Message-ID: <000001c3d71b$0b5e3cc0$0201a8c0@fosi>
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: bzip2 bombs still causes problems in antivirus-software

It would probably be a good idea to implement ulimit
restrictions on the user that the software runs as.

I had awful problems with the syntax on that sentence,
but I am sure you will know what it means.
:)

Also you should be aware that the software doesn't automatically
clear the leftovers out of the filesystem.

One suggestion I've heard is to put the directory where the
zip files get unpacked for software forensics & antivirus detection
on tmpfs or some such. That way, after a reboot it's guaranteed
to not be there. Or something like that. (my favorite sentence)

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Dr. Peter Bieringer
> Sent: Saturday, 10 January 2004 6:38
> To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com
> Subject: [Full-Disclosure] bzip2 bombs still causes problems
> in antivirus-software
>
> Hi,
>
> sure you remember the e-mail from Steve Wray in August 2003
> about bzip2 bombs and the possible DoS against antivirus-software:
> http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html
>
> We found that this is still an issue; in particular we found that one
> vendor detects bzip2 bombs by pattern (2 GB of zeros are detected,
> but not 2 GB of e.g. 0x31).
>
> Also, others will neither detect the bomb nor stop decompression; it
> looks like they are missing smart code for anomaly detection and/or
> proper limits, and eat all existing disk space and CPU power instead
> of reporting a problem.
>
> Namely, we confirm this issue still exists on:
>
> * kavscanner of
>   Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.5)
> * vscan of
>   Trend Micro InterScan VirusWall 3.8 Build 1130
> * uvscan of
>   McAfee Virus Scan for Linux v4.16.0
>
> Probably other versions and products are vulnerable, too.
>
> Full advisory is available here:
> http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt
>
> Hope this helps to bring this issue up again with software vendors, to
> implement smarter anomaly detection code and configurable limits
> (number of files, max size) in the decompression unit.
>
> Regards,
> 	Dr. Peter Bieringer
> --
> Dr. Peter Bieringer                             Phone: +49-8102-895190
> AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
> Wagenberger Straße 1                           Mobile: +49-174-9015046
> D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
> Germany                                Internet: http://www.aerasec.de
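The remedy the thread asks vendors for, configurable limits (max size, number of files) plus anomaly detection inside the decompression unit, as an added example that is not part of this message and not code from any of the products named. It is a bounded bzip2 decompressor written for this page in Python, using only the standard library's bz2.BZ2Decompressor: decompressed output is pulled in fixed chunks, a hard output cap stops the stream before it can eat the disk, and an output/input ratio check flags the anomaly early. The bomb it is exercised against is constructed inline (a stream of 0x31 bytes, the byte the advisory notes slipped past a pattern-based detector); the limit values are assumptions chosen for the demonstration.

```python
"""Bounded bzip2 decompression: a sketch of 'configurable limits in the
decompression unit' (added example; not any vendor's code)."""
import bz2


class DecompressionLimitExceeded(Exception):
    """Raised when a stream trips a limit; .reason is 'size' or 'ratio'."""

    def __init__(self, reason, produced, consumed):
        super().__init__(f"{reason} limit hit after {produced} bytes out / "
                         f"{consumed} bytes in")
        self.reason = reason
        self.produced = produced
        self.consumed = consumed


def safe_bz2_decompress(data, max_output, max_ratio=100,
                        ratio_check_after=1 << 20, chunk=64 * 1024):
    """Decompress a complete bzip2 stream while enforcing two limits:
      max_output  hard cap on decompressed bytes (the 'max size' limit)
      max_ratio   anomaly check on output/input, applied only once at least
                  ratio_check_after bytes have been produced, so small
                  highly compressible files are not flagged (None disables)
    Output is requested in `chunk`-sized pieces, so a bomb can never make
    us allocate more than one chunk beyond the cap before we stop.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pos = 0  # compressed bytes handed to the decompressor so far
    while not dec.eof:
        if dec.needs_input:
            if pos >= len(data):
                raise ValueError("truncated bzip2 stream")
            piece = data[pos:pos + chunk]
            pos += len(piece)
        else:
            piece = b""  # decompressor still holds buffered input
        out += dec.decompress(piece, max_length=chunk)
        if len(out) > max_output:
            raise DecompressionLimitExceeded("size", len(out), pos)
        if (max_ratio is not None and len(out) >= ratio_check_after
                and len(out) > max_ratio * pos):
            raise DecompressionLimitExceeded("ratio", len(out), pos)
    return bytes(out)


def make_bomb(size=4 << 20, filler=b"1"):
    """Constructed sample: a bzip2 stream that expands to `size` identical
    bytes (0x31 by default). Small on the wire, large when inflated."""
    return bz2.compress(filler * size)


def roundtrip(payload, max_output=1 << 20):
    """Compress `payload` and push it through the bounded decompressor."""
    return safe_bz2_decompress(bz2.compress(payload), max_output)


def classify(data, max_output, max_ratio=100):
    """Return 'ok', 'size' or 'ratio' for a stream; the shape a scanner's
    per-member loop would use to report instead of filling the disk."""
    try:
        safe_bz2_decompress(data, max_output, max_ratio=max_ratio)
    except DecompressionLimitExceeded as exc:
        return exc.reason
    return "ok"


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"constructed bomb: {len(bomb)} bytes compressed, 4 MiB inflated")
    print("cap 64 MiB, ratio check on :", classify(bomb, 64 << 20))
    print("cap 1 MiB,  ratio check off:", classify(bomb, 1 << 20, None))
    print("10 KiB of 0x31, cap 1 MiB  :", classify(make_bomb(10 << 10), 1 << 20))
```

The ratio check is the cheap anomaly signal (a few hundred compressed bytes producing a megabyte is not a normal file), while the output cap is the guarantee; the floor before the ratio applies keeps ordinary small, repetitive files from being rejected. Steve's ulimit suggestion is the OS-level complement for scanners whose code you cannot change: `ulimit -f` bounds the size of files the process may write and `ulimit -v` its address space, so an unbounded extractor fails instead of exhausting the host.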


