak them past basic content security scanners. These malicious payloads only become identifiable as such after decompression, which means threat detection may only occur after the insecure content has been extracted.

Multi-Member GZIP Files

While we’ve noted that GZIP files technically only support a single stream, that stream can be abused.

'

Multiple compressed streams can be concatenated (combined) in a single file, and if a security tool only scans the first member of that stream, malicious content hidden within later members may go undetected.

Nested GZIP Compression

Recursive compression is an omnipresent threat among most compressed file formats and tools. .gz files can contain other compressed .gz files, and that chain can run incredibly deep. This making parsing .gz content extremely complex, and it gives threat actors the opportunity to bury malicious content deeper than some security tools may be configured to check.

GZIP Threats in the Wild

We’ll look at a fairly recent CVE in this section which highlights one example of a vulnerability exploited with GZIP files.

CVE-2022-37434 was a heap-based buffer overflow vulnerability found in the popular zlib library. This library handles DEFLATE compression, which GZIP uses. Using specially crafted DEFLATE compressed files, remote attackers could trigger out-of-bounds writes during file decompression.

The important takeaway this CVE example is that security tools must decompress and fully analyze the contents of .gz files to ensure they’re safe. That includes scouring all members and layers to avoid missing embedded threats.

Detecting Malicious GZIPs with Cloudmersive

Cloudmersive’s Advanced Virus Scan API identifies issues and threats within GZIP archives using a combination of deep content verification and traditional signature-based virus and malware scanning.

The API unpacks GZIPs (and other compressed file formats) to identify and validate content stored within the archive. When multiple GZIPs are nested, each one is scan recursively to uncover potential hidden threats. When compressed files are opened, each file is subsequently scanned for its own potential threat variations.

Additionally, the Advanced Virus Scan API validates that files bearing the .gz or .tar.gz extension rigorously conform with strict GZIP formatting standards. This roots out intentionally (or unintentionally) malformed GZIP archives capable of exploiting vulnerabilities in downstream parsers.

By combining content verification and traditional malware scanning, Cloudmersive provides comprehensive protection against a multitude of complex threats at once.

Final Thoughts

As both a file format and a compression utility, GZIP has stood the test of time since its release. It offers efficient, reliable compression in countless systems and workflows. With that ubiquity, however, comes implicit risk; attackers at varying levels of sophistication can readily use GZIP files as wrappers for obfuscated threats. Understanding how GZIP is structured, how it stores data, and how it can be abused is a critical part of building secure systems.

To learn more about mitigating GZIP threats with Cloudmersive, please feel free to contact a member of our team.