Vulnerability Development mailing list archives

RE: Antivirus scanner DoS with zip archives

From: "Damage" <dam.age () ntlworld com>
Date: Mon, 18 Jun 2001 18:53:35 +0100

Sophos eats CPU with large compressed files when intercheck examines a file
(the file emvt30 from Microsoft's d/l killed my 800 athlon on a 4 disk IDE
s/w stripe (NT4)and 384Meg for 10's of minutes - I gave up and killed it
eventually, but that was hard going too!)

John Haines

-----Original Message-----
From: Michel Arboi [mailto:arboi () yahoo com]
Sent: 17 June 2001 23:11
To: VULN-DEV () SECURITYFOCUS COM
Subject: Antivirus scanner DoS with zip archives


Some time ago, MimeSweeper could be killed in a rather simple way:
Compress with zip a 1 GB file filled with zeros, and attach the 1MB (*)
result to an e-mail. MimeSweeper tried to allocate 1 GB of memory and
died.
(*) The maximum compressing ratio with the Zip algorithm is ~ 1:1000

This bug is supposed to be fixed in the last versions (I did not
check).

    ********

Instead of trying to eat all the memory, we could try to eat the CPU
like this:

<stuff deleted>

Current thread:

Antivirus scanner DoS with zip archives Michel Arboi (Jun 18)
- RE: Antivirus scanner DoS with zip archives Damage (Jun 18)
  - RE: Antivirus scanner DoS with zip archives Michel Arboi (Jun 19)
- Re: Antivirus scanner DoS with zip archives Ron DuFresne (Jun 18)
  - Re: Antivirus scanner DoS with zip archives Markus 'FvD' Weber (Jun 19)
    - Re: Antivirus scanner DoS with zip archives Michel Arboi (Jun 20)
    - Re: Antivirus scanner DoS with zip archives Robert Davidson Security (Jun 21)
    - Re: Antivirus scanner DoS with zip archives Aycan Irican (Jun 23)
    - Re: Antivirus scanner DoS with zip archives bill_weiss (Jun 24)
    - Re: Antivirus scanner DoS with zip archives Aycan Irican (Jun 24)
  - Re: Antivirus scanner DoS with zip archives Michel Arboi (Jun 19)
  - Re: Antivirus scanner DoS with zip archives Michel Arboi (Jun 21)

(Thread continues...)