Full Disclosure mailing list archives

Re: Antivirus/Trojan/Spyware scanners DoS [summary]


From: bipin gautam <visitbipin () yahoo com>
Date: Sat, 19 Jun 2004 07:45:56 -0700 (PDT)

You do not have the complete picture and your incomplete research is just making everyone confused.

Well, I've submitted a proof of concept. I wonder why you are so interested in the 'how to...' in detail. Most of the people out here know it anyway. I don't have the resources to test each and every AV scanner, so I asked the FD community to help me out.

I'd rather take reference from the old advisory, which at least gives a clear background:

http://www.rapid7.com/advisories/R7-0004/index.html


About clam, check "manager.c" of clam 0.15:

   if(strbcasestr(filename, ".zip")) {
       /* the archive is handed to an external unzip process, with the password "clam" */
       char *args[] = { "unzip", "-P", "clam", "-o", (char *) filename, NULL };
       if((userprg = getargl(opt, "unzip")))
           ret = clamav_unpack(userprg, args, tmpdir, user, opt);
       else
           ret = clamav_unpack("unzip", args, tmpdir, user, opt);


Clam uses the unzip utility outside its process space. If unzip itself is vulnerable (not the case on Linux) then clam may face a similar problem.
-npguy


..the issue you addressed above in no way can relate to any AV scanner DoS attack. I have repeatedly stated that the proof of concept wasn't created by modifying the header or CRC checksum of the archive. I believe many people have confused my advisory released more than 9 months ago on Bugtraq [http://www.securityfocus.com/bid/8572] with this one.....

-------------------------------------

Well, an attacker can create a really big file via,

    dd if=/dev/zero of=/crash bs=9999

and compress the file. [Well, there are ways to squeeze a terabyte of such data into a few kilobytes.]

It is possible to construct an archive containing a file or files that will cause a denial of service condition when a scanner attempts to extract the contents of the archive. Usually files within archives are completely extracted before being scanned, which gives rise to this vulnerability. Moreover, it's not safe to have the 'Quarantine/delete' option set to automatic for your AV scanner, as it may try to quarantine the virus by extracting the archive.

Moreover, if you download such archives from an internet location, or copy/paste such files from a destination, those vulnerable "antivirus softwares" with their auto-protect engines active may also trigger a DoS.

An attacker could construct such an archive, and if it is sent to a vulnerable AV gateway multiple times, it may result in system instability, high CPU use for a long time, system hang, crash etc...
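The expansion attack described above is the archive-bomb class of DoS; as an added example (not code from the original post or from any of the scanners it names), here is a Python sketch of the two checks a scanner's extractor can make so that such an archive is refused instead of being extracted in full. The 1 MiB and 100:1 limits, the function names, and the in-memory sample archives (one made of zero bytes, like the dd /dev/zero file above, one of incompressible filler) are all assumptions chosen for the illustration.

```python
import io
import random
import zipfile

MAX_TOTAL_BYTES = 1024 * 1024  # hypothetical scanner policy: 1 MiB of output per archive
MAX_RATIO = 100                # hypothetical scanner policy: at most 100:1 expansion


class ArchiveBombError(Exception):
    """Raised when an archive would exceed the extraction budget."""

def build_sample_zip(content: bytes, name: str = "crash") -> bytes:
    # Constructed in-memory sample archive for the illustration, not a real malicious file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def incompressible_bytes(n: int) -> bytes:
    # Deterministic pseudo-random filler that deflate cannot shrink (the benign case).
    return random.Random(0).randbytes(n)

def safe_extract(data: bytes, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO) -> int:
    """Stream every member out under a byte budget; return the bytes produced."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # First filter: sizes declared in the central directory. Cheap to read, but
        # attacker-controlled, so it can only reject, never prove an archive safe.
        total = sum(i.file_size for i in infos)
        packed = sum(i.compress_size for i in infos)
        if total > max_total or (packed and total / packed > max_ratio):
            raise ArchiveBombError(f"header declares {total} bytes from {packed} compressed")
        produced = 0
        for info in infos:
            with zf.open(info) as member:  # streamed; never extractall() to disk first
                while chunk := member.read(64 * 1024):
                    produced += len(chunk)
                    if produced > max_total:  # second filter: catches a header that lied
                        raise ArchiveBombError("output exceeded byte budget")
                    # a real scanner would feed `chunk` to its signature engine here
    return produced

def is_rejected(data: bytes) -> bool:
    # Convenience wrapper: True when safe_extract refuses the archive.
    try:
        safe_extract(data)
    except ArchiveBombError:
        return True
    return False
```

Scanning the stream chunk by chunk, rather than extracting the whole member and then scanning, is what keeps disk and memory use bounded even when the declared sizes cannot be trusted.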

This issue has already been updated at
http://www.geocities.com/visitbipin/Multiple_AV_DoS.html
'2' days ago.
I already contacted many AV vendors addressing the issue about a week ago; I haven't got any response.

regards,
bipin gautam


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
