Vulnerability Development mailing list archives

Re: Antivirus scanner DoS with zip archives


From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 18 Jun 2001 20:28:35 +0100

Hi folks,

Not just the Antivirus engine can be targeted here.
I used to install/configure/admin & support certain email filtering products
that would do the whole virus scan thang as well as the normal content and
attachment filtering.   One of these could be killed by a simple .pdf file
purely because the scanning engine would time out and kill the service.
You could probably get the same effect with a malformed file as well as the
constructed ones mentioned by Michel.   I agree that the best way to deal
with it is to quarantine the file and flag the admin if the content analysis
engine times out, rather than let it run and starve the box.   Most of these
mail servers will allow a maximum attachment size as well, so _really_ silly
files can be blocked.
To extrapolate further, I have used similar techniques to bypass content
filtering, working on the principle that the scanning/decoding engine will
do _just_ that, allowing you to play with file types and archives such that
you can get what you want past the mail server.
Let's say I wanted to get a .jpg file of those Lego pr0n pictures into
somewhere (nasty piece of work that I am ;-) - now .jpg files are blocked;
the engine will pick up these embedded in Word docs or PowerPoint
presentations as these are known filetypes.   What if I base64 piccy.jpg as
piccy.txt and zip that ?
Unzip it, yup, that's a text file - all clear ;-)   Add noddy stuff like
ROT13 and the like in case a base64 decoder suddenly appears....
Just a few random rumblings...

Cheers.

----- Original Message -----
From: "Michel Arboi" <arboi () yahoo com>
To: <VULN-DEV () securityfocus com>
Sent: Sunday, June 17, 2001 11:11 PM
Subject: Antivirus scanner DoS with zip archives
[snip]


I'd appreciate comments on this weird idea...
[snip]
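
The mitigation discussed in this thread (a maximum attachment size, plus quarantine and an admin flag when the content engine runs out of time), as an added example that is not part of the original posts. It goes beyond the message by also capping inflated bytes and archive nesting; triage, inspect and every limit value are hypothetical names and numbers chosen for illustration.

```python
import io
import time
import zipfile

# Hypothetical limits, chosen for illustration; tune per mail gateway.
MAX_ATTACHMENT = 10 * 1024 * 1024     # reject larger attachments outright
MAX_UNPACKED = 50 * 1024 * 1024       # total bytes the scanner may inflate
MAX_DEPTH = 3                         # nested-archive levels to follow
DEADLINE_SECS = 5.0                   # wall-clock budget per attachment
CHUNK = 64 * 1024


class BudgetExceeded(Exception):
    """Raised when scanning would exceed a resource limit."""


def _walk(data, depth, state, inspect):
    if depth > MAX_DEPTH:
        raise BudgetExceeded("archive nesting too deep")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        inspect(data)                 # leaf file: hand to the content scanner
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = bytearray()
            with zf.open(info) as member:
                # Inflate in chunks: limits apply to real output, not header sizes.
                while chunk := member.read(CHUNK):
                    state["unpacked"] += len(chunk)
                    if state["unpacked"] > MAX_UNPACKED:
                        raise BudgetExceeded("unpacked size limit")
                    if time.monotonic() > state["deadline"]:
                        raise BudgetExceeded("scan deadline")
                    buf += chunk
            _walk(bytes(buf), depth + 1, state, inspect)


def triage(data, inspect=lambda leaf: None):
    """Return (verdict, reason); verdict is reject, quarantine or pass."""
    if len(data) > MAX_ATTACHMENT:
        return ("reject", "attachment over size limit")
    state = {"unpacked": 0, "deadline": time.monotonic() + DEADLINE_SECS}
    try:
        _walk(data, 0, state, inspect)
    except BudgetExceeded as exc:
        return ("quarantine", str(exc))   # hold for the admin, stop working
    except Exception as exc:              # malformed file or scanner crash
        return ("quarantine", "scanner error: %s" % exc)
    return ("pass", "scanned within limits")
```

Any outcome other than a completed scan ends in quarantine, so a file that exhausts the budget or breaks the parser is held for review instead of being delivered unscanned.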