[33052] in bugtraq
bzip2 bombs still causes problems in antivirus-software
daemon@ATHENA.MIT.EDU (Dr. Peter Bieringer)
Fri Jan 9 15:02:19 2004
Date: Fri, 09 Jan 2004 18:37:52 +0100
From: "Dr. Peter Bieringer" <pbieringer@aerasec.de>
To: "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>,
"bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Message-ID: <31689056.1073673472@[10.3.62.6]>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Hi,
sure you remember the e-mail from Steve Wray in August 2003 about bzip2
bombs and the possible DoS against antivirus-software:
http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html
We found that this is still an issue, especially we found that one vendor
detects bzip2 bombs by pattern (2 GB of zeros are detected, but not 2 GB of
e.g. 0x31).
Also others will neither detect the bomb, nor stopping decompression, looks
like they missing smart code for anomaly detection and/or proper limits and
eat all existing disk space and CPU power instead of reporting a problem.
Namely we confirm this issue still exists on:
* kavscanner of
Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.5)
* vscan of
Trend Micro InterScan VirusWall 3.8 Build 1130
* uvscan of
McAfee Virus Scan for Linux v4.16.0
Probably other versions and products are vulnerable, too.
Full advisory is available here:
http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt
Hope this helps to bring this issue up again on software vendors to
implement more smarter anomaly detection code and configurable limits
(number of files, max size) in the decompression unit.
Regards,
Dr. Peter Bieringer
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@aerasec.de
Germany Internet: http://www.aerasec.de
