Vulnerability Development mailing list archives
Antivirus scanner DoS with zip archives
From: Michel Arboi <arboi () yahoo com>
Date: Mon, 18 Jun 2001 00:11:00 +0200 (CEST)
Some time ago, MimeSweeper could be killed in a rather simple way:
Compress with zip a 1 GB file filled with zeros, and attach the 1MB (*)
result to an e-mail. MimeSweeper tried to allocate 1 GB of memory and
died.
(*) The maximum compressing ratio with the Zip algorithm is ~ 1:1000
This bug is supposed to be fixed in the last versions (I did not
check).
********
Instead of trying to eat all the memory, we could try to eat the CPU
like this:
Take some file _small_ file "A" and compress into A.zip
Copy (or rather link) 100 times A.zip to A1.zip .. A99.zip
Compress all those files into B.zip.
B.zip will be much bigger than A.zip, but can be compressed (if A is
too big, the Zip algorithm cannot find similar substrings and fails to
compress B)
Copy (or link) B.zip to B1 .. B99.zip
Archive them to C.zip (not so big)
C.zip -> C1 .. C99 => D.zip
Now, D.zip contains 1000000 files, which is probably enough to keep any
antivirus scanner busy for a loooooong time.
I tried with winver.exe as my input file, the D.zip archive is about
600 KB -- not that big.
********
A variant would be to use a viral code as the "A" file, triggering 1
million of alarms, filling the logs, the administration console, etc.
:)
********
Another idea would be to take a huge redundant file as A (let's say 2
GB of zeros), and compress it (so A.zip is 2 MB, and still redundant).
B.zip would be about 500 KB, C.zip roughly the same size, and D.zip 650
KB.
If the scanner read the whole file, it has to uncompress and swallow
about 2 Petabytes!!
Considering the memory bandwidth now, I am afraid it will be even
longer than the previous attack
********
Countermeasures?
I am not sure that those attacks work (I just tried on my personal AV
at home). However, I'd suggest to forbid archives inside archives (or
not more than 1 level?!), or limit the global number & size of the
files inside.
A simple way to reject such things could be to set a timeout on the
scanning operation. If it takes too long, the file, attachment, web
page, whatever, is just rejected.
I'd appreciate comments on this weird idea...
___________________________________________________________
Do You Yahoo!? -- Pour faire vos courses sur le Net,
Yahoo! Shopping : http://fr.shopping.yahoo.com
Current thread:
- Antivirus scanner DoS with zip archives Michel Arboi (Jun 18)
- RE: Antivirus scanner DoS with zip archives Damage (Jun 18)
- RE: Antivirus scanner DoS with zip archives Michel Arboi (Jun 19)
- Re: Antivirus scanner DoS with zip archives Ron DuFresne (Jun 18)
- Re: Antivirus scanner DoS with zip archives Markus 'FvD' Weber (Jun 19)
- Re: Antivirus scanner DoS with zip archives Michel Arboi (Jun 20)
- Re: Antivirus scanner DoS with zip archives Robert Davidson Security (Jun 21)
- Re: Antivirus scanner DoS with zip archives Aycan Irican (Jun 23)
- Re: Antivirus scanner DoS with zip archives bill_weiss (Jun 24)
- Re: Antivirus scanner DoS with zip archives Aycan Irican (Jun 24)
- Re: Antivirus scanner DoS with zip archives Markus 'FvD' Weber (Jun 19)
- RE: Antivirus scanner DoS with zip archives Damage (Jun 18)