Re: Anti Virus Mailscanners DOS

From: Piotr Klaban (maklerat_private)
Date: Tue Feb 26 2002 - 01:15:20 PST

    Hi,
    
    The mail scanning DOS problem is well known. There is a file called 42.zip,
    a 4MB zip-packed file containing 4GB of zeroes:
     -rw-r--r--   1 user    group    4168266 Mar 28  2000 page 2.zip
     % unzip -l 'page 2.zip'
       Archive:  page 2.zip
         Length    Date    Time    Name
         ------    ----    ----    ----
     4294967295  03-28-00  18:03   0.dll
         ------                    -------
     4294967295                    1 file
    
    A quick look into Google and here it is:
    
    * http://www.lugbe.ch/mail/archiv/lugbe/msg00327.html
      - the page with a link to 42.zip
    
    * http://www.corpit.ru/pipermail/avcheck/2001-August/000110.html
      - some thoughts on the mail scanning DOS problem
    
    * http://archives.neohapsis.com/archives/bugtraq/2001-07/0206.html
      - other problems with archivers - directory traversal and path globbing
    
    * http://archives.neohapsis.com/archives/bugtraq/2001-07/0232.html
      - special devices in archive files
    
    On Mon, Feb 25, 2002 at 04:29:02PM -0300, Eduardo R. Maciel wrote:
    > An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc., BEFORE opening the file for scanning.
    I think it's very hard to check the original size of a *.bz2 file.
    
    > All the products that don't do that checking are vulnerable to a Denial Of Service attack.
    Yes, indeed. The mail virus scanners that I have tested in the past (DrWeb and AVP)
    do recognize 42.zip as a mailbomb, or something similar.
    
    > Pay attention to the procedure below:
    [...]
    > root@maciel:/tmp# bzip2 -z file
    > root@maciel:/tmp# ls -l /tmp/file.bz2
    > rw-r--r--	1 root	root	113 Feb 24 22:14 file
                                                         ^^^^ (.bz2 is missing? ;-)
    > Solution
    > ========
    > 	The mailscanner should check the filesizes inside a compressed file.
    
    Even if there were an index or a number describing the contents
    and original size of a compressed archive, the mailscanner should not trust it
    - an attacker could possibly change such a value easily.
    
    I know one commercial mail-virus-scanner that has a "maximum compression ratio" parameter.
    If any archive has a higher compression ratio than e.g. 1:5, it stops the unpacking process.
    
    > Sending several mails with these compressed files may leave a machine out of memory or disk space.
    
    It depends on the scanning method. Some virus checkers have built-in MIME/archive
    unpacking code, and check such a mailbomb in memory, dividing it into pieces.
    Then it would just take more minutes to scan such a mail.
    
    I agree that "simple" unzip and bunzip2 programs that are used with mail scanners
    could block your partition. It seems that it is better to check messages on the fly, in memory.
    
    Regards,
    
    -- 
    Piotr Klaban
    
    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 15:44:14 PST