Message-ID: <200406141536.09709.npguy@websurfer.com.np>
From: npguy at websurfer.com.np (npguy)
Subject: Multiple Antivirus Scanners DoS attack. [summery]
Well, the advisory gives no details and seems to be a very naive touch.
On Monday 14 June 2004 02:13 pm, bipin gautam wrote:
> Multiple Antivirus Scanners DoS attack.
>
> * F-Prot 4.4.2 for Linux
Linux F-Prot works perfectly well. Test before you make claims.
>
> * Rav Antivirus online Scanner [Couldn't complete the
> scan...]
>
> * Windows XP default ZIP manager [reports wrong size
> of compressed ZIP files.]
If you mess with headers, any compression API tells you
the same wrong size. Check zlib, infoZip, rar, arj.
There is no way to detect these changes. Checking each file's integrity
against the header info will take a significant amount of time. Anyway, like
WinZIP, the extraction routine seeks file content until the next header
starts, so the altered file size will not be able to fool the routine, i.e.
Design Error.
I believe this is also related to the same problem in WinRAR, and it is
also the same design error, I believe. It trusts the header info and starts
extracting the files.
>
> --- [Details] ---
> While having a manual scan of compressed files;
> several Antivirus, Trojan, Spyware scanners suffer a
> DoS attack if the software tries to completely extract
> the archive and scan its content for a hostile file.
>
Those using the infoZip and zlib libraries, or even WinZIP as an external extractor,
won't suffer from this problem.
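
The header-versus-content size mismatch discussed in this message, shown as a scanner-side check. This is an added example, not part of the original post: the sample archive is constructed inline, and the function names, the 64 KiB chunk size and the byte budget are assumptions. It inflates each member under a budget and compares the real byte count with the size the header declares.

```python
import io
import struct
import zipfile
import zlib

CHUNK = 65536  # max bytes inflated per step (assumed value)


def build_sample(declared_size, real_size=100_000):
    """Constructed sample: one-member ZIP with overwritten size fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"A" * real_size)
    raw = bytearray(buf.getvalue())
    struct.pack_into("<I", raw, 22, declared_size)  # local header size field
    cd = raw.rfind(b"PK\x01\x02")                   # central directory entry
    struct.pack_into("<I", raw, cd + 24, declared_size)
    return bytes(raw)


def inflate_count(raw, info, budget):
    """Count bytes a member really inflates to, stopping past the budget."""
    name_len, extra_len = struct.unpack_from("<HH", raw, info.header_offset + 26)
    start = info.header_offset + 30 + name_len + extra_len
    data = raw[start:start + info.compress_size]
    d, total = zlib.decompressobj(-15), 0  # -15: raw deflate, as stored in ZIP
    while not d.eof:
        out = d.decompress(data, CHUNK)
        total += len(out)
        data = d.unconsumed_tail
        if total > budget or (not out and not data):
            break  # over budget, or truncated stream
    return total


def audit(raw, budget=1_000_000):
    """Return (name, declared, actual, verdict) for each deflated member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_DEFLATED:
                continue
            actual = inflate_count(raw, info, budget)
            if actual > budget:
                verdict = "over-budget"
            elif actual != info.file_size:
                verdict = "size-mismatch"
            else:
                verdict = "ok"
            findings.append((info.filename, info.file_size, actual, verdict))
    return findings
```

The budget bounds the work done per member, so the check stops early instead of fully expanding an archive whose header understates its content.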