Message-ID: <4838297.1073992053@[10.3.62.6]>
From: pbieringer at aerasec.de (Dr. Peter Bieringer)
Subject: BZIP2 bomb question

--On Tuesday, 13 January 2004 07:35 +1100 Gregh <chows@...mail.com.au> wrote:

> Please note I am not a good programmer here but here goes:
>
> I am wondering why, for those who HAVE to auto unpack, a script cannot be
> written which, upon receipt of an archive of any sort, inspects it for, as
> an example, 100K of the same character repeated (keeping in mind that the
> NULL character, chr$(7) etc have all been used for compressed bombs) and
> if there *IS* such a file, move the file to some safe location for later
> manual inspection and if not, allow automatic unpacking etc.
>
> Surely this would be a 5 minute script for SOMEONE who knows how to do it
> well? Even if it won't work on receipt of compressed archives, it could be
> a timed event to happen, say 10 minutes before the actual auto unpacking
> is to occur if that is done at a particular time.
>
> I used to be a "dabbler" programmer on a machine back in the 80s where we
> used to have this same sort of problem and because the services provided
> could not be interrupted, the above was how I got around it.

As Ralf Hildebrandt and another guy told me, using AV scanners with the
amavisd-new framework and letting amavisd-new decompress the files before
triggering the AV scanners would be a solution.

Existing amavisd-new options:

# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14;                # (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500;               # (default is undef, no limit)

$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (must be specified)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (must be specified)


	Peter
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
Germany                                Internet: http://www.aerasec.de
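
The expansion limits listed in the message above, applied to a single bzip2 stream; this is an added example, not part of the original message and not amavisd-new's own code. The function names and the rule for combining the four settings into one quota are assumptions of this example.

```python
import bz2

# Limits as quoted in the amavisd-new options above.
MIN_EXPANSION_QUOTA = 100 * 1024
MAX_EXPANSION_QUOTA = 300 * 1024 * 1024
MIN_EXPANSION_FACTOR = 5
MAX_EXPANSION_FACTOR = 500


class QuotaExceeded(Exception):
    """Decompressed output grew past the allowed size."""


def expansion_quota(input_size):
    # Assumed combination rule for this example (not amavisd-new's code):
    # factor-based bounds, clamped by the absolute MIN/MAX quotas.
    lower = max(MIN_EXPANSION_QUOTA, input_size * MIN_EXPANSION_FACTOR)
    upper = min(MAX_EXPANSION_QUOTA, input_size * MAX_EXPANSION_FACTOR)
    return max(lower, upper)


def bounded_bunzip2(data, quota=None, chunk=64 * 1024):
    """Decompress one bzip2 stream, buffering at most quota + chunk bytes."""
    if quota is None:
        quota = expansion_quota(len(data))
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    feed = data
    while not dec.eof:
        # max_length caps each step, so a tiny input cannot expand unchecked.
        piece = dec.decompress(feed, max_length=chunk)
        feed = b""
        out += piece
        if len(out) > quota:
            raise QuotaExceeded(f"more than {quota} bytes of output")
        if not piece and dec.needs_input:
            raise ValueError("truncated bzip2 stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 5 MiB of one repeated byte, compressed in memory.
    sample = bz2.compress(b"\0" * (5 * 1024 * 1024))
    try:
        bounded_bunzip2(sample)
    except QuotaExceeded as exc:
        print(f"{len(sample)}-byte input held for manual inspection: {exc}")
```

Because the check runs while decompressing, the oversized output is never fully materialised, which is what a pre-scan for repeated characters in the compressed file cannot guarantee.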

