Bugtraq mailing list archives

RE: Decompression Bombs


From: "Myron Davis" <myrond () xyxx com>
Date: Fri, 6 Feb 2004 23:54:08 -0900 (AKST)

This, as far as I know, is fairly well known, as we had a problem with this a
while back (by accident).

We put a little check in like this:

unzip -l $SANITIZED_ZIP_FILE|tail -n 1|cut -f4 -d' '

then checked the size... if it was larger than, ooh, 400 megs, then dropped
it w/ an error for it being too large.

An easy way to generate a large zip file is to do something like this:

dd if=/dev/zero of=testfile count=10000 && gzip testfile && ls -la testfile.gz

You should get a huge file to test w/ mighty quickly; try sending that to a few
virus scanners.

Theoretically one could modify a worm to send random zip'd files of zeros
along the way to different hosts to really kill the destination
computers.

-Myron


Wow, this is a very interesting concept. Any vendor that relies on any
decompression library could be vulnerable. Anything from something like
Photoshop to IE to virus scanners.

The example files given on the website seem to require a password.  Can
you provide it?

Nice work and thanks!

Dave Bachtel
IT Intern
RealTime Gaming
Atlanta, GA - USA
404-459-4263 x139


-----Original Message-----
From: Matthias Leu [mailto:mleu () aerasec de]
Sent: Tuesday, February 03, 2004 12:04 PM
To: bugtraq () securityfocus com
Subject: Decompression Bombs


As a followup to http://www.securityfocus.com/bid/9393/, where we
pointed out vulnerabilities of some antivirus-gateways while
decompressing bzip2-bombs, we were interested in the behaviour of
various applications that process compressed data.

It looks as if not only bzip2 bombs, but also decompression bombs in
general might cause problems. Compression is used in many applications,
but hardly any maximum size limits are checked during the decompression
of untrusted content.

We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png
and gif graphics, openoffice zip bombs). With these we tested some more
applications like additional antivirus engines, various web browsers,
openoffice.org, and the Gimp.

As a result, many more applications than we thought crashed. The
manufacturers of software should care more about the processing of
untrusted input.

For details see our full advisory, written by Dr. Peter Bieringer:
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html

Best regards,
Dr. Matthias Leu
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
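As an added illustration (not code from this thread or from AERAsec's advisory), the Python below builds a zeros bomb in memory along the lines of Myron's dd/gzip recipe, performs the declared-size pre-check he describes (the `unzip -l` total, plus its gzip counterpart, the ISIZE trailer that `gzip -l` reports), and then inflates with a hard cap on the bytes actually produced, which is the maximum-size limit Matthias notes is hardly ever enforced. The declared sizes are written by whoever built the archive and can be understated (ISIZE is additionally only the length modulo 2**32), so the pre-check is a cheap filter and the cap on real output is the control that holds. The limits `LIMIT` and `CHUNK`, the helper names and the `DecompressionBomb` exception are assumptions made for this example.

```python
import gzip
import io
import struct
import zipfile
import zlib

# Constructed test input: a run of zeros, like the dd/gzip recipe in the
# thread, but built in memory. All three constants are example policy.
ZEROS = 8 * 1024 * 1024     # 8 MiB of zeros before compression
LIMIT = 1 * 1024 * 1024     # hypothetical policy: refuse more than 1 MiB expanded
CHUNK = 64 * 1024           # decompress in 64 KiB pieces


class DecompressionBomb(Exception):
    """Raised when inflating would exceed the configured output limit."""


def make_zero_gzip(size=ZEROS):
    """gzip a run of zeros; deflate squeezes this roughly 1000:1."""
    return gzip.compress(b"\0" * size, compresslevel=9)


def make_zero_zip(size=ZEROS):
    """The same payload as a single-member zip, for the unzip -l style check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("testfile", b"\0" * size)
    return buf.getvalue()


def zip_declared_total(data):
    """Sum of uncompressed sizes from the central directory.

    This is the figure `unzip -l` prints on its last line, i.e. the
    pre-check from the thread. It is metadata written by whoever built
    the archive, so a crafted file can understate it.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def gzip_declared_size(data):
    """ISIZE from the gzip trailer, as `gzip -l` reports it.

    ISIZE is the original length modulo 2**32, so a 4 GiB + 1 byte bomb
    honestly declares 1 byte; this check alone is not sufficient.
    """
    return struct.unpack("<I", data[-4:])[0]


def inflate_capped(data, limit=LIMIT):
    """Inflate a gzip stream, counting real output bytes against `limit`.

    Output is streamed through zlib with max_length, so at most CHUNK
    bytes exist at once and the cap applies to bytes actually produced,
    not to anything the headers claim. Returns the inflated length when
    it fits; raises DecompressionBomb the moment it would not.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    produced = 0
    pending = data
    while True:
        out = d.decompress(pending, CHUNK)
        produced += len(out)
        if produced > limit:
            raise DecompressionBomb(f"output exceeded {limit} bytes")
        pending = d.unconsumed_tail
        if d.eof or (not pending and not out):
            break
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return produced


def is_bomb(data, limit=LIMIT):
    """True if inflating `data` would blow through `limit`."""
    try:
        inflate_capped(data, limit)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    bomb = make_zero_gzip()
    print("compressed bytes:", len(bomb))
    print("gzip -l would say:", gzip_declared_size(bomb))
    print("unzip -l total   :", zip_declared_total(make_zero_zip()))
    print("rejected under cap:", is_bomb(bomb))
```

The pre-check is worth keeping because it is nearly free, but the loop in `inflate_capped` is the part a gateway or scanner needs: it never allocates the declared size up front and stops after the first chunk that crosses the limit, whatever the trailer or central directory said.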
