Full Disclosure mailing list archives
Re: Antivirus/Trojan/Spyware scanners DoS [summary]
From: bipin gautam <visitbipin () yahoo com>
Date: Sat, 19 Jun 2004 07:45:56 -0700 (PDT)
> You do not have the complete picture, and your incomplete research is just making everyone confused.
Well, I've submitted a proof of concept. I wonder why you are so interested in the 'how to...' in detail. Most of the people out here know it anyway. I don't have the resources to test each and every AV scanner, so I asked the FD community to help me out.
> I would rather take reference from the old advisory, which at least gives a clear background:
> http://www.rapid7.com/advisories/R7-0004/index.html
>
> About the ClamAV check in "manager.c" of clam 0.15:
>
>     if(strbcasestr(filename, ".zip")) {
>         char *args[] = { "unzip", "-P", "clam", "-o", (char *) filename, NULL };
>         if((userprg = getargl(opt, "unzip")))
>             ret = clamav_unpack(userprg, args, tmpdir, user, opt);
>         else
>             ret = clamav_unpack("unzip", args, tmpdir, user, opt);
>
> Clam uses the unzip utility outside its process space. If unzip itself is vulnerable (not the case on Linux) then clam may face a similar problem.
>
> -npguy
The issue you addressed above can in no way relate to any AV scanner DoS attack. I have repeatedly addressed this: the proof of concept wasn't created by modifying the header or CRC checksum of the archive. I believe many people are confusing my advisory released more than 9 months ago on Bugtraq [http://www.securityfocus.com/bid/8572] with this one.....

-------------------------------------

Well, an attacker can create a really big file and compress it via

  dd if=/dev/zero of=/crash bs=9999

and compress the file. [Well, there are ways to squeeze a terabyte of such data into a few kilobytes.]

It is possible to construct an archive containing a file or files that will cause a denial of service condition when a scanner attempts to extract the contents of the archive. Usually files within archives are completely extracted before being scanned, which gives rise to this vulnerability. Moreover, it's not safe to have the 'Quarantine/delete' option set to automatic for your AV scanner, as it may try to quarantine the virus by extracting the archive. Moreover, if you download such archives from an internet location, or copy/paste such files from a destination, those vulnerable "Antivirus Softwares" with their auto-protect engines active may also trigger a DoS. An attacker could construct such an archive and, if it is sent to a vulnerable AV gateway multiple times, this may result in system instability, high CPU use for a long time, system hang, crash, etc...

This issue has already been updated at http://www.geocities.com/visitbipin/Multiple_AV_DoS.html 2 days ago. I have already contacted many AV vendors addressing the issue about a week ago; I haven't got any response.

regards,
bipin gautam

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
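The failure mode discussed in this thread is a scanner that fully inflates every archive member before looking at it. The following is an added example, not part of the original post or of any scanner mentioned in it: it builds, in memory, the kind of zip the post describes (a large run of zeros that deflate shrinks by roughly 1000:1) and then shows the two checks a scanner can apply before and during extraction, a size/ratio check on the central-directory metadata and a hard cap on bytes actually inflated, since the metadata can be forged. The member name "crash", the 8 MiB and 100:1 thresholds, and the control member are illustrative assumptions, not vendor defaults.

```python
import io
import zipfile

CHUNK = 64 * 1024  # read/write granularity for streamed (de)compression


def build_zero_zip(uncompressed_size: int, name: str = "crash") -> bytes:
    """Build, in memory, a zip holding one member of `uncompressed_size` zero bytes.

    Constructed sample input: the in-memory equivalent of dumping /dev/zero to a
    file and zipping it. Deflate stores long zero runs at roughly 1000:1, so the
    archive stays small while the declared member size is huge."""
    buf = io.BytesIO()
    zeros = b"\0" * CHUNK
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        with zf.open(name, "w") as member:  # streamed write (Python 3.6+)
            remaining = uncompressed_size
            while remaining > 0:
                n = min(CHUNK, remaining)
                member.write(zeros[:n])
                remaining -= n
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: a small, poorly compressible member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", bytes(range(256)) * 4)
    return buf.getvalue()


def scan_archive(zip_bytes: bytes, max_ratio: float = 100.0,
                 max_member_bytes: int = 8 * 1024 * 1024):
    """Decide per member whether extraction is safe to attempt.

    Returns a list of (name, verdict, declared_size, bytes_read) where verdict is
    'ok', 'reject-header' (central-directory size or ratio over budget, nothing
    decompressed) or 'reject-stream' (header looked fine but the real inflated
    stream crossed the budget, so extraction was stopped mid-way).
    The thresholds are illustrative assumptions, not vendor defaults."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            declared = info.file_size
            ratio = declared / max(info.compress_size, 1)
            if declared > max_member_bytes or ratio > max_ratio:
                results.append((info.filename, "reject-header", declared, 0))
                continue
            # The central directory can be forged, so the same cap is enforced
            # on the bytes actually inflated; zipfile inflates lazily per read().
            read = 0
            verdict = "ok"
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    read += len(chunk)
                    if read > max_member_bytes:
                        verdict = "reject-stream"
                        break
            results.append((info.filename, verdict, declared, read))
    return results


if __name__ == "__main__":
    bomb = build_zero_zip(32 * 1024 * 1024)
    print(f"bomb archive is {len(bomb)} bytes on disk")
    for row in scan_archive(bomb) + scan_archive(build_benign_zip()):
        print(row)
```

The point of keeping both checks is that the first is free (no decompression at all) and the second is what actually bounds CPU and disk when the declared sizes are wrong; a scanner that stops at "extract, then scan" has neither.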