Decompression Bombs

[Harald Geiger <hgeiger () aerasec de>]

As a followup to
http://lists.netsys.com/pipermail/full-disclosure/2004-January/015420.html
where we pointed out vulnerabilities of some antivirus-gateways
while decompressing bzip2-bombs, we were interested in the behaviour
of various applications that process compressed data.

It looks like not only bzip2 bombs, but also decompression bombs in
general might cause problems. Compression is used in many applications,
but hardly any maximum size limits are checked during the decompression
of untrusted content.

We've created several bombs (bzip2, gzip, zip, mime-embedded bombs,
png and gif graphics, openoffice zip bombs).
With these some more applications like additional antivirus engines,
various web browsers, openoffice.org, and the Gimp have been tested.

As a result, much more applications as we thought crashed. The
manufacturers of Software should be more careful with the processing
of untrusted input.

For details see our full advisory:
http://www.aerasec.de/security/advisories/bzip2bomb-antivirusengines.html

Harald Geiger

--
Harald Geiger                                   Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1
D-85662 Hohenbrunn                          E-Mail: hgeiger () aerasec de
Germany                                Internet: http://www.aerasec.de
PGP/GPG:         http://www.aerasec.de/wir/publickeys/HaraldGeiger.asc




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html