Full Disclosure mailing list archives

Re: BZIP2 bomb question


From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Tue, 13 Jan 2004 11:07:33 +0100

--On Tuesday, 13 January 2004 07:35 +1100 Gregh <chows () ozemail com au> wrote:

> Please note I am not a good programmer here but here goes:
> 
> I am wondering why, for those who HAVE to auto unpack, a script cannot be
> written which, upon receipt of an archive of any sort, inspects it for, as
> an example, 100K of the same character repeated (keeping in mind that the
> NULL character, chr$(7) etc. have all been used for compressed bombs) and
> if there *IS* such a file, move the file to some safe location for later
> manual inspection and if not, allow automatic unpacking etc.
> 
> Surely this would be a 5 minute script for SOMEONE who knows how to do it
> well? Even if it won't work on receipt of compressed archives, it could be
> a timed event to happen, say 10 minutes before the actual auto unpacking
> is to occur if that is done at a particular time.
> 
> I used to be a "dabbler" programmer on a machine back in the 80s where we
> used to have this same sort of problem and because the services provided
> could not be interrupted, the above was how I got around it.

As Ralf Hildebrandt and another guy told me, using AV scanners with the amavisd-new framework and letting amavisd-new decompress the files before triggering the AV scanners would be a solution.

existing amavisd-new options:

# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14;                # (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500;               # (default is undef, no limit)

$MIN_EXPANSION_QUOTA = 100*1024;        # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;   # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5;              # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500;            # times original mail size (must be specified)


        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer () aerasec de
Germany                                Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
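Both ideas in this thread, Gregh's "look for 100K of the same character" test and the amavisd-new expansion quotas Peter quotes, come down to bounding what a decoder is allowed to produce before anything downstream sees the output. The script below is an added example written for this archive page; it is not code from either poster and not amavisd-new's implementation. It decompresses one bzip2 stream in fixed-size chunks and stops as soon as the output either exceeds an expansion budget or contains a run of identical bytes longer than a limit, so a bomb is rejected after a couple of hundred KiB instead of filling memory or disk. The constants borrow the amavisd-new names, but the rule that combines them (MAX_EXPANSION_FACTOR times the compressed size, clamped between the MIN and MAX quotas) is this example's own reading and not taken from amavisd-new's source; $MIN_EXPANSION_FACTOR is not modelled. The sample inputs (two 2 MiB bombs, a 48 KiB random payload and a truncated copy of it) are constructed inline.

```python
"""Bounded, streaming inspection of a single bzip2 stream before it is handed
to an AV scanner.  Added example for this thread: not amavisd-new code and not
code from either poster.  Two checks run while decompressing in fixed-size
chunks, so a bomb is rejected after a few hundred KiB of output:
  1. an expansion budget built from knobs named like the amavisd-new ones
     quoted in the mail (how they are combined is this example's own rule);
  2. Gregh's heuristic: a run of RUN_LIMIT identical bytes in the output.
"""
import bz2
import os
from itertools import groupby

MIN_EXPANSION_QUOTA = 100 * 1024         # always allow at least this much output
MAX_EXPANSION_QUOTA = 300 * 1024 * 1024  # never allow more than this
MAX_EXPANSION_FACTOR = 500               # times the compressed size
RUN_LIMIT = 100 * 1024                   # Gregh's "100K of the same character"
CHUNK = 64 * 1024                        # output requested per decompress() call


def expansion_budget(compressed_size: int) -> int:
    """Output bytes permitted for a stream of this compressed size.
    Assumption (this example's rule, not amavisd-new's): MAX_EXPANSION_FACTOR
    times the input, clamped between the MIN and MAX quotas."""
    return min(MAX_EXPANSION_QUOTA,
               max(MIN_EXPANSION_QUOTA, MAX_EXPANSION_FACTOR * compressed_size))


def longest_run(chunk: bytes, carry_byte, carry_len: int):
    """Longest run of one byte value in `chunk`, joined with the run that ended
    the previous chunk.  Returns (longest, tail_byte, tail_len)."""
    best = 0
    for value, group in groupby(chunk):
        n = sum(1 for _ in group)
        if value == carry_byte:          # can only match for the first group
            n += carry_len
        carry_byte, carry_len = value, n
        best = max(best, n)
    return best, carry_byte, carry_len


def inspect_bz2(data: bytes) -> dict:
    """Decompress `data` chunk by chunk and return a verdict dict with keys
    verdict ('ok' | 'bomb' | 'corrupt'), reason, produced and budget.
    At most one CHUNK of decompressed output is alive at any time."""
    budget = expansion_budget(len(data))
    dec = bz2.BZ2Decompressor()          # one stream; concatenated members would need a loop
    produced = 0
    run_byte, run_len = None, 0
    pending = data                       # fed once; later calls drain the internal buffer

    def result(verdict, reason):
        return {"verdict": verdict, "reason": reason,
                "produced": produced, "budget": budget}

    try:
        while not dec.eof:
            # max_length caps the output of this call; unconsumed input stays
            # inside the decompressor, so the next call is made with b"".
            out = dec.decompress(pending, max_length=CHUNK)
            pending = b""
            if not out:
                if dec.eof:
                    break
                return result("corrupt", "truncated stream")
            produced += len(out)
            run, run_byte, run_len = longest_run(out, run_byte, run_len)
            if run > RUN_LIMIT:
                return result("bomb", "run")
            if produced > budget:
                return result("bomb", "budget")
    except OSError as exc:               # bz2 raises OSError on an invalid stream
        return result("corrupt", str(exc))
    return result("ok", "within limits")


# Constructed sample inputs (built here, not captured from real mail):
ZERO_BOMB = bz2.compress(b"\x00" * (2 * 1024 * 1024))   # ~100 bytes -> 2 MiB of NULs
PATTERN_BOMB = bz2.compress(b"ab" * (1024 * 1024))     # 2 MiB, no long single-byte run
BENIGN = bz2.compress(os.urandom(48 * 1024))           # incompressible, expands ~1x
TRUNCATED = BENIGN[: len(BENIGN) // 2]
EMPTY = bz2.compress(b"")

if __name__ == "__main__":
    for name, sample in [("zero bomb", ZERO_BOMB), ("pattern bomb", PATTERN_BOMB),
                         ("benign", BENIGN), ("truncated", TRUNCATED)]:
        print(name, inspect_bz2(sample))
```

The NUL bomb trips the run heuristic first, while the "ab" bomb never contains a long run and is caught only by the budget; that is the reason to keep both checks rather than rely on Gregh's heuristic alone. For amavisd-new the same bound is enforced by the quoted $MAX_EXPANSION_* settings, and $MAXLEVELS / $MAXFILES cover the nested-archive and many-members variants that a single-stream check like this one does not see.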

