Bugtraq mailing list archives

Anti Virus Mailscanners DOS

From: "Eduardo R. Maciel" <maciel () inetd com br>
Date: Mon, 25 Feb 2002 16:29:02 -0300

-----------------------------------
-----[ SECURITY ANNOUNCEMENT ]-----
-----------------------------------
iNetd Security Research Annoucement

Name: Anti Virus Mailscanners DOS 
Systems Affected: System independant
Date: 25/02/2002
Subject: Potential DOS.
Severity: HIGH
Author: Eduardo R. Maciel (maciel () inetd com br)

Description
===========
An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc, BEFORE open 
the file for scanning.

All the products that doesn't do that checking are vulnerable to a Denial Of Service attack.

Pay attention to the procedure below:

root@maciel:/tmp# dd if=/dev/zero of=/tmp/file count=200000

root@maciel:/tmp# ls -l /tmp/file
-rw-r--r--      1 root  root    102400000 Feb 24 22:13 file

root@maciel:/tmp# bzip2 -z file

root@maciel:/tmp# ls -l /tmp/file.bz2
rw-r--r--       1 root  root    113 Feb 24 22:14 file

Since the file has only null (numerical zeros, not the ASCII kind) characters, the size of the compressed file was 
reduced to a almost insignificant value.
Sending several mails with these compressed files may let a machine out of memory or disk space. 

Solution
========
        The mailscanner should check the filesizes inside a compressed file.

Credits:
        Eduardo R. Maciel
        maciel () inetd com br

Current thread:

Anti Virus Mailscanners DOS Eduardo R. Maciel (Feb 26)
- Re: Anti Virus Mailscanners DOS Piotr Klaban (Feb 26)
- Re: Anti Virus Mailscanners DOS Jedi/Sector One (Feb 26)
- Re: Anti Virus Mailscanners DOS Martin Lesser (Feb 26)
- <Possible follow-ups>
- Re: Anti Virus Mailscanners DOS David F. Skoll (Feb 26)