Bugtraq mailing list archives
Re: Anti Virus Mailscanners DOS
From: Piotr Klaban <makler () man torun pl>
Date: Tue, 26 Feb 2002 10:15:20 +0100
Hi,

The mail scanning DOS problem is well known. There is a file called 42.zip, that has a 4MB zip packed file with 4GB of zeroes:

-rw-r--r-- 1 user group 4168266 Mar 28 2000 page 2.zip
% unzip -l 'page 2.zip'
Archive: page 2.zip
Length Date Time Name
------ ---- ---- ----
4294967295 03-28-00 18:03 0.dll
------ -------
4294967295 1 file

Quick look into the google and here it is:
* http://www.lugbe.ch/mail/archiv/lugbe/msg00327.html - the page with link to 42.zip
* http://www.corpit.ru/pipermail/avcheck/2001-August/000110.html - some thoughts of mail scanning DOS problem
* http://archives.neohapsis.com/archives/bugtraq/2001-07/0206.html - other problems with archivers - directory traversal and path globbing
* http://archives.neohapsis.com/archives/bugtraq/2001-07/0232.html - special devices in archive files

On Mon, Feb 25, 2002 at 04:29:02PM -0300, Eduardo R. Maciel wrote:
> An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc, BEFORE opening the file for scanning.
I think it's very hard to check the original size of *.bz2 file.
> All the products that don't do that checking are vulnerable to a Denial Of Service attack.
Yes, indeed. The mail virus scanners that I have tested in the past (DrWeb and AVP) do recognize 42.zip as a mailbomb, or something similar.
> Pay attention to the procedure below:
[...]
> root@maciel:/tmp# bzip2 -z file
> root@maciel:/tmp# ls -l /tmp/file.bz2
> rw-r--r-- 1 root root 113 Feb 24 22:14 file
                                         ^^^^ (.bz2 is missing? ;-)
> Solution
> ========
> The mailscanner should check the filesizes inside a compressed file.
Even if there would be any index or any number describing the contents and original size of compressed archive, mailscanner should not trust it - an attacker could possibly change such a value easily. I know one commercial mail-virus-scanner, that has a "maximum compression ratio" parameter. If any archive has a higher compression ratio than e.g. 1:5, it stops the unpacking process.
> Sending several mails with these compressed files may let a machine out of memory or disk space.
It depends on the scanning method. Some virus checkers have built-in MIME/archive unpacking code, and check such a mailbomb in memory, dividing it into pieces. Then it would just take more minutes to scan such a mail. I agree that "simple" unzip, bunzip2 programs that are used with mail scanners could block your partition. It seems that it is better to check messages on the fly, in memory.

Regards,
--
Piotr Klaban
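
The approach discussed in this message (unpack in memory in pieces, ignore any declared size, stop on a maximum compression ratio) can be sketched as follows. This is an added example, not code from the thread or from any scanner named in it; the function names, the `scan` callback and the limits (50 MiB, ratio 100) are assumptions chosen for illustration.

```python
import bz2
import io
import zipfile

CHUNK = 64 * 1024  # upper bound on output produced per step


class ArchiveBomb(Exception):
    """Output exceeded the absolute limit or the compression-ratio limit."""


def _check(total, packed_len, max_bytes, max_ratio):
    # Both limits apply to bytes actually produced, never to a declared size.
    if total > max_bytes or total > packed_len * max_ratio:
        raise ArchiveBomb(f"{total} bytes unpacked from {packed_len}")


def scan_bz2(data, scan, max_bytes=50 * 2**20, max_ratio=100):
    """Decompress bz2 data piecewise in memory, handing each piece to scan()."""
    dec, total, pos = bz2.BZ2Decompressor(), 0, 0
    while not dec.eof:
        feed = b""
        if dec.needs_input:
            feed = data[pos:pos + CHUNK]
            pos += len(feed)
            if not feed:
                break  # truncated stream: nothing more to unpack
        piece = dec.decompress(feed, max_length=CHUNK)
        total += len(piece)
        _check(total, len(data), max_bytes, max_ratio)
        scan(piece)
    return total


def scan_zip(data, scan, max_bytes=50 * 2**20, max_ratio=100):
    """Apply the same limits across all members of an in-memory zip archive."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while piece := member.read(CHUNK):
                    total += len(piece)
                    _check(total, len(data), max_bytes, max_ratio)
                    scan(piece)
    return total
```

Memory use stays bounded by `CHUNK` per step, and nothing is written to disk, so a rejected attachment costs neither partition space nor more than a few decompression steps.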