bzip2 bombs still causes problems in antivirus-software

To: "full-disclosure@xxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: bzip2 bombs still causes problems in antivirus-software
From: "Dr. Peter Bieringer" <pbieringer@xxxxxxxxxx>
Date: Fri, 09 Jan 2004 18:37:52 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: AERAsec Network Services and Security GmbH

Hi,

sure you remember the e-mail from Steve Wray in August 2003 about bzip2bombs and the possible DoS against antivirus-software:

http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html

We found that this is still an issue, especially we found that one vendordetects bzip2 bombs by pattern (2 GB of zeros are detected, but not 2 GB ofe.g. 0x31).

Also others will neither detect the bomb, nor stopping decompression, lookslike they missing smart code for anomaly detection and/or proper limits andeat all existing disk space and CPU power instead of reporting a problem.



Namely we confirm this issue still exists on:

* kavscanner of
  Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.5)
* vscan of
  Trend Micro InterScan VirusWall 3.8 Build 1130
* uvscan of
  McAfee Virus Scan for Linux v4.16.0


Probably other versions and products are vulnerable, too.


Full advisory is available here:

http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt

Hope this helps to bring this issue up again on software vendors toimplement more smarter anomaly detection code and configurable limits(number of files, max size) in the decompression unit.



Regards,
        Dr. Peter Bieringer
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@xxxxxxxxxx
Germany                                Internet: http://www.aerasec.de

Prev by Date: Windows FTP Server Format String Vulnerability
Next by Date: [SECURITY] [DSA 420-1] New jitterbug packages fix arbitrary command execution
Previous by thread: Windows FTP Server Format String Vulnerability
Next by thread: [SECURITY] [DSA 420-1] New jitterbug packages fix arbitrary command execution
Index(es):
- Date
- Thread