Full Disclosure mailing list archives
Re: BZIP2 bomb question
From: "Gregh" <chows () ozemail com au>
Date: Tue, 13 Jan 2004 23:24:52 +1100
----- Original Message -----
From: "Alex Shipp" <ashipp () messagelabs com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, January 13, 2004 8:36 AM
Subject: Re: [Full-disclosure] BZIP2 bomb question

> ----- Original Message -----
> From: "Gregh" <chows () ozemail com au>
>
> > Please note I am not a good programmer here but here goes:
> >
> > I am wondering why, for those who HAVE to auto unpack, a script cannot be written which, upon receipt of an archive of any sort, inspects it for, as an example, 100K of the same character repeated (keeping in mind that the NULL character, chr$(7) etc have all been used for compressed bombs) and if there *IS* such a file, move the file to some safe location for later manual inspection and if not, allow automatic unpacking etc.
>
> Ignoring lots of technical details (!) this can indeed be done, and can be used along with lots of other heuristics to defend against compressed bombs. There are implementations that already do this.

Then perhaps the people still falling foul of the bombs might be helped out by a few URLs here if you wouldn't mind? It just seemed a little strange to me that an archive can't be inspected before being operated on.

Thanks for the answer!

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
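The pre-unpack check discussed in this thread, as an added example that is not from any of the posters or from the implementations mentioned: it decompresses a bzip2 stream in bounded steps without storing the output, and quarantines on a 100K run of one byte. The output cap, the sample data and all names are assumptions; the cap covers bombs built from a repeating pattern, which the run test alone would pass.

```python
import bz2
from itertools import groupby

MAX_RUN = 100 * 1024            # "100K of the same character", from the post
MAX_OUTPUT = 16 * 1024 * 1024   # assumed cap on unpacked size, tune per site
CHUNK = 64 * 1024               # bytes of output produced per step

def inspect_bz2(blob, max_run=MAX_RUN, max_output=MAX_OUTPUT):
    """Decompress in bounded steps, keeping no output; return (verdict, reason)."""
    dec = bz2.BZ2Decompressor()
    total, run_len, run_byte, feed = 0, 0, None, blob
    while not dec.eof:
        try:
            chunk = dec.decompress(feed, max_length=CHUNK)
        except OSError as exc:
            return "quarantine", f"invalid stream: {exc}"
        feed = b""                       # remaining input is buffered inside dec
        if not chunk and dec.needs_input and not dec.eof:
            return "quarantine", "truncated stream"
        for byte, group in groupby(chunk):
            n = sum(1 for _ in group)
            # carry a run of identical bytes across chunk boundaries
            run_len = run_len + n if byte == run_byte else n
            run_byte = byte
            if run_len >= max_run:
                return "quarantine", f"run of {run_len} x 0x{byte:02x}"
        total += len(chunk)
        if total > max_output:
            return "quarantine", f"output exceeds {max_output} bytes"
    if dec.unused_data:                  # conservative: only one stream was read
        return "quarantine", "data after first stream not inspected"
    return "unpack", f"{total} bytes, no long runs"

def constructed_samples():
    """Constructed inputs, not taken from the thread."""
    return {
        "zeros": bz2.compress(b"\x00" * (4 * 1024 * 1024)),
        "pattern": bz2.compress(b"AB" * (512 * 1024)),
        "text": bz2.compress(b"".join(b"log line %d\n" % i for i in range(5000))),
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, len(blob), inspect_bz2(blob, max_output=256 * 1024))
```

The check never holds more than one chunk of output in memory, so the inspection itself cannot be used to exhaust the scanner.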