Re: PenTesting Email AntiVirus

From: Volker Tanger (volker.tangerat_private)
Date: Fri May 17 2002 - 00:59:06 PDT


    Greetings!
    
    Ilici Ramirez wrote:
    > 
    > What ways do you know to pen-test email antivirus
    > software?
    > 
    > A cool one that has been published before is to zip a
    > very large file that contains the same character. The
    > result, a very small file attached to an email could
    > deplete resources on the antivirus server. Do you know
    > any AV exploitable with this?
    
    That usually "only" fills up the hard disc - which is a simple DoS 
    attack (in contrast to penetration) and not further exploitable.
    A known pre-packaged one is the 42.zip monster, containing only "0.dll", 
    4GB of zeros each: 16 libs with 16 books of 16 chapters of 16 docs with 
    16 pages = 16^5 files of 4GB each = 4 PetaByte
    
    Trend InterScan VirusWall was vulnerable but now this attack only blocks 
    one (forked-off) child process for the duration of the scan. Files 
    within the archive are extracted one-by-one (instead of extracting all 
    and then scanning all the lot), a full hard disc fails graciously (and 
    the scanning is restarted). It is recommendable to have the scan partition 
    separate from the system temp partition, though (just to be safe).
    
    IIRC CT's Mailsweeper fails this test, merrily crashing after filling 
    the hard disc.
    
    I have not DoS-tested other products yet.
    
    Bye
    	Volker
    
    -- 
    
    -------------------------------------------------------------------
    volker.tangerat_private                                 discon GmbH
    IT-Security Consulting                           Wrangelstrasse 100
    http://www.discon.de/                         10997 Berlin, Germany
    -------------------------------------------------------------------
    PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
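
The one-member-at-a-time handling described in the message above, sketched for a scanner's archive step as an added example that is not part of the original post or of any product's code. It goes one step further than the post by adding a shared byte budget and a nesting limit; the limits, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_TOTAL = 1 << 20   # assumed budget: 1 MiB decompressed per attachment
MAX_DEPTH = 4         # assumed limit on archives nested inside archives
CHUNK = 64 * 1024

class ArchiveRejected(Exception):
    pass

def _walk(data, state, depth, scan):
    if depth > MAX_DEPTH:
        raise ArchiveRejected("nesting deeper than %d levels" % MAX_DEPTH)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():                 # one member at a time
            if info.file_size > state["left"]:     # cheap reject on declared size
                raise ArchiveRejected("declared size over budget: " + info.filename)
            buf = io.BytesIO()
            with zf.open(info) as member:
                for block in iter(lambda: member.read(CHUNK), b""):
                    state["left"] -= len(block)    # budget shared by all members and levels
                    if state["left"] < 0:
                        raise ArchiveRejected("expanded size over budget: " + info.filename)
                    buf.write(block)
            payload = buf.getvalue()
            if zipfile.is_zipfile(io.BytesIO(payload)):
                _walk(payload, state, depth + 1, scan)
            else:
                scan(info.filename, payload)       # hand plain content to the AV engine

def check_attachment(data, scan=lambda name, payload: None):
    """Return (True, "ok") or (False, reason) without expanding past MAX_TOTAL."""
    try:
        _walk(data, {"left": MAX_TOTAL}, 0, scan)
        return True, "ok"
    # Encrypted or unsupported members raise RuntimeError: unscannable, so reject.
    except (ArchiveRejected, zipfile.BadZipFile, RuntimeError) as exc:
        return False, str(exc)

def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the constructed samples."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return out.getvalue()

# Constructed samples (small stand-ins, not the archive named in the post)
BENIGN = make_zip({"readme.txt": b"hello"})
ZEROS = make_zip({"0.dll": bytes(8 << 20)})        # 8 MiB of zeros in one member
INNER = make_zip({"0.dll": bytes(300 * 1024)})     # 300 KiB of zeros
NESTED = make_zip({"lib%d.zip" % i: INNER for i in range(4)})
```

Because the budget is shared across members and nesting levels, `NESTED` is rejected even though no single member in it exceeds the limit on its own.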
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 17 2002 - 14:28:30 PDT