Bugtraq mailing list archives

Re: Anti Virus Mailscanners DOS


From: Piotr Klaban <makler () man torun pl>
Date: Tue, 26 Feb 2002 10:15:20 +0100

Hi,

The mail scanning DOS problem is well known. There is a file called 42.zip,
a 4MB zip file that unpacks to 4GB of zeroes:
 -rw-r--r--   1 user    group    4168266 Mar 28  2000 page 2.zip
 % unzip -l 'page 2.zip'
   Archive:  page 2.zip
     Length    Date    Time    Name
     ------    ----    ----    ----
 4294967295  03-28-00  18:03   0.dll
     ------                    -------
 4294967295                    1 file

A quick look in Google and here it is:

* http://www.lugbe.ch/mail/archiv/lugbe/msg00327.html
  - the page with link to 42.zip

* http://www.corpit.ru/pipermail/avcheck/2001-August/000110.html
  - some thoughts of mail scanning DOS problem

* http://archives.neohapsis.com/archives/bugtraq/2001-07/0206.html
  - other problems with archivers - directory traversal and path globbing

* http://archives.neohapsis.com/archives/bugtraq/2001-07/0232.html
  - special devices in archive files

On Mon, Feb 25, 2002 at 04:29:02PM -0300, Eduardo R. Maciel wrote:
> An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc, BEFORE
> opening the file for scanning.
I think it's very hard to check the original size of a *.bz2 file.

> All the products that don't do that checking are vulnerable to a Denial of Service attack.
Yes, indeed. The mail virus scanners that I have tested in the past (DrWeb and AVP)
do recognize 42.zip as a mailbomb, or something similar.

> Pay attention to the procedure below:
> [...]
> root@maciel:/tmp# bzip2 -z file
> root@maciel:/tmp# ls -l /tmp/file.bz2
> rw-r--r--     1 root  root    113 Feb 24 22:14 file
                                                     ^^^^ (.bz2 is missing? ;-)
> Solution
> ========
>       The mailscanner should check the filesizes inside a compressed file.

Even if there were an index or some number describing the contents
and original size of a compressed archive, the mailscanner should not trust it
- an attacker could possibly change such a value easily.

I know one commercial mail virus scanner that has a "maximum compression ratio" parameter.
If any archive has a higher compression ratio than e.g. 1:5, it stops the unpacking process.

> Sending several mails with these compressed files may let a machine run out of memory or disk space.

It depends on the scanning method. Some virus checkers have builtin MIME/archive
unpacking code, and check such a mailbomb in memory, dividing it into pieces.
Then it would just take more minutes to scan such a mail.

I agree that "simple" unzip and bunzip2 programs that are used with mail scanners
could block your partition. It seems that it is better to check messages on the fly, in memory.

Regards,

-- 
Piotr Klaban

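As an added illustration of the checks discussed in this thread (not code from either poster): a small Python scanner that inflates each zip member in bounded chunks, ignores the untrusted size field in the archive's directory, and stops on a byte budget or on a compression-ratio cap like the 1:5 one mentioned above. The archive contents, member names and limits are constructed for the example.

```python
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed test archive: one highly compressible member (1 MiB of
    zeroes, a scaled-down 42.zip) and one ordinary text attachment.
    Member names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("0.dll", b"\0" * (1 << 20))
        zf.writestr("readme.txt", b"Quarterly report attached; totals on page 2.\n")
    return buf.getvalue()


def scan_member(zf, info, max_ratio=5, max_bytes=50 * 1024 * 1024, chunk=64 * 1024):
    """Inflate one member chunk by chunk and count the bytes actually produced.
    info.file_size (the size the archive claims) is deliberately not used:
    an attacker controls that field. The ratio is measured against the
    compressed size on bytes really emitted so far, so a bomb is rejected
    after the first chunk instead of after filling memory or disk."""
    produced = 0
    with zf.open(info) as member:
        while True:
            piece = member.read(chunk)  # bounded inflate, never whole file
            if not piece:
                break
            produced += len(piece)
            if produced > max_bytes:
                return ("reject", "size limit", produced)
            if info.compress_size and produced > max_ratio * info.compress_size:
                return ("reject", "compression ratio", produced)
    return ("ok", None, produced)


def scan_archive(data: bytes, **limits) -> dict:
    """Return {member name: (verdict, reason, bytes inflated)} for a zip blob."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            results[info.filename] = scan_member(zf, info, **limits)
    return results


if __name__ == "__main__":
    for name, verdict in scan_archive(build_sample_zip()).items():
        print(name, verdict)
```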
