Full Disclosure mailing list archives
RE: bzip2 bombs still causes problems in antivirus-software
From: Steve Wray <steve.wray () paradise net nz>
Date: Sat, 10 Jan 2004 14:42:29 +1300
It would probably be a good idea to implement ulimit restrictions on the user that the software runs as. I had awful problems with the syntax on that sentence, but I am sure you will know what it means. :)

Also you should be aware that the software doesn't automatically clear the leftovers out of the filesystem. One suggestion I've heard is to put the directory where the zip files get unpacked for software forensics & antivirus detection on tmpfs or some such. That way, after a reboot it's guaranteed to not be there. Or something like that. (my favorite sentence)
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Dr. Peter Bieringer
Sent: Saturday, 10 January 2004 6:38
To: full-disclosure () lists netsys com; bugtraq () securityfocus com
Subject: [Full-disclosure] bzip2 bombs still causes problems in antivirus-software

Hi,

sure you remember the e-mail from Steve Wray in August 2003 about bzip2 bombs and the possible DoS against antivirus-software:

http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html

We found that this is still an issue; in particular, we found that one vendor detects bzip2 bombs by pattern (2 GB of zeros are detected, but not 2 GB of e.g. 0x31). Others will neither detect the bomb nor stop decompression; it looks like they are missing smart code for anomaly detection and/or proper limits, and they eat all existing disk space and CPU power instead of reporting a problem.

Namely, we confirm this issue still exists on:

* kavscanner of Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.5)
* vscan of Trend Micro InterScan VirusWall 3.8 Build 1130
* uvscan of McAfee Virus Scan for Linux v4.16.0

Probably other versions and products are vulnerable, too.

Full advisory is available here:
http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt

Hope this helps to bring this issue up again with software vendors, so that they implement smarter anomaly detection code and configurable limits (number of files, max size) in the decompression unit.

Regards,
Dr. Peter Bieringer

--
Dr. Peter Bieringer                          Phone: +49-8102-895190
AERAsec Network Services and Security GmbH   Fax: +49-8102-895199
Wagenberger Straße 1                         Mobile: +49-174-9015046
D-85662 Hohenbrunn                           E-Mail: pbieringer () aerasec de
Germany                                      Internet: http://www.aerasec.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
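The two messages above ask for two things: a decompression unit with configurable limits that does not care whether the payload is zeros or 0x31, and OS-level resource limits on the scanner process. The following Python block is an added example written for this archive page; it is not code from the thread, from AERAsec, or from any of the scanners named in it. It inflates a bzip2 stream incrementally with the standard library's bz2.BZ2Decompressor and aborts on either an absolute output cap or an output/input ratio cap, so the verdict depends only on byte counts. The function names, the default limits (64 MiB, 200:1, ratio checked only above 1 MiB to spare small dense files), and the in-memory sample bombs and clean file are all assumptions constructed for the example; the rlimit helper is the thread's ulimit suggestion expressed with the resource module and is Unix-only.

```python
"""Bounded bzip2 inflation with a ratio check, plus rlimits for the scanner process.

Added example for the bzip2-bomb thread; not code from the thread or from any
of the antivirus products it names. Limits and sample inputs are assumptions.
"""
import bz2
import io

MiB = 1024 * 1024


class DecompressionBombError(Exception):
    """Raised when a stream blows past the configured output limits."""

    def __init__(self, reason, produced, consumed):
        super().__init__(f"{reason} limit exceeded after {produced} bytes out / {consumed} bytes in")
        self.reason = reason        # "size" or "ratio"
        self.produced = produced
        self.consumed = consumed


def bounded_bunzip2(data, max_out=64 * MiB, max_ratio=200.0, ratio_floor=1 * MiB, chunk=64 * 1024):
    """Decompress `data` incrementally and stop as soon as either limit trips.

    max_out      absolute cap on produced bytes (the "max size" limit)
    max_ratio    cap on produced/consumed, enforced only once produced >= ratio_floor
                 so that small, legitimately dense files are not flagged
    Only byte counts are inspected, so a stream of 0x31 is treated exactly
    like a stream of zeros: there is no pattern to dodge.
    """
    dec = bz2.BZ2Decompressor()
    src = io.BytesIO(data)
    out = bytearray()
    consumed = 0
    while not dec.eof:
        if dec.needs_input:
            buf = src.read(chunk)
            if not buf:
                raise ValueError("truncated bzip2 stream")
            consumed += len(buf)
        else:
            buf = b""   # drain output still buffered inside the decompressor
        out += dec.decompress(buf, max_length=chunk)
        if len(out) > max_out:
            raise DecompressionBombError("size", len(out), consumed)
        if len(out) >= ratio_floor and len(out) > max_ratio * consumed:
            raise DecompressionBombError("ratio", len(out), consumed)
    return bytes(out)


def inspect_bzip2(data, **limits):
    """Scanner-style verdict: ("ok", decompressed_length) or ("bomb", reason)."""
    try:
        return ("ok", len(bounded_bunzip2(data, **limits)))
    except DecompressionBombError as exc:
        return ("bomb", exc.reason)


def make_bomb(fill, size):
    """Constructed test input: a bzip2 stream expanding to `size` copies of the byte `fill`."""
    comp = bz2.BZ2Compressor(9)
    block = fill * MiB
    out = bytearray()
    remaining = size
    while remaining:
        n = min(remaining, len(block))
        out += comp.compress(block[:n])
        remaining -= n
    out += comp.flush()
    return bytes(out)


def clean_sample():
    """Constructed benign input: ordinary text and its bzip2 form."""
    plain = b"".join(f"line {i}: ordinary log text\n".encode() for i in range(2000))
    return plain, bz2.compress(plain)


def apply_scanner_rlimits(max_file_bytes, max_address_space):
    """The thread's ulimit suggestion, applied to the scanner's own process.

    Even if the inflater's checks are bypassed, the kernel then refuses to let
    the process write a file larger than max_file_bytes or grow its address
    space past max_address_space. Unix only; call before scanning, not from tests.
    """
    import resource
    resource.setrlimit(resource.RLIMIT_FSIZE, (max_file_bytes, max_file_bytes))
    resource.setrlimit(resource.RLIMIT_AS, (max_address_space, max_address_space))


if __name__ == "__main__":
    for fill in (b"\x00", b"\x31"):
        bomb = make_bomb(fill, 8 * MiB)
        print(f"fill {fill!r}: {len(bomb)} bytes compressed -> {inspect_bzip2(bomb)}")
    plain, packed = clean_sample()
    print(f"clean file: {len(packed)} bytes compressed -> {inspect_bzip2(packed)}")
```

Running the block inflates two 8 MiB single-byte bombs (zeros and 0x31) and one ordinary text file; both bombs are rejected on the ratio check long before 8 MiB is produced, while the text file passes. The ratio test is the "anomaly detection" the advisory asks for, and max_out is the "max size" limit; a real scanner would additionally count files per archive and wire the same checks into every decompressor it supports, not just bzip2.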
Current thread:
- bzip2 bombs still causes problems in antivirus-software Dr. Peter Bieringer (Jan 09)
- RE: bzip2 bombs still causes problems in antivirus-software Steve Wray (Jan 09)
- Re: bzip2 bombs still causes problems in antivirus-software Dr. Peter Bieringer (Jan 10)
- RE: Re: bzip2 bombs still causes problems in antivirus-software Steve Wray (Jan 10)
- RE: Re: bzip2 bombs still causes problems in antivirus-software Dr. Peter Bieringer (Jan 12)
- Re: bzip2 bombs still causes problems in antivirus-software Dr. Peter Bieringer (Jan 10)
- RE: bzip2 bombs still causes problems in antivirus-software Steve Wray (Jan 09)
- Re: bzip2 bombs still causes problems in antivirus-software...probably zip, too Dr. Peter Bieringer (Jan 12)