Open Source and information security mailing list archives
From: visitbipin at yahoo.com (bipin gautam)
Subject: Re: Antivirus/Trojan/Spyware scanners DoS [summary]

>you do not have the complete picture and your incomplete
>research is just making everyone confused.

Well, I've submitted a proof of concept. I wonder why
you are so interested in the 'how to...' in detail.
Most of the people out here know it anyway. I don't have
the resources to test each and every AV scanner, so I
asked the FD community to help me out.

>I'd rather take reference
>from the old advisory that gives at least a clear
>background
>
>http://www.rapid7.com/advisories/R7-0004/index.html
>
>
>about clam check "manager.c" of clam 0.15
>
>    242     if(strbcasestr(filename, ".zip")) {
>    243         char *args[] = { "unzip", "-P", "clam", "-o", (char *) filename, NULL };
>    244         if((userprg = getargl(opt, "unzip")))
>    245             ret = clamav_unpack(userprg, args, tmpdir, user, opt);
>    246         else
>    247             ret = clamav_unpack("unzip", args, tmpdir, user, opt);
>
>
>clam uses the unzip utility outside its process space. If
>unzip itself is vulnerable (not the case on Linux) then clam may face
>a similar problem
>-npguy


..the issue you addressed above in no way can relate
to any AV scanner DoS attack. I have repeatedly
stated that the proof of concept wasn't created by
modifying the header or CRC checksum of the archive. I
believe many people are confusing my advisory
released more than 9 months ago in Bugtraq
[http://www.securityfocus.com/bid/8572] with this
one.....

-------------------------------------

Well, an attacker can create a really big file and
compress it via,

dd if=/dev/zero of=/crash bs=9999

and compress the file. [Well, there are ways to squeeze
a terabyte of such data into a few kilobytes]

It is possible to construct an archive containing a
file or files that will cause a denial of service
condition when a scanner attempts to extract the
contents of the archive. Usually files within archives
are completely extracted before being scanned, which gives
rise to this vulnerability. Moreover, it's not safe to
have the 'Quarantine/delete' option set to automatic for
your AV scanner, as it may try to quarantine the virus
by extracting the archive.

Moreover, if you download such archives from an
internet location, or copy/paste such files from a
destination, those vulnerable "antivirus software"
with their auto-protect engines active may also
trigger a DoS.

An attacker could construct such an archive and, if it is sent
to a vulnerable AV gateway multiple times, it may
result in system instability, high CPU use for a long
time, system hang, crash etc...

This issue has already been updated in
http://www.geocities.com/visitbipin/Multiple_AV_DoS.html
'2' days ago.
I have already contacted many AV vendors addressing the
issue about a week ago; I haven't got any response.

regards,
bipin gautam
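
A defensive check for the archive-expansion DoS described in the post above, added here as an example; it is not code from the original message or from any AV product. It assumes a zip archive held in memory, and the byte cap, ratio threshold and sample members are constructed values:

```python
"""Bounded archive inspection: refuse to fully expand a zip whose declared or
actual uncompressed size / compression ratio exceeds fixed limits."""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024   # hard cap on bytes we will ever expand (assumed)
MAX_RATIO = 100                              # uncompressed/compressed ratio threshold (assumed)
CHUNK = 64 * 1024


def check_archive(data: bytes) -> dict:
    """Return {'ok': bool, 'reason': str, 'expanded': int}.

    Two layers: first a cheap rejection based on the central directory,
    then streaming extraction with a running byte budget, because the
    declared sizes can be forged and extracting a member fully before
    scanning it is exactly the failure mode the post describes.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"ok": False, "reason": f"not a zip: {exc}", "expanded": 0}
    infos = zf.infolist()
    if sum(i.file_size for i in infos) > MAX_TOTAL_UNCOMPRESSED:
        return {"ok": False, "reason": "declared size over limit", "expanded": 0}
    for info in infos:
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            return {"ok": False, "reason": f"ratio too high: {info.filename}", "expanded": 0}
    expanded = 0
    for info in infos:
        with zf.open(info) as member:
            while chunk := member.read(CHUNK):
                expanded += len(chunk)
                if expanded > MAX_TOTAL_UNCOMPRESSED:
                    return {"ok": False, "reason": "actual size over limit", "expanded": expanded}
    return {"ok": True, "reason": "", "expanded": expanded}


def make_zip(members: dict) -> bytes:
    """Build a constructed sample archive (name -> bytes), deflate-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_archive(make_zip({"readme.txt": b"hello, nothing to see here"})))
    print(check_archive(make_zip({"crash": b"\0" * (16 * 1024 * 1024)})))  # constructed zero-filled member
```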
