lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <401FD489.8070602@aerasec.de>
Date: Tue, 03 Feb 2004 18:04:09 +0100
From: Matthias Leu <mleu@...asec.de>
To: bugtraq@...urityfocus.com
Subject: Decompression Bombs


As a followup to http://www.securityfocus.com/bid/9393/, where we 
pointed out vulnerabilities of some antivirus-gateways while 
decompressing bzip2-bombs, we were interested in the behaviour of 
various applications that process compressed data.

It looks as if not only bzip2 bombs, but also decompression bombs in 
general might cause problems. Compression is used in many applications, 
but hardly any maximum size limits are checked during the decompression 
of untrusted content.

We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png 
and gif graphics, openoffice zip bombs). With these we tested some more 
applications like additional antivirus engines, various web browsers, 
openoffice.org, and the Gimp.

As a result, much more applications as we thought crashed. The 
manufacturers of software should care more about the processing of 
untrusted input.

For details see our full advisory, written by Dr. Peter Bieringer: 
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html

Best regards,
Dr. Matthias Leu
-- 
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ