Re: BZIP2 bomb question

["Gregh" <chows () ozemail com au>]

----- Original Message -----
From: "Alex Shipp" <ashipp () messagelabs com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, January 13, 2004 8:36 AM
Subject: Re: [Full-disclosure] BZIP2 bomb question


> > ----- Original Message -----
> > From: "Gregh" <chows () ozemail com au>
>
> > Please note I am not a good programmer here but here goes:
> >
> > I am wondering why, for those who HAVE to auto unpack, a script cannot be
> > written which, upon receipt of an archive of any sort, inspects it for,
as
> > an example, 100K of the same character repeated (keeping in mind that the
> > NULL character, chr$(7) etc have all been used for compressed bombs) and
if
> > there *IS* such a file, move the file to some safe location for later
> manual
> > inspection and if not, allow automatic unpacking etc.
>
> Ignoring lots of technical details (!) this can indeed be done, and can be
> used
> along with lots of other heuristics to defend against compressed bombs.
>
> There are implementaions that already do this.

Then perhaps the people still falling foul of the bombs might be helped out
by a few URLS here if you wouldn't mind? It just seemed a little strange to
me that an archive cant be inspected before being operated on. Thanks for
the answer!

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html