Decompression Bombs

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Decompression Bombs
From: Matthias Leu <mleu@xxxxxxxxxx>
Date: Tue, 03 Feb 2004 18:04:09 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: AERAsec Network Services and Security GmbH
User-agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.5) Gecko/20031007

As a followup to http://www.securityfocus.com/bid/9393/, where wepointed out vulnerabilities of some antivirus-gateways whiledecompressing bzip2-bombs, we were interested in the behaviour ofvarious applications that process compressed data.

It looks as if not only bzip2 bombs, but also decompression bombs ingeneral might cause problems. Compression is used in many applications,but hardly any maximum size limits are checked during the decompressionof untrusted content.

We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, pngand gif graphics, openoffice zip bombs). With these we tested some moreapplications like additional antivirus engines, various web browsers,openoffice.org, and the Gimp.

As a result, much more applications as we thought crashed. Themanufacturers of software should care more about the processing ofuntrusted input.

For details see our full advisory, written by Dr. Peter Bieringer:http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html


Best regards,
Dr. Matthias Leu
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de

Prev by Date: Re: RFC: virus handling
Next by Date: Re: RFC: virus handling
Previous by thread: Sandblad #12: Inject javascript url in history list (revisited)
Next by thread: RE: Decompression Bombs
Index(es):
- Date
- Thread