| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Feb 2004 23:54:08 -0900 (AKST) From: "Myron Davis" <myrond@...x.com> To: "David Bachtel" <dave@...ltimegaming.com> Cc: "Matthias Leu" <mleu@...asec.de>, bugtraq@...urityfocus.com Subject: RE: Decompression Bombs This as far as I know is fairly well known as we had a problem with this a while back (by accident). We put a little check in like this: unzip -l $SANITIZED_ZIP_FILE|tail -n 1|cut -f4 -d' ' then checked the size .. if it was larger then oohh.. 400 megs, then drop it w/ an error for it being too large. easy way to generate a large zip file is to do something like this: dd if=/dev/zero of=testfile count=10000&&gzip testfile&&ls -la testfile should get huge file to test w/ mighty quickly, try sending that to a few virus scanners. Theoretically one could modify a worm to send random zip'd files of zeros along the way to different hosts to really kill the destinations computers. -Myron > Wow, This is a very interesting concept. Any vendor that relies on any > decompresion library could be vulnerable. Anything from something like > Photoshop to IE to virus scanners. > > The example files given on the website seem to require a password. Can > you provide it? > > Nice work and thanks! > > Dave Bachtel > IT Intern > RealTime Gaming > Atlanta, GA - USA > 404-459-4263 x139 > â¥â£â¦â > > > -----Original Message----- > From: Matthias Leu [mailto:mleu@...asec.de] > Sent: Tuesday, February 03, 2004 12:04 PM > To: bugtraq@...urityfocus.com > Subject: Decompression Bombs > > > As a followup to http://www.securityfocus.com/bid/9393/, where we > pointed out vulnerabilities of some antivirus-gateways while > decompressing bzip2-bombs, we were interested in the behaviour of > various applications that process compressed data. > > It looks as if not only bzip2 bombs, but also decompression bombs in > general might cause problems. Compression is used in many applications, > but hardly any maximum size limits are checked during the decompression > of untrusted content. > > We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png > and gif graphics, openoffice zip bombs). With these we tested some more > applications like additional antivirus engines, various web browsers, > openoffice.org, and the Gimp. > > As a result, much more applications as we thought crashed. The > manufacturers of software should care more about the processing of > untrusted input. > > For details see our full advisory, written by Dr. Peter Bieringer: > http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html > > Best regards, > Dr. Matthias Leu > -- > AERAsec Network Services and Security GmbH > Wagenberger Strasse 1 > D-85662 Hohenbrunn, Germany > http://www.aerasec.de > > >
Powered by blists - more mailing lists