[24423] in bugtraq
Re: Anti Virus Mailscanners DOS
daemon@ATHENA.MIT.EDU (Piotr Klaban)
Tue Feb 26 18:45:20 2002
Date: Tue, 26 Feb 2002 10:15:20 +0100
From: Piotr Klaban <makler@man.torun.pl>
To: bugtraq@securityfocus.com
Message-ID: <20020226091520.GK931@oryl.man.torun.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020225162902.2279bf0d.maciel@inetd.com.br>
Hi,
The mail scanning DOS problem is well known. There is a file called 42.zip,
a 4MB zip archive that contains a packed file of 4GB of zeroes:
-rw-r--r-- 1 user group 4168266 Mar 28 2000 page 2.zip
% unzip -l 'page 2.zip'
Archive: page 2.zip
Length Date Time Name
------ ---- ---- ----
4294967295 03-28-00 18:03 0.dll
------ -------
4294967295 1 file
A quick look at Google and here it is:
* http://www.lugbe.ch/mail/archiv/lugbe/msg00327.html
- the page with link to 42.zip
* http://www.corpit.ru/pipermail/avcheck/2001-August/000110.html
- some thoughts of mail scanning DOS problem
* http://archives.neohapsis.com/archives/bugtraq/2001-07/0206.html
- other problems with archivers - directory traversal and path globbing
* http://archives.neohapsis.com/archives/bugtraq/2001-07/0232.html
- special devices in archive files
On Mon, Feb 25, 2002 at 04:29:02PM -0300, Eduardo R. Maciel wrote:
> An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc, BEFORE open the file for scanning.
I think it's very hard to check the original size of a *.bz2 file.
> All the products that don't do that checking are vulnerable to a Denial Of Service attack.
Yes, indeed. The mail virus scanners that I have tested in the past (DrWeb and AVP)
do recognize 42.zip as a mailbomb, or something similar.
> Pay attention to the procedure below:
[...]
> root@maciel:/tmp# bzip2 -z file
> root@maciel:/tmp# ls -l /tmp/file.bz2
> rw-r--r-- 1 root root 113 Feb 24 22:14 file
^^^^ (.bz2 is missing? ;-)
> Solution
> ========
> The mailscanner should check the filesizes inside a compressed file.
Even if there were an index or a number describing the contents
and original size of a compressed archive, the mailscanner should not trust it
- an attacker could easily change such a value.
I know one commercial mail virus scanner that has a "maximum compression ratio" parameter.
If any archive has a higher compression ratio than, e.g., 1:5, it stops the unpacking process.
> Sending several mails with these compressed files may let a machine out of memory or disk space.
It depends on the scanning method. Some virus checkers have built-in MIME/archive
unpacking code, and check such a mailbomb in memory, dividing it into pieces.
Then it would just take more minutes to scan such a mail.
I agree that "simple" unzip and bunzip2 programs that are used with mail scanners
could block your partition. It seems that it is better to check messages on the fly, in memory.
Regards,
--
Piotr Klaban