lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001a01c3d94b$90e61c00$6500a8c0@p41700>
From: chows at ozemail.com.au (Gregh)
Subject: BZIP2 bomb question

Please note I am not a good programmer here but here goes:

I am wondering why, for those who HAVE to auto unpack, a script cannot be
written which, upon receipt of an archive of any sort, inspects it for, as
an example, 100K of the same character repeated (keeping in mind that the
NULL character, chr$(7) etc have all been used for compressed bombs) and if
there *IS* such a file, move the file to some safe location for later manual
inspection and if not, allow automatic unpacking etc.

Surely this would be a 5 minute script for SOMEONE who knows how to do it
well? Even if it wont work on receipt of compressed archives, it could be a
timed even to happen, say 10 minutes before the actual auto unpacking is to
occur if that is done at a particular time.

I used to be a "dabbler" programmer on a machine back in the 80s where we
used to have this same sort of problem and because the services provided
could not be interrupted, the above was how I got around it.

Greg.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ