[33403] in bugtraq
Decompression Bombs
daemon@ATHENA.MIT.EDU (Matthias Leu)
Wed Feb 4 07:05:06 2004
Message-ID: <401FD489.8070602@aerasec.de>
Date: Tue, 03 Feb 2004 18:04:09 +0100
From: Matthias Leu <mleu@aerasec.de>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
As a followup to http://www.securityfocus.com/bid/9393/, where we
pointed out vulnerabilities of some antivirus-gateways while
decompressing bzip2-bombs, we were interested in the behaviour of
various applications that process compressed data.
It looks as if not only bzip2 bombs, but also decompression bombs in
general might cause problems. Compression is used in many applications,
but hardly any maximum size limits are checked during the decompression
of untrusted content.
We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png
and gif graphics, openoffice zip bombs). With these we tested some more
applications like additional antivirus engines, various web browsers,
openoffice.org, and the Gimp.
As a result, much more applications as we thought crashed. The
manufacturers of software should care more about the processing of
untrusted input.
For details see our full advisory, written by Dr. Peter Bieringer:
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
Best regards,
Dr. Matthias Leu
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
