This as far as I know is fairly well known as we had a problem with this a while back (by accident). We put a little check in like this:

unzip -l $SANITIZED_ZIP_FILE|tail -n 1|cut -f4 -d' '

then checked the size .. if it was larger than oohh.. 400 megs, then drop it w/ an error for it being too large.

Easy way to generate a large zip file is to do something like this:

dd if=/dev/zero of=testfile count=10000&&gzip testfile&&ls -la testfile.gz

should get a huge file to test w/ mighty quickly, try sending that to a few virus scanners.

Theoretically one could modify a worm to send random zip'd files of zeros along the way to different hosts to really kill the destination computers.

-Myron

> Wow, this is a very interesting concept. Any vendor that relies on any
> decompression library could be vulnerable. Anything from something like
> Photoshop to IE to virus scanners.
>
> The example files given on the website seem to require a password. Can
> you provide it?
>
> Nice work and thanks!
>
> Dave Bachtel
> IT Intern
> RealTime Gaming
> Atlanta, GA - USA
> 404-459-4263 x139
>
> -----Original Message-----
> From: Matthias Leu [mailto:mleu@aerasec.de]
> Sent: Tuesday, February 03, 2004 12:04 PM
> To: bugtraq@securityfocus.com
> Subject: Decompression Bombs
>
> As a followup to http://www.securityfocus.com/bid/9393/, where we
> pointed out vulnerabilities of some antivirus-gateways while
> decompressing bzip2-bombs, we were interested in the behaviour of
> various applications that process compressed data.
>
> It looks as if not only bzip2 bombs, but also decompression bombs in
> general might cause problems. Compression is used in many applications,
> but hardly any maximum size limits are checked during the decompression
> of untrusted content.
>
> We've created several bombs (bzip2, gzip, zip, mime-embedded bombs, png
> and gif graphics, openoffice zip bombs). With these we tested some more
> applications like additional antivirus engines, various web browsers,
> openoffice.org, and the Gimp.
>
> As a result, many more applications than we thought crashed. The
> manufacturers of software should care more about the processing of
> untrusted input.
>
> For details see our full advisory, written by Dr. Peter Bieringer:
> http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
>
> Best regards,
> Dr. Matthias Leu
> --
> AERAsec Network Services and Security GmbH
> Wagenberger Strasse 1
> D-85662 Hohenbrunn, Germany
> http://www.aerasec.de
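A more robust form of the size check Myron describes, written here as an added example (not code from anyone in the thread): it reads the sizes the zip central directory declares, which is what `unzip -l` summarises, rejects on total size or compression ratio, and then caps the bytes actually produced while decompressing, because the declared sizes are attacker-controlled. The limits and the zeros-filled sample archive are constructed for the demonstration.

```python
"""Bounded handling of an untrusted zip: declared-size check plus a hard output cap."""
import io
import zipfile

MAX_TOTAL_BYTES = 8 * 1024 * 1024   # hypothetical policy limit (the thread used ~400 MB)
MAX_RATIO = 100                      # hypothetical uncompressed:compressed threshold

class DecompressionBomb(Exception):
    """Archive exceeds the configured size or ratio policy."""

def declared_sizes(data: bytes):
    """Total (uncompressed, compressed) bytes the central directory claims;
    this is the same information `unzip -l` prints on its summary line."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    out_bytes = sum(i.file_size for i in infos)
    in_bytes = sum(i.compress_size for i in infos) or 1   # avoid division by zero
    return out_bytes, in_bytes

def check_archive(data: bytes, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO) -> int:
    """Reject on declared sizes first (cheap), then decompress in chunks and
    abort as soon as real output exceeds the cap, since headers can lie.
    Returns the number of bytes actually produced when the archive is accepted."""
    out_bytes, in_bytes = declared_sizes(data)
    if out_bytes > max_total or out_bytes / in_bytes > max_ratio:
        raise DecompressionBomb(f"declared {out_bytes} bytes, ratio {out_bytes // in_bytes}:1")
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    produced += len(chunk)
                    if produced > max_total:
                        raise DecompressionBomb("actual output exceeds cap")
    return produced

def is_safe(data: bytes) -> bool:
    """Accept/reject wrapper for callers that do not need the byte count."""
    try:
        check_archive(data)
        return True
    except DecompressionBomb:
        return False

def make_sample_zip(payload: bytes) -> bytes:
    """Constructed sample archive; zeros give the zip analogue of `dd if=/dev/zero | gzip`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("testfile", payload)
    return buf.getvalue()
```

Both checks are needed: the declared-size pass is cheap and catches the honest case, while the chunked pass bounds what a crafted central directory can slip past it.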