Open Source and information security mailing list archives
Message-ID: <5.1.0.14.2.20040615122424.017e9410@webmail.compranet.gob.mx>
Date: Tue, 15 Jun 2004 12:48:07 -0500
From: Yosif Sleman <sleman@...pranet.gob.mx>
To: bugtraq@...urityfocus.com
Subject: Re: Multiple Antivirus Scanners DoS attack.



Solaris 8 box with Virus Scan for Solaris 4.32.0, engine 4.3.20 and data 
file 4366 takes a lot of CPU and time to process the file, but the process 
never crashed nor hung; the CPU was around 96% of usage, and the 
memory kept between 26 and 33 MB (I have two web servers and a database 
running on the test box and none was affected even with uvscan taking 
all the CPU).

At first, the scan stalled at the same point as on Linux, but after 3 mins 
the scan continued without problems; I had to stop the scan 48 mins later 
with only 50% of the backdoor file processed because it was taking so 
long to finish. (The cab files are the slowest to parse.)

Regards,
Sleman

At 02:48 PM 14/06/2004 -0300, "Ethy H. Brito" <ethy@...xo.com.br> wrote:
>On Mon, 14 Jun 2004 14:38:50 +0000
>"bipin gautam" <visitbipin@...mail.com> wrote:
>
> > Multiple Antivirus Scanners DoS attack.
> >
> > --- [Vulnerable Products] ---
> >       Only tested on...
> >
> > * Norton Antivirus 2002
> > * Norton Antivirus 2003
> > * Mcafee VirusScan 6
> > * Network Associates (McAfee) VirusScan Enterprise 7.1
> > * Windows XP default ZIP manager [reports wrong size of compressed ZIP
> > files.]
>
>Linux uvscan scan engine 4.3.20 (McAfee) is also vulnerable.
>uvscan takes all CPU and lots of memory, being killed only with signal 9 
>from another terminal.
>
>from 'top':
>  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
>1306 nobody    15   0 22744  21M  1648 R    97.4 35.6   0:44   0 uvscan
>
>nobody@...alu:/usr/local/uvscan# ./uvscan -v -r --analyze --unzip 
>BlackHole.zip
>Scanning BlackHole.zip
>Scanning file BlackHole.zip
>Scanning file BlackHole.zip/~.BZ2
>   ..... stalls here .....
>
>--
>
>Ethy H. Brito         /"\
>InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
>+55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
>S.J.Campos - Brasil   / \
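
The stall reported above comes from a scanner inflating a nested archive (BlackHole.zip/~.BZ2) with no budget on how much output it is willing to produce. As an added example, not code from the original posts or from any of the products named, here is a bounded inspector in Python that walks a ZIP, refuses to trust the size fields in its headers, caps the bytes it inflates per member, and descends into nested bz2 or ZIP members only within fixed limits; the MAX_RATIO, MAX_INFLATE and MAX_DEPTH budgets and the constructed sample archive are assumptions.

```python
import bz2
import io
import zipfile
MAX_RATIO = 100            # expanded bytes per stored byte before we flag (assumed budget)
MAX_INFLATE = 1024 * 1024  # hard cap on bytes inflated per member (assumed budget)
MAX_DEPTH = 3              # archive-in-archive levels we will descend (assumed budget)

def inflate_bz2_bounded(data, limit):
    """Decompress a bz2 stream but stop after `limit` bytes: returns (produced, truncated)."""
    d, produced, buf = bz2.BZ2Decompressor(), 0, data
    while not d.eof:
        produced += len(d.decompress(buf, max_length=64 * 1024))  # bounded output per step
        buf = b""                                                  # later calls drain output
        if produced > limit:
            return produced, True
        if d.needs_input:  # input exhausted before the end-of-stream marker: stop
            break
    return produced, False

def inspect_zip(blob, depth=0):
    """Walk a ZIP without trusting its size fields; return a list of findings."""
    if depth >= MAX_DEPTH:
        return [f"nesting depth {depth} reached, refusing to descend"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.file_size / max(info.compress_size, 1) > MAX_RATIO:
                findings.append(f"{info.filename}: declared ratio over {MAX_RATIO}:1")
            try:
                with zf.open(info) as fh:          # read under the budget: headers can lie
                    member = fh.read(MAX_INFLATE + 1)
            except zipfile.BadZipFile as exc:      # e.g. CRC mismatch behind a lying header
                findings.append(f"{info.filename}: corrupt member ({exc})")
                continue
            if len(member) > MAX_INFLATE:
                findings.append(f"{info.filename}: inflates past {MAX_INFLATE} bytes")
            elif member[:3] == b"BZh":             # bz2 inside ZIP, the BlackHole.zip/~.BZ2 shape
                produced, truncated = inflate_bz2_bounded(member, MAX_INFLATE)
                if truncated or produced > MAX_RATIO * len(member):
                    findings.append(f"{info.filename}: bz2 payload expands {produced // len(member)}:1, truncated={truncated}")
            elif member[:4] == b"PK\x03\x04":      # nested ZIP: recurse under the depth cap
                findings += [f"{info.filename}/{f}" for f in inspect_zip(member, depth + 1)]
    return findings

def build_sample(zero_bytes=0):
    """Constructed input: a ZIP holding '~.BZ2' (bz2 of zeros) or just a plain readme.txt."""
    name, body = ("~.BZ2", bz2.compress(b"\x00" * zero_bytes)) if zero_bytes else ("readme.txt", b"hello\n")
    with zipfile.ZipFile(out := io.BytesIO(), "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return out.getvalue()
```

A scanner that reports and skips such members keeps its CPU and memory bounded instead of stalling the way uvscan did in the thread.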
