Penetration Testing mailing list archives

Re: PenTesting Email AntiVirus


From: Volker Tanger <volker.tanger () discon de>
Date: Fri, 17 May 2002 09:59:06 +0200

Greetings!

Ilici Ramirez wrote:

What ways do you know to pen-test email antivirus
software?

A cool one that has been published before is to zip a
very large file that contains the same character. The
result, a very small file attached to an email could
deplete resources on the antivirus server. Do you know
any AV exploitable with this?

That usually "only" fills up the hard disc - which is a simple DoS attack (in contrast to penetration) and not further exploitable. A known pre-packaged one is the 42.zip monster, containing only "0.dll", 4GB of zeros each: 16 libs with 16 books of 16 chapters of 16 docs with 16 pages = 16^5 files of 4GB each = 4 PetaByte

Trend InterScan VirusWall was vulnerable but now this attack only blocks one (forked-off) child process for the duration of the scan. Files within the archive are extracted one-by-one (instead of extracting all and then scanning the whole lot), a full hard disc fails graciously (and the scanning is restarted). It is recommendable to have the scan partition separate from the system temp partition, though (just to be safe).

IIRC CT's Mailsweeper fails this test, merrily crashing after filling the hard disc.

I have not DoS-tested other products yet.

Bye
        Volker

--

-------------------------------------------------------------------
volker.tanger () discon de                                 discon GmbH
IT-Security Consulting                           Wrangelstrasse 100
http://www.discon.de/                         10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
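The thread above describes the 42.zip style of attack (a few KB on the wire, petabytes once fully extracted) and a scanner that only survives it by extracting one member at a time. The following is an added example written for this archive page, not code from the original post, from Trend, or from any other vendor: a bounded pre-scan that refuses such an archive on its header ratio and nesting depth before anything touches the scan partition. The limits (MAX_DEPTH, MAX_TOTAL_BYTES, MAX_RATIO), the function names and both sample archives are assumptions chosen for the demonstration; the miniature bomb is constructed in memory with the same layout as 42.zip (one file of zeros, then layers of identical copies) but with 16 MB instead of 4 GB at the bottom.

```python
"""Added example (not from the original post or any vendor product): a bounded
pre-scan for zip attachments that rejects nested "zip bomb" archives of the
42.zip kind without extracting them to disk. Limits and sample data are
assumptions made for this demonstration."""
import io
import zipfile

MAX_DEPTH = 3                         # nested archive levels we will open
MAX_TOTAL_BYTES = 64 * 1024 * 1024    # decompressed bytes we will produce, in total
MAX_RATIO = 200                       # uncompressed/compressed ratio treated as hostile
CHUNK = 1 << 16


class ArchiveRejected(Exception):
    """Raised as soon as a limit is hit; nothing further is read or inflated."""


def _read_bounded(zf, info, budget):
    """Stream-decompress one member, stopping the moment it exceeds budget.
    Central-directory sizes can be forged, so the real output is counted."""
    out = io.BytesIO()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return out.getvalue()
            out.write(chunk)
            if out.tell() > budget:
                raise ArchiveRejected(f"{info.filename}: output exceeds budget")


def _scan(data, depth, budget):
    """Return (members, decompressed_bytes) for one archive level, recursing
    into nested archives while the shared byte budget lasts."""
    if depth > MAX_DEPTH:
        raise ArchiveRejected(f"archive nesting deeper than {MAX_DEPTH}")
    zf = zipfile.ZipFile(io.BytesIO(data))
    members = total = 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        members += 1
        # Cheap header checks first: a member of zeros compresses ~1000:1,
        # which no legitimate document or library ever does.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise ArchiveRejected(
                f"{info.filename}: ratio {info.file_size // info.compress_size}:1")
        if info.file_size > budget - total:
            raise ArchiveRejected(f"{info.filename}: declared {info.file_size} bytes over budget")
        body = _read_bounded(zf, info, budget - total)
        total += len(body)
        # Recurse by content, not by file name: "0.dll" may itself be an archive.
        if zipfile.is_zipfile(io.BytesIO(body)):
            m, t = _scan(body, depth + 1, budget - total)
            members += m
            total += t
    return members, total


def check_attachment(data):
    """Verdict for one attachment: ('ok', members, bytes) or ('rejected', why)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("ok", 0, len(data))           # not an archive: nothing to inflate
    try:
        members, total = _scan(data, 0, MAX_TOTAL_BYTES)
        return ("ok", members, total)
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return ("rejected", str(exc))


# --- constructed sample archives (assumptions, built in memory) -------------
def _zip_of(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


def make_bomb(fanout=16, levels=2):
    """Miniature of the 42.zip layout: one file of zeros at the bottom, then
    `levels` layers of `fanout` identical copies each (16 MB, not 4 GB)."""
    layer = _zip_of([("0.dll", b"\0" * (16 * 1024 * 1024))])
    for _ in range(levels):
        layer = _zip_of([(f"{i}.zip", layer) for i in range(fanout)])
    return layer


def make_benign():
    """Two ordinary text members that compress at a realistic ratio."""
    return _zip_of([("report.txt", bytes(range(256)) * 40),
                    ("notes.txt", b"The quick brown fox jumps over the lazy dog\n" * 20)])


if __name__ == "__main__":
    print("bomb:  ", check_attachment(make_bomb()))
    print("benign:", check_attachment(make_benign()))
```

The ratio test fires on the bottom layer's "0.dll" before a single byte of it is inflated, so the scan never produces more than the outer layers' own (incompressible) bytes; the byte budget and depth limit are there for bombs that hide behind a modest per-member ratio, and the streamed read bounds the damage if the central directory lies about sizes. Run it on a temp partition separate from the system one regardless, as the post recommends.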


