[24478] in bugtraq
Re: Anti Virus Mailscanners DOS
daemon@ATHENA.MIT.EDU (Kragen Sitaker)
Fri Mar 1 03:10:54 2002
From: kragen@pobox.com (Kragen Sitaker)
To: bugtraq@securityfocus.com
Message-Id: <20020226215229.987FBBDC1@panacea.canonical.org>
Date: Tue, 26 Feb 2002 16:52:29 -0500 (EST)
David Skoll writes:
> In general, you cannot check the size of compressed files without
> uncompressing. For example, with a tar.gz, you have to uncompress
> the whole thing.
No you don't. Assuming GNU head:
gzip -dc foo.tar.gz | head --bytes=10m | tar xvf -
The equivalent for a zip file might be more difficult, but not much.
> ...
> So because you can get around scanners which limit the size of the
> scan, and you can DoS scanners which do not limit the size, you might
> as well not bother scanning compressed or archived files at all, except
> under manual control.
Or you can implicitly deny anything that is not explicitly allowed,
i.e. bounce the mail if it chokes your virus scanner.
--
/* By Kragen Sitaker, http://pobox.com/~kragen/puzzle2.html */
char a[99]=" KJ",d[999][16];main(){int s=socket(2,1,0),n=0,z,l,i;*(short*)a=2;
if(!bind(s,a,16))for(;;){z=16;if((l=recvfrom(s,a,99,0,d[n],&z))>0){for(i=0;i&n;
i++){z=(memcmp(d[i],d[n],8))?z:0;while(sendto(s,a,l,0,d[i],16)&0);}z?n++:0;}}}
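The bounded pipeline and the deny-by-default policy from the message above, worked through as an added example (this is not code from Kragen's post). It assumes gzip, tar, dd, mktemp and a head that accepts -c (GNU and BSD both do; the --bytes=10m spelling in the post is GNU-only). The function names and the 1 MiB all-zero payload are constructed for illustration; the payload is a decompression bomb in miniature, since gzip shrinks it to about 1 KiB.

```shell
#!/bin/sh
# Added example, not code from the original post. It caps how many
# decompressed bytes a gzip stream may produce before tar (or a scanner) sees
# them, and treats "over the cap" as a reason to bounce rather than a reason
# to keep uncompressing.

# Constructed sample: 1 MiB of zeros inside a tar.gz. Prints the archive path.
make_sample() {
  dir=$(mktemp -d)
  dd if=/dev/zero of="$dir/payload.bin" bs=1024 count=1024 2>/dev/null
  tar -C "$dir" -czf "$dir/sample.tar.gz" payload.bin
  printf '%s\n' "$dir/sample.tar.gz"
}

# Exit 0 only if ARCHIVE inflates to at most CAP bytes. head -c reads CAP+1
# bytes and then closes the pipe, so gzip dies with SIGPIPE and never inflates
# the rest, however large the archive really is. Only the compressed input is
# read in full, which the scanner already had to do to receive the mail.
within_cap() {
  archive=$1; cap=$2
  n=$(gzip -dc "$archive" 2>/dev/null | head -c $((cap + 1)) | wc -c | tr -d ' ')
  [ "$n" -le "$cap" ]
}

# Deny by default: accept (exit 0) only if the archive is within the cap AND
# tar can list it; anything else is a bounce (exit 1). The listing pass is fed
# through head -c as well, so it cannot be turned into the bomb either.
scan_or_bounce() {
  archive=$1; cap=$2
  within_cap "$archive" "$cap" || return 1
  gzip -dc "$archive" 2>/dev/null | head -c "$cap" | tar -tf - >/dev/null 2>&1
}

# The post's own pipeline with a destination directory: extract at most CAP
# decompressed bytes of ARCHIVE into DEST. A truncated stream makes tar fail,
# which is the desired outcome for an over-sized archive.
bounded_extract() {
  archive=$1; cap=$2; dest=$3
  mkdir -p "$dest"
  gzip -dc "$archive" 2>/dev/null | head -c "$cap" | tar -C "$dest" -xf -
}

# Stand-alone demonstration: a 2 MiB cap admits the sample, a 100 KiB cap
# bounces it, and the bounded extraction recovers the payload.
SAMPLE=$(make_sample)
for cap in 2097152 102400; do
  if scan_or_bounce "$SAMPLE" "$cap"; then
    echo "cap=$cap: accept"
  else
    echo "cap=$cap: bounce"
  fi
done
bounded_extract "$SAMPLE" 2097152 "$(dirname "$SAMPLE")/out"
ls -l "$(dirname "$SAMPLE")/out"
rm -rf "$(dirname "$SAMPLE")"
```

The cap must be applied to the decompressed stream, not to sizes the archive claims about itself: a zip's central directory records an uncompressed size for each member, but that field is written by whoever built the archive, so for zip the same head -c guard belongs on the output of unzip -p rather than on the numbers unzip -l prints.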