[24474] in bugtraq
Re: Anti Virus Mailscanners DOS
daemon@ATHENA.MIT.EDU (Lars Hecking)
Fri Mar 1 02:12:06 2002
Date: Wed, 27 Feb 2002 10:53:05 +0000
From: Lars Hecking <lhecking@nmrc.ie>
To: bugtraq@securityfocus.com
Message-ID: <20020227105305.GD23514@nmrc.ie>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020226091520.GK931@oryl.man.torun.pl>
> I know one commercial mail-virus-scanner, that has a "maximum compression ratio" parameter.
> If any archive has higher compression ratio than e.g. 1:5, it stops the unpacking process.
The current snapshot release of amavisd *1 has three different mechanisms
to escape such a mailbomb scenario:
- a configurable compression rate like the one you describe above
- a configurable limit for the total number of extracted files
- a configurable limit for the nesting level of archives (any compression
format that amavis supports)
Of course, all this is no help with the scenario originally posted, one
single, highly compressed file, and the code is commented accordingly.
> I agree that "simple" unzip, bunzip2 programs that are used with mail scanners
> could block your partition. It seems that it is better to check messages on the fly, in memory.
[Sophos sweep does it this way, neatly.]
But in general, you cannot rely on the virus scanner. Most command line
scanners don't know MIME at all.
Secondly, if you take e.g. the previously mentioned 42.zip and compress it
in a format your virus scanner does not understand, even the most cunning
.zip extraction routine won't help.
The German computer magazine iX *2 was recently *3 testing commercial
antivirus products for email environments with a permutation of
MIME/base64/uu encoded files containing different types of archives,
and many scanners just couldn't deal with it. Some don't know what
to do with base64/uu, while others lack support for common compression
formats. (Translated) Quote: "Out of 1245 infected test emails, $PRODUCT
only allowed 463 through, not a bad rate." No comment.
Unfortunately, DoS attacks were only covered briefly, but other weaknesses
were exposed (SMTP based mail gateway acting as open relay etc.).
*1 http://www.amavis.org/contrib/
*2 http://www.heise.de/ix/
*3 iX 02/2002, not available online
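The three amavisd limits listed in the message (compression ratio, total entry count, nesting level), applied to a zip attachment in memory before anything is extracted, as an added example that is my own code and not amavisd's; the limit values, function names and sample archives are assumptions.

```python
import io
import zipfile

# Assumed limits (not amavisd's defaults); the ratio mirrors the "1:5" quoted above.
MAX_RATIO = 5.0   # uncompressed bytes per compressed byte
MAX_FILES = 100   # entries counted across all nesting levels
MAX_DEPTH = 3     # archives nested inside archives

def inspect_zip(data, depth=0, counter=None):
    """Walk an in-memory zip; raise ValueError at the first exceeded limit."""
    counter = counter if counter is not None else {"files": 0}
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            counter["files"] += 1
            if counter["files"] > MAX_FILES:
                raise ValueError(f"more than {MAX_FILES} entries")
            # Sizes come from the central directory: the ratio is known before inflating.
            compressed = max(info.compress_size, 1)
            if info.file_size / compressed > MAX_RATIO:
                raise ValueError(f"{info.filename}: ratio {info.file_size // compressed}:1")
            if info.filename.lower().endswith(".zip"):
                # Headers are not trusted: nested archives are inflated under a hard byte cap.
                inner = bounded_read(zf, info, int(compressed * MAX_RATIO))
                inspect_zip(inner, depth + 1, counter)
    return counter["files"]

def bounded_read(zf, info, limit, chunk=65536):
    out = bytearray()
    with zf.open(info) as fh:
        while piece := fh.read(chunk):
            out += piece
            if len(out) > limit:
                raise ValueError(f"{info.filename}: inflates past {limit} bytes")
    return bytes(out)

def verdict(data):
    """Scanner-style decision string: 'ok: N entries' or 'rejected: reason'."""
    try:
        return f"ok: {inspect_zip(data)} entries"
    except (ValueError, zipfile.BadZipFile) as exc:
        return f"rejected: {exc}"

def make_zip(entries):  # constructed test archives, not real mail attachments
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

As the message notes, this only covers formats the checker understands: an archive in a format it cannot open is simply rejected as unreadable, and a single highly compressed file is caught only by the ratio check.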