Full Disclosure mailing list archives

Re: Multiple Antivirus Scanners DoS attack. [summery]


From: npguy <npguy () websurfer com np>
Date: Mon, 14 Jun 2004 15:36:09 +0545

Well, the advisory gives no details and seems to be a very naive touch.

On Monday 14 June 2004 02:13 pm, bipin gautam wrote:
Multiple Antivirus Scanners DoS attack.


* F-Prot 4.4.2 for Linux

Linux F-Prot works perfectly well. Test before you make claims.


* Rav Antivirus online Scanner [Couldn't complete the
scan...]

* Windows XP default ZIP manager [reports wrong size
of compressed ZIP files.]

If you mess with headers, any compression API tells you
the same wrong size. Check zlib, infoZip, rar, arj.

There is no way to detect these changes. Checking each file's integrity
against the header info will take a significant amount of time. Anyway, like
WinZIP, the extraction routine seeks file content until the next header
starts, so that the altered file size will not be able to fool the routine, i.e.
Design Error.

I believe this is also related to the same problem in WinRAR, and it is
also the same design error, I believe. It trusts the header info and starts
extracting the files.


--- [Details] ---
While having a manual scan of compressed files;
several Antivirus, Trojan, Spyware scanners suffer a
DoS attack if the software tries to completely extract
the archive and scan its content for a hostile file.


Those using the infoZip and zlib libraries, or even WinZIP as an external extractor,
won't suffer from this problem.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
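
The thread turns on whether an extractor trusts the size declared in the ZIP header or follows the compressed stream itself. The following is an added example, not part of the original post or any scanner's code: a scanner-side check that inflates each member to the end of its deflate stream under a hard output cap and compares the result with the declared size. The names `build_sample` and `audit`, the 1 MiB cap and the sample archive are constructed for illustration; only deflate members without data descriptors are handled.

```python
import io, struct, zipfile, zlib

def build_sample(declared_size=None):
    """Constructed one-member ZIP; optionally rewrite the declared uncompressed size."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"A" * 4096)
    data = bytearray(mem.getvalue())
    if declared_size is not None:
        # End-of-central-directory record is the last 22 bytes; CD offset sits at +16.
        cd, = struct.unpack_from("<I", data, len(data) - 22 + 16)
        struct.pack_into("<I", data, 22, declared_size)       # local header field
        struct.pack_into("<I", data, cd + 24, declared_size)  # central directory field
    return bytes(data)

def audit(blob, limit=1 << 20, chunk=4096):
    """Return (name, declared, actual, verdict) per member, never trusting header sizes."""
    out, pos = [], 0
    while blob[pos:pos + 4] == b"PK\x03\x04":
        method, = struct.unpack_from("<H", blob, pos + 8)
        declared, nlen, xlen = struct.unpack_from("<IHH", blob, pos + 22)
        name = blob[pos + 30:pos + 30 + nlen].decode("cp437")
        if method != 8:
            out.append((name, declared, None, "unsupported method"))
            break
        d, actual, buf = zlib.decompressobj(-15), 0, blob[pos + 30 + nlen + xlen:]
        while not d.eof and actual <= limit:
            got = d.decompress(buf, chunk)        # at most `chunk` output bytes per call
            if not got and not d.unconsumed_tail:
                break                             # input ran out before stream end
            actual += len(got)
            buf = d.unconsumed_tail
        if actual > limit:
            out.append((name, declared, actual, "over limit"))
            break
        if not d.eof:
            out.append((name, declared, actual, "truncated stream"))
            break
        verdict = "ok" if actual == declared else "size mismatch"
        out.append((name, declared, actual, verdict))
        pos = len(blob) - len(d.unused_data)      # next header follows the stream end
    return out

if __name__ == "__main__":
    print(audit(build_sample()))
    print(audit(build_sample(declared_size=16)))
```

The cap bounds output regardless of what the header claims, and the mismatch verdict gives a scanner a cheap signal that the header was altered.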