Open Source and information security mailing list archives
Message-ID: <3867.209.193.18.88.1076144048.squirrel@mail.xyxx.com>
Date: Fri, 6 Feb 2004 23:54:08 -0900 (AKST)
From: "Myron Davis" <myrond@...x.com>
To: "David Bachtel" <dave@...ltimegaming.com>
Cc: "Matthias Leu" <mleu@...asec.de>, bugtraq@...urityfocus.com
Subject: RE: Decompression Bombs


This as far as I know is fairly well known as we had a problem with this a
while back (by accident).

We put a little check in like this:

unzip -l "$SANITIZED_ZIP_FILE" | tail -n 1 | awk '{print $1}'

then checked the size .. if it was larger than oohh.. 400 megs, then drop
it w/ an error for it being too large.

easy way to generate a large zip file is to do something like this:

dd if=/dev/zero of=testfile count=10000 && gzip testfile && ls -la testfile.gz

should get huge file to test w/ mighty quickly, try sending that to a few
virus scanners.

Theoretically one could modify a worm to send random zip'd files of zeros
along the way to different hosts to really kill the destinations'
computers.

-Myron


> Wow, this is a very interesting concept.  Any vendor that relies on any
> decompression library could be vulnerable.  Anything from something like
> Photoshop to IE to virus scanners.
>
> The example files given on the website seem to require a password.  Can
> you provide it?
>
> Nice work and thanks!
>
> Dave Bachtel
> IT Intern
> RealTime Gaming
> Atlanta, GA - USA
> 404-459-4263 x139
>
>
> -----Original Message-----
> From: Matthias Leu [mailto:mleu@...asec.de]
> Sent: Tuesday, February 03, 2004 12:04 PM
> To: bugtraq@...urityfocus.com
> Subject: Decompression Bombs
>
>
> As a followup to http://www.securityfocus.com/bid/9393/, where we
> pointed out vulnerabilities of some antivirus-gateways while
> decompressing bzip2-bombs, we were interested in the behaviour of
> various applications that process compressed data.
>
> It looks as if not only bzip2 bombs, but also decompression bombs in
> general might cause problems. Compression is used in many applications,
> but hardly any maximum size limits are checked during the decompression
> of untrusted content.
>
> We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png
> and gif graphics, openoffice zip bombs). With these we tested some more
> applications like additional antivirus engines, various web browsers,
> openoffice.org, and the Gimp.
>
> As a result, many more applications than we thought crashed. The
> manufacturers of software should care more about the processing of
> untrusted input.
>
> For details see our full advisory, written by Dr. Peter Bieringer:
> http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
>
> Best regards,
> Dr. Matthias Leu
> --
> AERAsec Network Services and Security GmbH
> Wagenberger Strasse 1
> D-85662 Hohenbrunn, Germany
> http://www.aerasec.de
>
>
>
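
Added example, not part of the original messages: the size check described in the reply, written for a scanner that receives the archive as bytes, and extended to gzip, where there is no listing to read and the cap has to be enforced on the bytes actually produced. The function names are hypothetical; the 400 MB ceiling is the one from the message.

```python
import io
import zipfile
import zlib

LIMIT = 400 * 1024 * 1024  # the ~400 MB ceiling mentioned in the message


def zip_declared_size(data: bytes) -> int:
    """Sum the uncompressed sizes declared in the zip central directory
    (the total that `unzip -l` prints on its last line). These fields are
    written by whoever built the archive, so treat this as a cheap
    pre-filter and still cap the output during extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def bounded_gunzip(data: bytes, limit: int = LIMIT,
                   chunk: int = 64 * 1024) -> bytes:
    """Inflate the first gzip member of `data`, raising ValueError as soon
    as the output exceeds `limit`. No header field is trusted."""
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, chunk)  # emit at most `chunk` bytes
        out += piece
        if len(out) > limit:
            raise ValueError("decompressed size exceeds limit")
        buf = d.unconsumed_tail  # input not yet consumed because of the cap
        if not piece and not buf:
            raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    import gzip
    # Constructed sample: 5,120,000 zero bytes, the size the dd command in
    # the message produces with dd's default 512-byte blocks.
    sample = gzip.compress(b"\0" * 5_120_000)
    print(len(sample), "compressed bytes")
    try:
        bounded_gunzip(sample, limit=1_000_000)
    except ValueError as exc:
        print("rejected:", exc)
```

Memory use stays within `limit` plus one chunk regardless of how large the stream would have expanded.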


