Full Disclosure mailing list archives
RE: BZIP2 bomb question
From: "Alexander Veit" <list () nezwerg de>
Date: Mon, 12 Jan 2004 23:15:53 +0100
Hi Greg,
[...] I am wondering why, for those who HAVE to auto unpack, a script cannot be written which, upon receipt of an archive of any sort, inspects it for, as an example, 100K of the same character repeated (keeping in mind that the NULL character, chr$(7) etc have all been used for compressed bombs) and if there *IS* such a file, move the file to some safe location for later manual inspection and if not, allow automatic unpacking etc. [...]
A safe detection of such bombs by inspecting the stream of uncompressed data seems impractical, since repeating patterns may consist of more than one byte. A better criterion may be the ratio of the size of currently uncompressed data to the total archive size. This number should not exceed a reasonable value.

--
Regards,
Alex
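One way to apply the ratio criterion from the message above, as an added example that is not code from this thread. The function names, the limit of 100 and the 64 KiB step are assumptions chosen for illustration, and only single-stream bzip2 input is handled.

```python
import bz2
import io


class RatioExceeded(Exception):
    """Output grew past max_ratio times the size of the archive."""


def bunzip2_with_ratio_limit(src, dst, archive_size, max_ratio=100, step=64 * 1024):
    """Stream-decompress src into dst, aborting once
    bytes_out / archive_size exceeds max_ratio (hypothetical default: 100)."""
    budget = archive_size * max_ratio
    dec = bz2.BZ2Decompressor()
    written = 0
    while not dec.eof:
        if dec.needs_input:
            data = src.read(step)
            if not data:
                raise EOFError("truncated bzip2 stream")
        else:
            data = b""  # decompressor still holds buffered output
        # max_length bounds the output of each call, so a tiny input chunk
        # cannot expand to gigabytes in memory before the check runs.
        out = dec.decompress(data, max_length=step)
        written += len(out)
        if written > budget:
            raise RatioExceeded(f"{written} bytes out from a {archive_size}-byte archive")
        dst.write(out)
    return written


def exceeds_ratio(blob, max_ratio=100):
    """True if the archive should be set aside for manual inspection."""
    try:
        bunzip2_with_ratio_limit(io.BytesIO(blob), io.BytesIO(), len(blob), max_ratio)
    except RatioExceeded:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a single-byte run and a 16-byte repeating pattern.
    # The second has no long run of one character, yet the ratio check trips.
    for name, plain in [("single-byte", b"\0" * 4_000_000),
                        ("multi-byte", b"0123456789abcdef" * 250_000)]:
        blob = bz2.compress(plain)
        print(name, len(blob), "bytes compressed, flagged:", exceeds_ratio(blob))
```
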