Message-ID: <200406141536.09709.npguy@websurfer.com.np>
From: npguy at websurfer.com.np (npguy)
Subject: Multiple Antivirus Scanners DoS attack. [summery]

Well, the advisory gives no details and seems to be a very naive touch.

On Monday 14 June 2004 02:13 pm, bipin gautam wrote:
> Multiple Antivirus Scanners DoS attack.

>
> * F-Prot 4.4.2 for Linux

Linux F-Prot works perfectly well. Test before you make claims.

>
> * Rav Antivirus online Scanner [Couldn't complete the
> scan...]
>
> * Windows XP default ZIP manager [reports wrong size
> of compressed ZIP files.]

If you mess with the headers, any compression API tells you
the same wrong size. Check zlib, infoZip, rar, arj.

There is no way to detect these changes. Checking each file's integrity
against the header info will take a significant amount of time. Anyway, like
WinZIP, the extraction routine seeks file content until the next header
starts, so that the altered file size will not be able to fool the routine,
i.e. Design Error.

I believe this is also related to the same problem in WinRAR, and it is
also the same design error, I believe. It trusts the header info and starts
extracting the files.

>
> --- [Details] ---
> While having a manual scan of compressed files,
> several Antivirus, Trojan, Spyware scanners suffer a
> DoS attack if the software tries to completely extract
> the archive and scan its content for a hostile file.
>

Those using the infoZip and zlib libraries, or even WinZIP as an external
extractor, won't suffer from this problem.
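
The thread turns on whether an extractor or scanner trusts the sizes a ZIP header declares. As an added example (not part of the original message or of any tool named in it), this Python code compares each member's declared size with what its deflate stream actually yields, under a hard output cap; the sample archive and the names `audit_zip`, `inflated_size` and `build_sample` are constructed for illustration.

```python
import io, struct, zipfile, zlib

# 30-byte local file header; only flags, method, uncompressed size, name/extra lengths are read
LOCAL_HDR = struct.Struct("<6x2H12xL2H")

def inflated_size(blob, limit):
    """Count bytes a raw-deflate stream really produces, stopping once past `limit`."""
    d, total, buf = zlib.decompressobj(-15), 0, blob
    while not d.eof and total <= limit:
        chunk = d.decompress(buf, 65536)   # never more than 64 KiB of output per step
        buf = d.unconsumed_tail
        if not chunk and not buf:
            break                          # truncated stream, nothing more to read
        total += len(chunk)
    return total

def audit_zip(data, max_bytes=1 << 20):
    """Return {name: (declared, actual, verdict)}; header sizes are treated as claims."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            flags, method, local_size, nlen, xlen = LOCAL_HDR.unpack_from(data, info.header_offset)
            start = info.header_offset + LOCAL_HDR.size + nlen + xlen
            blob = data[start:start + info.compress_size]
            if method == zipfile.ZIP_DEFLATED:
                actual = inflated_size(blob, max_bytes)
            elif method == zipfile.ZIP_STORED:
                actual = len(blob)
            else:
                report[info.filename] = (info.file_size, None, "unsupported-method")
                continue
            # Flag bit 3 means the real sizes follow the data, so the local field is 0.
            local_ok = bool(flags & 0x08) or local_size == info.file_size
            verdict = ("over-limit" if actual > max_bytes
                       else "ok" if actual == info.file_size and local_ok else "size-mismatch")
            report[info.filename] = (info.file_size, actual, verdict)
    return report

def build_sample():  # constructed sample: second member's declared size patched to 10
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("honest.txt", b"A" * 1000)
        zf.writestr("lying.txt", b"B" * 200_000)
    raw = bytearray(buf.getvalue())
    last_cd = raw.rfind(b"PK\x01\x02")             # last central-directory entry
    struct.pack_into("<L", raw, last_cd + 24, 10)  # its uncompressed-size field
    return bytes(raw)

if __name__ == "__main__":
    print(audit_zip(build_sample(), max_bytes=100_000))
```

The cap bounds the work per member regardless of what the header says, so the declared size is only ever used for comparison, never for allocation or loop limits.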

