Date: Sat, 07 Feb 2004 19:56:20 +0100
From: Andreas Marx <amarx@...a-it.de>
To: Bipin Gautam. <door_hunt3r@...ckcodemail.com>,
	bugtraq@...urityfocus.com
Subject: Re: Decompression Bombs [...missed something]


Hi!

>isn't the concept same as the one I produced 3 months ago in...
>http://www.securityfocus.com/bid/8572/info/
>indeed the replica... of my old concept!

No, that's not the case. The history with decompression bombs is much, much 
older. For example, Rob Rosenberger (www.vmyths.com) has created such 
testsets already in 1998 and 1999 (eistpfh.zip). He presented his results 
at conferences (e.g. in 2000) a few times already. He has created several 
test cases and many av programs still have problems with his testset.

His testset includes files like this:
"40,000 small DOTs masquerading as DOCs, infected with CAP virus, 
compressed to 132MB by WinZip.zip"
or "A thousand ZIPs, each with a 1GB EXE which creates a 1GB TXT, 
compressed to 15MB.zip"
or "A thousand ZIPs, each with a thousand ZIPs, each with a 1GB TXT, 
compressed to 21MB.zip"
or "Multiple (2) 1GB EXE files, each which create a 1GB TXT, compressed to 
2MB.zip"
or "A 64MB RTF compressed to 2k (two extra final levels of compression).zip"
and so on.

We (www.av-test.org) have included decompression bombs in our testset as 
well -- for example, our Exchange 2000 (SP1) test of anti-virus software, 
dated 2001-09, included such files. For this, we have tested heavily nested 
zip files (mail bombs, such as the "famous" 42.zip), we have created ARJ 
and ZIP archives with device names like AUX or LPT1, plus we have created 
archives with paths like "../name.exe". More than 1/2 of all tested av 
products were vulnerable to these attacks at this time -- and it was only a 
small-scale test of such aspects.

cheers,
Andreas Marx

-- 
BSc. Andreas Marx <amarx@...a-it.de>, http://www.av-test.org
AV-Test GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469
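The message above lists four archive-handling problems that tripped up scanners of the time: extreme compression ratios, deep archive nesting, entry names that are Windows device names (AUX, LPT1), and entry paths like "../name.exe". The following is an added example, not code from the mail or from AV-Test, of a defensive pre-check that reads only a zip's central directory and reports those indicators without extracting anything. The thresholds (MAX_RATIO, MAX_DEPTH, MAX_NESTED_BYTES, MAX_TOTAL) and the build_sample_zip() fixture are assumptions constructed for illustration; the fixture is a few hundred bytes of test data, not a real bomb.

```python
import io
import posixpath
import zipfile

# Windows reserved device names; the mail names AUX and LPT1 as examples.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Thresholds are assumptions chosen for illustration, not values from the mail.
MAX_RATIO = 100.0            # declared uncompressed:compressed ratio per entry
MAX_DEPTH = 2                # archive-in-archive levels we are willing to open
MAX_NESTED_BYTES = 8 << 20   # largest nested archive we will read into memory
MAX_TOTAL = 1 << 30          # largest declared total uncompressed size (1 GiB)


def is_device_name(entry_name):
    """True if the entry would map onto a reserved device when written on Windows."""
    base = posixpath.basename(entry_name.replace("\\", "/"))
    # "AUX.txt" is still the AUX device on Windows, so compare the stem only.
    return base.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES


def is_traversal(entry_name):
    """True for absolute paths, drive-letter paths, or any '..' component."""
    normalized = entry_name.replace("\\", "/")
    parts = normalized.split("/")
    has_drive = len(normalized) > 1 and normalized[1] == ":"
    return normalized.startswith("/") or ".." in parts or has_drive


def inspect_zip(data, depth=0, prefix="", max_total=MAX_TOTAL):
    """Walk the central directory of an in-memory zip and return (kind, name) findings.

    Members are never written to disk; a nested archive is only opened while its
    declared size stays under MAX_NESTED_BYTES and the depth stays under MAX_DEPTH.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_a_zip", prefix or "<root>")]

    declared_total = 0
    for info in zf.infolist():
        name = prefix + info.filename
        declared_total += info.file_size
        if info.is_dir():
            continue
        if is_device_name(info.filename):
            findings.append(("device_name", name))
        if is_traversal(info.filename):
            findings.append(("traversal", name))
        # Sizes come from the central directory, so this is a cheap first filter,
        # not a guarantee: a hostile archive can lie about file_size.
        if info.compress_size > 0 and info.file_size / info.compress_size > MAX_RATIO:
            findings.append(("high_ratio", name))
        if info.filename.lower().endswith(".zip"):
            if depth + 1 >= MAX_DEPTH:
                findings.append(("nesting", name))
            elif info.file_size > MAX_NESTED_BYTES:
                findings.append(("nested_too_large", name))
            else:
                findings.extend(inspect_zip(zf.read(info), depth + 1, name + "/", max_total))
    if declared_total > max_total:
        findings.append(("declared_total", prefix or "<root>"))
    return findings


def _zip_bytes(entries):
    """Build a DEFLATE zip in memory from {name: bytes} (helper for the fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_zip():
    """Constructed test fixture exhibiting each indicator the mail describes."""
    inner2 = _zip_bytes({"deep.txt": b"deep"})
    inner = _zip_bytes({"inner2.zip": inner2})
    return _zip_bytes({
        "readme.txt": b"hello",          # benign entry, must not be flagged
        "zeros.bin": b"\0" * (1 << 20),  # 1 MiB of zeros deflates to ~1 KiB
        "../name.exe": b"MZ",            # path traversal as in the mail
        "AUX": b"x",                     # reserved device name as in the mail
        "inner.zip": inner,              # zip inside zip inside zip
    })


if __name__ == "__main__":
    for kind, name in inspect_zip(build_sample_zip()):
        print(f"{kind:16} {name}")
```

Because the ratio and total-size checks trust the sizes recorded in the central directory, they belong in front of, not instead of, a decompressor that enforces a hard byte budget and stops when it is exceeded; the name checks, by contrast, can be applied before any extraction at all.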


