Bugtraq mailing list archives
Re: Decompression Bombs
From: Brian Dessent <brian () dessent net>
Date: Mon, 09 Feb 2004 08:44:53 -0800
Myron Davis wrote:
This as far as I know is fairly well known as we had a problem with this a while back (by accident). We put a little check in like this: unzip -l $SANITIZED_ZIP_FILE|tail -n 1|cut -f4 -d' ' then checked the size .. if it was larger than oohh.. 400 megs, then drop it w/ an error for it being too large.
This check will fail for all but the most naive of bombs. For example, consider the file located at <http://www.unforgettable.dk/42.zip>. This file contains a number of recursively nested ZIP files, to a depth of 5. Compressed it is only 41kB, yet unpacks to 4.5 PB (4,503,599,626,321,920 bytes) in total.

    $ unzip -l 42.zip
    Archive:  42.zip
      Length     Date   Time    Name
     --------    ----   ----    ----
        34902  03-28-00 21:40   lib 3.zip
        34902  03-28-00 21:40   lib 1.zip
        34902  03-28-00 21:40   lib 2.zip
        34902  03-28-00 21:40   lib 0.zip
        34902  03-28-00 21:40   lib 4.zip
        34902  03-28-00 21:40   lib 5.zip
        34902  03-28-00 21:40   lib 6.zip
        34902  03-28-00 21:40   lib 7.zip
        34902  03-28-00 21:40   lib 8.zip
        34902  03-28-00 21:40   lib 9.zip
        34902  03-28-00 21:40   lib a.zip
        34902  03-28-00 21:40   lib b.zip
        34902  03-28-00 21:40   lib c.zip
        34902  03-28-00 21:40   lib d.zip
        34902  03-28-00 21:40   lib e.zip
        34902  03-28-00 21:40   lib f.zip
     --------                   -------
       558432                   16 files

Your virus scanner will probably try to descend each of those archives, and will croak if it does not recognise this as malware.

Brian
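The kind of bounded check Brian's point calls for, added here as an illustration and not code from the thread: it walks nested archives in memory using only the declared sizes, and stops at limits on nesting depth, cumulative declared size, and per-member compression ratio. The limit values and the make_zip helper are assumptions chosen for the example.

```python
import io
import zipfile


def make_zip(members):
    """Build a small in-memory zip from {name: bytes} (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inspect_zip(data, depth=0, total=0, max_depth=3,
                max_total=10 * 1024 * 1024, max_ratio=100):
    """Return (ok, reason, declared_bytes) for an archive held in memory.

    Nothing is written to disk; nested .zip members are opened from the
    parent and checked recursively. Limit values are illustrative defaults.
    """
    if depth > max_depth:
        return False, f"nesting deeper than {max_depth} levels", total
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"not a valid zip: {exc}", total
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Budget is enforced on the declared size before any member is read.
            total += info.file_size
            if total > max_total:
                return False, f"declared size exceeds {max_total} bytes at {info.filename!r}", total
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                return False, f"compression ratio too high for {info.filename!r}", total
            if info.filename.lower().endswith(".zip"):
                # Read at most the declared size plus one byte, so a header that
                # lies about the member's size cannot pull in more than budgeted.
                with zf.open(info) as member:
                    inner = member.read(info.file_size + 1)
                if len(inner) > info.file_size:
                    return False, f"member {info.filename!r} larger than declared", total
                ok, reason, total = inspect_zip(inner, depth + 1, total,
                                                max_depth, max_total, max_ratio)
                if not ok:
                    return False, reason, total
    return True, "ok", total
```

The declared sizes are the only thing a listing-based check like `unzip -l` sees, so the depth and cumulative limits are what turn a flat size check into one that survives nesting.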
Current thread:
- Decompression Bombs Matthias Leu (Feb 03)
- <Possible follow-ups>
- RE: Decompression Bombs David Bachtel (Feb 06)
- RE: Decompression Bombs Myron Davis (Feb 09)
- Re: Decompression Bombs Brian Dessent (Feb 09)
- Re: Decompression Bombs Myron Davis (Feb 11)
- Re: Decompression Bombs Chris Green (Feb 09)
- RE: Decompression Bombs Myron Davis (Feb 09)
- RE: Decompression Bombs SBNelson (Feb 09)
- Re: Decompression Bombs Bipin Gautam . (Feb 11)