
RE: Decompression Bombs



This, as far as I know, is fairly well known, as we had a problem with this a
while back (by accident).

We put a little check in like this:

# The last line of `unzip -l` is the totals line; its first field is the total
# uncompressed size in bytes (cut -d' ' breaks on the variable run of spaces).
unzip -l "$SANITIZED_ZIP_FILE" | tail -n 1 | awk '{print $1}'

then checked the size .. if it was larger than, oohh.. 400 megs, then drop
it with an error for it being too large.

easy way to generate a large zip file is to do something like this:

# 10000 x 512-byte blocks = 5 MB of zeros (raise bs= for a bigger bomb);
# gzip replaces testfile with testfile.gz, so list that name afterwards.
dd if=/dev/zero of=testfile count=10000 && gzip testfile && ls -la testfile.gz

You should get a huge file to test with mighty quickly; try sending that to a few
virus scanners.

Theoretically one could modify a worm to send random zipped files of zeros
along the way to different hosts to really kill the destination
computers.

-Myron


> Wow, this is a very interesting concept. Any vendor that relies on any
> decompression library could be vulnerable. Anything from something like
> Photoshop to IE to virus scanners.
>
> The example files given on the website seem to require a password.  Can
> you provide it?
>
> Nice work and thanks!
>
> Dave Bachtel
> IT Intern
> RealTime Gaming
> Atlanta, GA - USA
> 404-459-4263 x139
>
>
> -----Original Message-----
> From: Matthias Leu [mailto:mleu@xxxxxxxxxx]
> Sent: Tuesday, February 03, 2004 12:04 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Decompression Bombs
>
>
> As a followup to http://www.securityfocus.com/bid/9393/, where we
> pointed out vulnerabilities of some antivirus-gateways while
> decompressing bzip2-bombs, we were interested in the behaviour of
> various applications that process compressed data.
>
> It looks as if not only bzip2 bombs, but also decompression bombs in
> general might cause problems. Compression is used in many applications,
> but hardly any maximum size limits are checked during the decompression
> of untrusted content.
>
> We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png
> and gif graphics, openoffice zip bombs). With these we tested some more
> applications like additional antivirus engines, various web browsers,
> openoffice.org, and the Gimp.
>
> As a result, many more applications than we expected crashed. The
> manufacturers of software should care more about the processing of
> untrusted input.
>
> For details see our full advisory, written by Dr. Peter Bieringer:
> http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
>
> Best regards,
> Dr. Matthias Leu
> --
> AERAsec Network Services and Security GmbH
> Wagenberger Strasse 1
> D-85662 Hohenbrunn, Germany
> http://www.aerasec.de
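Both the pre-extraction size check Myron describes and the advisory's point that decompression of untrusted content needs a maximum size, as an added Python example that is not code from anyone in this thread. The zip check reads the sizes the central directory claims (the same figure `unzip -l` prints), but those sizes are attacker-controlled, so the second function streams gzip, zlib or bzip2 data through a decompressor and aborts the moment output exceeds the cap, regardless of what any header says. MAX_BYTES is an assumed policy limit picked to match the ~400 MB figure above; the helper names and the in-memory test bombs (the dd/gzip trick done with zlib) are constructed for this example.

```python
"""Guards against decompression bombs (added example, not code from the thread).

  zip_declared_size() / check_zip() : the pre-extraction check Myron describes,
      taken from the zip central directory instead of parsing `unzip -l` output.
      The sizes there are attacker-controlled, so this is only a cheap filter.
  bounded_decompress() : stream-decompress gzip, zlib or bzip2 data with a hard
      cap on output bytes, so a lying header still cannot exhaust memory or disk.
  make_gzip_bomb() / make_bz2_bomb() / make_test_zip() : constructed test inputs.

MAX_BYTES is an assumed policy limit, chosen to match the ~400 MB in the thread.
"""
import bz2
import io
import zipfile
import zlib

MAX_BYTES = 400 * 1024 * 1024  # assumed limit, not a value from the thread


class DecompressionBomb(Exception):
    """Raised when data would expand beyond the configured limit."""


def make_gzip_bomb(uncompressed_size: int) -> bytes:
    """Gzip `uncompressed_size` zero bytes in memory (constructed test input)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)  # wbits 31: gzip container
    zeros = b"\0" * (1 << 20)
    out = io.BytesIO()
    remaining = uncompressed_size
    while remaining > 0:
        n = min(remaining, len(zeros))
        out.write(comp.compress(zeros[:n]))
        remaining -= n
    out.write(comp.flush())
    return out.getvalue()


def make_bz2_bomb(uncompressed_size: int) -> bytes:
    """bzip2 of zeros (constructed test input, the kind of bomb the advisory cites)."""
    return bz2.compress(b"\0" * uncompressed_size)


def make_test_zip(sizes) -> bytes:
    """Zip archive with one all-zero entry per requested size (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, size in enumerate(sizes):
            zf.writestr(f"zeros{i}.bin", b"\0" * size)
    return buf.getvalue()


def zip_declared_size(data: bytes) -> int:
    """Total uncompressed size the central directory claims for all entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def check_zip(data: bytes, limit: int = MAX_BYTES) -> int:
    """Reject the archive before extraction if its declared size exceeds limit."""
    declared = zip_declared_size(data)
    if declared > limit:
        raise DecompressionBomb(f"zip declares {declared} bytes, limit {limit}")
    return declared


def bounded_decompress(data: bytes, limit: int = MAX_BYTES, step: int = 1 << 16) -> bytes:
    """Decompress gzip/zlib/bzip2 data, aborting as soon as output exceeds limit.

    Output is pulled in `step`-byte pieces, so memory use is bounded by the
    limit rather than by whatever the stream happens to expand to."""
    if data[:3] == b"BZh":
        d = bz2.BZ2Decompressor()
        # BZ2Decompressor keeps unconsumed input itself: feed once, then drain.
        pull = lambda first: d.decompress(data if first else b"", step)
        stalled = lambda: d.needs_input
    else:
        d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # +32: auto-detect gzip/zlib
        pull = lambda first: d.decompress(data if first else d.unconsumed_tail, step)
        stalled = lambda: not d.unconsumed_tail
    out = io.BytesIO()
    total = 0
    first = True
    while not d.eof:
        piece = pull(first)
        first = False
        total += len(piece)
        if total > limit:
            raise DecompressionBomb(f"output exceeded {limit} bytes from {len(data)} input bytes")
        out.write(piece)
        if not piece and not d.eof and stalled():
            raise ValueError("truncated or corrupt stream")
    return out.getvalue()


def rejects(fn, *args, **kwargs) -> bool:
    """True if fn(*args, **kwargs) raises DecompressionBomb."""
    try:
        fn(*args, **kwargs)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    bomb = make_gzip_bomb(64 << 20)  # 64 MiB of zeros, a few tens of KB compressed
    print(f"gzip bomb: {len(bomb)} bytes compressed")
    print("rejected at a 1 MiB cap:", rejects(bounded_decompress, bomb, 1 << 20))
    big_zip = make_test_zip([64 << 20])
    print("zip declares", zip_declared_size(big_zip), "bytes;",
          "rejected:", rejects(check_zip, big_zip, 1 << 20))
```

The streaming cap is the one that actually protects a gateway: the zip pre-check saves work on honest archives, but an attacker can write any `file_size` into the central directory (and any ISIZE into a gzip trailer), so whatever finally inflates the data must count bytes as it goes.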