| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4027B905.9F5D4B85@dessent.net>
Date: Mon, 09 Feb 2004 08:44:53 -0800
From: Brian Dessent <brian@...sent.net>
To: bugtraq@...urityfocus.com
Subject: Re: Decompression Bombs
Myron Davis wrote:
> This as far as I know is fairly well known as we had a problem with this a
> while back (by accident).
>
> We put a little check in like this:
>
> unzip -l $SANITIZED_ZIP_FILE|tail -n 1|cut -f4 -d' '
>
> then checked the size .. if it was larger then oohh.. 400 megs, then drop
> it w/ an error for it being too large.
This check will fail for all but the most naive of bombs. For example,
consider the file located at <http://www.unforgettable.dk/42.zip>. This
file contains a number of recursively nested ZIP files, to a depth of
5. Compressed it is only 41kB, yet unpacks to 4.5 PB
(4,503,599,626,321,920 bytes) in total.
$ unzip -l 42.zip
Archive: 42.zip
Length Date Time Name
-------- ---- ---- ----
34902 03-28-00 21:40 lib 3.zip
34902 03-28-00 21:40 lib 1.zip
34902 03-28-00 21:40 lib 2.zip
34902 03-28-00 21:40 lib 0.zip
34902 03-28-00 21:40 lib 4.zip
34902 03-28-00 21:40 lib 5.zip
34902 03-28-00 21:40 lib 6.zip
34902 03-28-00 21:40 lib 7.zip
34902 03-28-00 21:40 lib 8.zip
34902 03-28-00 21:40 lib 9.zip
34902 03-28-00 21:40 lib a.zip
34902 03-28-00 21:40 lib b.zip
34902 03-28-00 21:40 lib c.zip
34902 03-28-00 21:40 lib d.zip
34902 03-28-00 21:40 lib e.zip
34902 03-28-00 21:40 lib f.zip
-------- -------
558432 16 files
Your virus scanner will probably try to descend each of those archives,
and will croak if it does not recognise this as malware.
Brian
Powered by blists - more mailing lists