|
Bugtraq
mailing list archives
Re: Decompression Bombs
From: Brian Dessent <brian () dessent net>
Date: Mon, 09 Feb 2004 08:44:53 -0800
Myron Davis wrote:
This as far as I know is fairly well known as we had a problem with this a
while back (by accident).
We put a little check in like this:
unzip -l $SANITIZED_ZIP_FILE|tail -n 1|cut -f4 -d' '
then checked the size .. if it was larger then oohh.. 400 megs, then drop
it w/ an error for it being too large.
This check will fail for all but the most naive of bombs. For example,
consider the file located at <http://www.unforgettable.dk/42.zip>. This
file contains a number of recursively nested ZIP files, to a depth of
5. Compressed it is only 41kB, yet unpacks to 4.5 PB
(4,503,599,626,321,920 bytes) in total.
$ unzip -l 42.zip
Archive: 42.zip
Length Date Time Name
-------- ---- ---- ----
34902 03-28-00 21:40 lib 3.zip
34902 03-28-00 21:40 lib 1.zip
34902 03-28-00 21:40 lib 2.zip
34902 03-28-00 21:40 lib 0.zip
34902 03-28-00 21:40 lib 4.zip
34902 03-28-00 21:40 lib 5.zip
34902 03-28-00 21:40 lib 6.zip
34902 03-28-00 21:40 lib 7.zip
34902 03-28-00 21:40 lib 8.zip
34902 03-28-00 21:40 lib 9.zip
34902 03-28-00 21:40 lib a.zip
34902 03-28-00 21:40 lib b.zip
34902 03-28-00 21:40 lib c.zip
34902 03-28-00 21:40 lib d.zip
34902 03-28-00 21:40 lib e.zip
34902 03-28-00 21:40 lib f.zip
-------- -------
558432 16 files
Your virus scanner will probably try to descend each of those archives,
and will croak if it does not recognise this as malware.
Brian
 By Date 
By Thread
Current thread:
|
Intro
