Usermode Archive Sandbox: ZipJail

ID N0WHERE:113071
Type n0where
Reporter N0where
Modified 2016-09-04T21:21:38


Usermode Archive Sandbox

ZipJail is a usermode sandbox for unpacking archives using the unzip, rar, 7z, and unace utilities. Through the use of the tracy library it limits the attack surface to an absolute minimum in case a malicious archive tries to exploit known or unknown vulnerabilities in those archive tools.


The zipjail command itself requires two parameters followed by the command that should be executed and jailed (i.e., sandboxed). The two parameters belonging to zipjail define the filepath to the archive and the output directory to which file writes should be restricted.

$ zipjail
zipjail 0.1 - safe unpacking of potentially unsafe archives.
Copyright (C) 2016, Jurriaan Bremer <>.
Based on Tracy by Merlijn Wajer and Bas Weelinck.

Usage: zipjail <input> <output> [-v] <command...>
  input:   input archive file
  output:  directory to extract files to
  verbose: some verbosity

Please refer to the README for the exact usage.

Below we demonstrate zipjail's usage based on an input file called and the output directory /tmp/unpacked/.


In order to run zipjail with unzip the command-line should be constructed as follows.

$ zipjail /tmp/unpacked unzip -o -d /tmp/unpacked


Just like for the 7z command (shown below), the rar command requires the thread count to be set explicitly. It should be noted that unrar version 5.00 beta 8 does not support the multithreaded option and thus zipjail is not capable of running with that version. So far we have only tested that zipjail works with rar version 4.20. Its usage is as follows.

$ zipjail file.rar /tmp/unpacked rar x -mt1 file.rar /tmp/unpacked


Running zipjail with 7z may be done as follows. Note that we pass along the -mmt=off option, which disables multithreaded decompression for bzip2 targets. By keeping zipjail's sandboxing single-threaded we keep its logic simple and secure (with multithreading, race conditions would be fairly trivial to introduce). In fact, as per our unit tests, any attempt to start a thread (e.g., through pthread, which internally invokes the clone(2) system call) is blocked completely. (Also note that the directory provided to 7z's -o parameter must follow it directly, without any whitespace in between.)

$ zipjail file.7z /tmp/unpacked 7z x -mmt=off -o/tmp/unpacked file.7z


Another utility, another command-line. This time, for unace, which handles .ace files, the command-line is fairly straightforward except for the input file path and the directory path that are passed along. The file path must be an absolute path and the directory path needs to be slash-terminated, i.e., the path must end with a forward slash.

$ zipjail /tmp/file.ace /tmp/unpacked unace x /tmp/file.ace /tmp/unpacked/

It should be noted that only unace version 2.5 is supported, as the older versions don't support either the command-line arguments or the .ace samples that are actually being used in the wild. Installing this particular version may be done through sudo apt install unace-nonfree.
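The per-tool constraints above (single-threaded rar and 7z, no whitespace after 7z's -o, an absolute archive path and a slash-terminated directory for unace) are easy to get wrong by hand. The following POSIX shell function is an added example, not part of zipjail itself: it picks the unpacker from the archive extension and builds the matching zipjail invocation, refusing inputs that violate a constraint. The placement of the archive name in the unzip case is an assumption, since the page elides it.

```shell
# zipjail_cmdline ARCHIVE OUTDIR [run]
#   Builds the zipjail invocation for the unpacker matching ARCHIVE's extension,
#   enforcing the per-tool constraints from the text (single-threaded rar/7z,
#   no space after 7z's -o, absolute path and slash-terminated dir for unace).
#   Without "run" it prints the command line; with "run" it executes it.
#   Returns 2 when the inputs violate a constraint or the type is unsupported.
zipjail_cmdline() {
    archive=$1
    base=${2%/}          # zipjail's <output> is given without a trailing slash
    mode=${3:-print}
    case "$archive" in
        *.zip)
            # Assumption: the archive name is the positional argument the page elides.
            set -- zipjail "$archive" "$base" unzip -o "$archive" -d "$base"
            ;;
        *.rar)
            # -mt1 keeps rar single-threaded; zipjail blocks clone(2) outright.
            set -- zipjail "$archive" "$base" rar x -mt1 "$archive" "$base"
            ;;
        *.7z)
            # -mmt=off disables multithreading; -o must be glued to its directory.
            set -- zipjail "$archive" "$base" 7z x -mmt=off "-o$base" "$archive"
            ;;
        *.ace)
            # unace only accepts an absolute archive path and a slash-terminated dir.
            case "$archive" in
                /*) ;;
                *) echo "unace needs an absolute archive path: $archive" >&2; return 2 ;;
            esac
            set -- zipjail "$archive" "$base" unace x "$archive" "$base/"
            ;;
        *)
            echo "unsupported archive type: $archive" >&2
            return 2
            ;;
    esac
    if [ "$mode" = run ]; then
        "$@"             # argv is passed intact: no eval, no word splitting
    else
        printf '%s\n' "$*"
    fi
}
```

In print mode the function reproduces the command lines shown above for the same inputs, so it can be reviewed or logged before anything is executed.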
