Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Anti Virus Mailscanners DOS
From: kragen () pobox com (Kragen Sitaker)
Date: Tue, 26 Feb 2002 16:52:29 -0500 (EST)

David Skoll writes:
In general, you cannot check the size of compressed files without
uncompressing.  For example, with a tar.gz, you have to uncompress
the whole thing.

No you don't.  Assuming GNU head:

gzip -dc foo.tar.gz | head --bytes=10m | tar xvf -

The equivalent for a zip file might be more difficult, but not much.

...
So because you can get around scanners which limit the size of the
scan, and you can DoS scanners which do not limit the size, you might
as well not bother scanning compressed or archived files at all, except
under manual control.

Or you can implicitly deny anything that is not explicitly allowed,
i.e. bounce the mail if it chokes your virus scanner.

-- 
/* By Kragen Sitaker, http://pobox.com/~kragen/puzzle2.html */
char a[99]="  KJ",d[999][16];main(){int s=socket(2,1,0),n=0,z,l,i;*(short*)a=2;
if(!bind(s,a,16))for(;;){z=16;if((l=recvfrom(s,a,99,0,d[n],&z))>0){for(i=0;i&n;
i++){z=(memcmp(d[i],d[n],8))?z:0;while(sendto(s,a,l,0,d[i],16)&0);}z?n++:0;}}}


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]