dumb idea(s) (tm)

[Doru Petrescu <pdoru () kappa ro>]

in regards to "Re: Antivirus scanner DoS with zip archives" by "Aycan
Irican <aycan () mars prosoft com tr>"

let's analize this idea some guy had ... he wanted to create a long file
without using disk space to store it ...

$> perl -e 'print "A"x1000000000' | gzip -f | dd of=file1
        Out of memory!
        0+1 records in
        0+1 records out


first, consider removing 'dd' ... try like this:

$> .... |gzip >outputfile.gz

this mecanism is called OUTPUT REDIRECTION. it works even on windows. :-)

then, let's analize what is with that strange 'Out of memory!' ....
as many of you might already guessed, PERL is the one that complains ...
and, why not ... it was asked to create a string 1GB long. it first has to
alocate memory for it, so when perl tries something like
malloc(1000000000) it will fail...

in perl a construct like "a" x N_TIMES is a static string, it is not an
iterator, a 'for' or something like this. it will not 'execute' N times to
produce the result. the internal compiler will create the string by
duplicating N times the smaller string. it still uses memory. it just
saves you (the programmer) from writing a 1GB+ program for printing a 1GB
long string containg 1000000000 'a' ...

the right way is to use a loop, like this:

foreach (1..1000000000) { print "a"; }

so, we can try something like:

$> perl -e 'foreach (1..1000000000) { print "a"; }' | gzip >outfile.gziped

you can even add more ZEROs ...


but, there is a small problem ... this is going to take a long time,
because print is a quite expensive function, and anyway it has to run it
1000000000 times ...

so we can do:

foreach (1..1000) { print "a"x1000000; }

this will allocate a 1MB long string (but that's ok, we are no longer
running on Z80 processors) and print it 1000 times. it works _A_ LOT
FASTER

$> perl -e 'foreach (1..1000) { print "a"x1000000; }' | gzip >outfile.gziped




-------------------------------------------------------------------
so,

what is the POINT of this email ?


1. when you write a program, try NOT TO eat all your memory.
(the point of any exploit is to exploit OTHERS :-)

2. when you try to break something try to think a little more on the
subject, let's do a better job that the one that wrote the original
program. we don't want an exploit that works even worse than the program.

3. everybody, before releasing a theory FIRST see if you're right.
test your idea first, then test your code. read some papers about that
subject.


4. there is no such thing as "So I must find the maximum byte size that I
can pipe to gzip."
   you can pipe as long as you want, as long as you do PIPE something. in
your case the source program (perl) crashed with 'out of memory' BEFORE it
was able to send something to gzip.
   for all you new guys, PIPE doesn't have a size limit, you can write as
long as someone keeps reading from the other end.



When I see something called EXPLOIT, I expect it to exploit the VICTIM,
not the attacker.
and, when you report a vulnerability, make sure is the target program
vulnerable not your own code, and make sure your exploit is not yet
another vulnerable program. there is nothing worse than exploatable
exploit ... hahahaha




Best regards,
Doru Petrescu