Re: Anti Virus Mailscanners DOS
From: Piotr Klaban <makler () man torun pl>
Date: Tue, 26 Feb 2002 10:15:20 +0100
The mail scanning DOS problem is well known. There is a file called 42.zip,
a 4MB zip archive that unpacks to 4GB of zeroes:
-rw-r--r-- 1 user group 4168266 Mar 28 2000 page 2.zip
% unzip -l 'page 2.zip'
Archive: page 2.zip
Length Date Time Name
------ ---- ---- ----
4294967295 03-28-00 18:03 0.dll
4294967295 1 file
A quick look at Google and here it is:
- the page with link to 42.zip
- some thoughts of mail scanning DOS problem
- other problems with archivers - directory traversal and path globbing
- special devices in archive files
On Mon, Feb 25, 2002 at 04:29:02PM -0300, Eduardo R. Maciel wrote:
> An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc, BEFORE
> opening the file for scanning.
I think it's very hard to check the original size of a *.bz2 file.
> All the products that don't do that checking are vulnerable to a Denial Of Service attack.
Yes, indeed. The mail virus scanners that I have tested in the past (DrWeb and AVP)
do recognize 42.zip as a mailbomb, or something similar.
> Pay attention to the procedure below:
> root () maciel:/tmp# bzip2 -z file
> root () maciel:/tmp# ls -l /tmp/file.bz2
> rw-r--r-- 1 root root 113 Feb 24 22:14 file
^^^^ (.bz2 is missing? ;-)
> The mailscanner should check the filesizes inside a compressed file.
Even if there were an index or a number describing the contents
and original size of the compressed archive, the mailscanner should not trust it
- an attacker could change such a value easily.
I know one commercial mail-virus-scanner that has a "maximum compression ratio" parameter.
If any archive has a higher compression ratio than e.g. 1:5, it stops the unpacking process.
> Sending several mails with these compressed files may make a machine run out of memory or disk space.
It depends on the scanning method. Some virus checkers have builtin MIME/archive
unpacking code, and check such a mailbomb in memory, dividing it into pieces.
Then it would just take more minutes to scan such a mail.
I agree that "simple" unzip and bunzip2 programs that are used with mail scanners
could block your partition. It seems that it is better to check messages on the fly, in memory.
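As an added example (not code from this thread, nor from any scanner it mentions), here is the two-stage check the discussion converges on, written in Python: a cheap compression-ratio test against the sizes declared in the zip central directory, which the reply correctly treats as attacker-controlled, followed by a capped, streaming inflate that bounds memory and disk use no matter what the headers claim. The same cap is applied to a bare .bz2 stream, which carries no size index at all. The limits (5:1 ratio, 1 MiB per member), the member names and the sample archives are all constructed for this example; a forged-header archive is simulated simply by disabling the ratio stage so only the capped inflate can catch it.

```python
import bz2
import io
import os
import zipfile

# Policy knobs, constructed for this example (not values from the thread):
MAX_RATIO = 5.0            # reject when declared uncompressed/compressed size exceeds 5:1
MAX_OUTPUT = 1024 * 1024   # hard cap on bytes we are willing to produce per member
CHUNK = 64 * 1024          # decompress in 64 KiB pieces, never the whole member at once


def build_zip(name, payload):
    """Constructed test input: a single deflated member with the given payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_zip(member_size):
    """A tiny cousin of 42.zip's 0.dll: one member full of zeroes (constructed)."""
    return build_zip("0.dll", b"\0" * member_size)


def build_benign_zip(member_size):
    """Incompressible random bytes, which deflate cannot shrink (constructed)."""
    return build_zip("report.bin", os.urandom(member_size))


def build_sample_bz2(member_size):
    """A bare bzip2 stream of zeroes, with no per-member size index (constructed)."""
    return bz2.compress(b"\0" * member_size)


def declared_ratios(zip_bytes):
    """Stage 1, cheap: ratio from the sizes written in the central directory.
    These bytes are written by the sender, so passing here proves nothing;
    failing here still lets us reject without decompressing anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: i.file_size / max(i.compress_size, 1) for i in zf.infolist()}


def inflate_capped(zip_bytes, name, max_output=MAX_OUTPUT):
    """Stage 2, authoritative: stream-inflate one member and stop the moment the
    output passes the cap. Returns (bytes_produced, stopped_early).
    Memory use is bounded by CHUNK, not by whatever the member expands to."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(name) as fh:
        while True:
            piece = fh.read(CHUNK)
            if not piece:
                return produced, False
            produced += len(piece)
            if produced > max_output:
                return produced, True


def decompress_bz2_capped(data, max_output=MAX_OUTPUT):
    """Same idea for a bare .bz2 stream: feed the decompressor incrementally and
    bound each call's output with max_length, so a 4GB expansion never materialises."""
    d = bz2.BZ2Decompressor()
    produced, pos = 0, 0
    while not d.eof:
        if d.needs_input:
            if pos >= len(data):
                break                      # truncated stream: stop, do not spin
            piece, pos = data[pos:pos + CHUNK], pos + CHUNK
        else:
            piece = b""                    # drain buffered output before feeding more
        produced += len(d.decompress(piece, max_length=CHUNK))
        if produced > max_output:
            return produced, True
    return produced, False


def classify_zip(zip_bytes, max_ratio=MAX_RATIO, max_output=MAX_OUTPUT):
    """Verdict for a whole archive: 'reject-ratio', 'reject-expansion' or 'ok'."""
    for ratio in declared_ratios(zip_bytes).values():
        if ratio > max_ratio:
            return "reject-ratio"
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    for name in names:
        _, stopped = inflate_capped(zip_bytes, name, max_output)
        if stopped:
            return "reject-expansion"
    return "ok"


if __name__ == "__main__":
    bomb = build_sample_zip(2 * 1024 * 1024)
    print("zeroes :", classify_zip(bomb))                           # reject-ratio
    print("forged :", classify_zip(bomb, max_ratio=float("inf")))  # reject-expansion
    print("random :", classify_zip(build_benign_zip(64 * 1024)))    # ok
    print("bz2    :", decompress_bz2_capped(build_sample_bz2(4 * 1024 * 1024)))
```

The ratio stage is only an optimisation: an archive whose central directory has been edited to show a plausible size sails through it, which is exactly why the capped inflate is the stage that decides. Because both decompressors work in CHUNK-sized pieces, the scanner's worst case is MAX_OUTPUT plus one chunk per member, rather than the 4GB the archive would like it to write.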