Antivirus scanner DoS with zip archives

From: Michel Arboi (arboiat_private)
Date: Sun Jun 17 2001 - 15:11:00 PDT

    Some time ago, MimeSweeper could be killed in a rather simple way:
    compress with zip a 1 GB file filled with zeros, and attach the 1 MB (*)
    result to an e-mail. MimeSweeper tried to allocate 1 GB of memory and
    died.
    (*) The maximum compression ratio with the Zip algorithm is ~ 1:1000
    
    This bug is supposed to be fixed in the latest versions (I did not
    check).
    
        ********
    
    Instead of trying to eat all the memory, we could try to eat the CPU
    like this:
    
    Take some _small_ file "A" and compress it into A.zip
    Copy (or rather link) A.zip 100 times to A1.zip .. A99.zip
    Compress all those files into B.zip.
    B.zip will be much bigger than A.zip, but can be compressed (if A is
    too big, the Zip algorithm cannot find similar substrings and fails to
    compress B)
    Copy (or link) B.zip to B1 .. B99.zip
    Archive them to C.zip (not so big)
    C.zip -> C1 .. C99 => D.zip
    
    Now, D.zip contains 1000000 files, which is probably enough to keep any
    antivirus scanner busy for a loooooong time.
    I tried with winver.exe as my input file, the D.zip archive is about
    600 KB -- not that big.
    
        ********
    
    A variant would be to use a viral code as the "A" file, triggering 1
    million alarms, filling the logs, the administration console, etc.
    :)
    
        ********
    
    Another idea would be to take a huge redundant file as A (let's say 2
    GB of zeros), and compress it (so A.zip is 2 MB, and still redundant).
    B.zip would be about 500 KB, C.zip roughly the same size, and D.zip 650
    KB.
    If the scanner reads the whole file, it has to uncompress and swallow
    about 2 Petabytes!!
    Considering the memory bandwidth now, I am afraid it will take even
    longer than the previous attack.
    
        ********
    
    Countermeasures?
    I am not sure that those attacks work (I just tried on my personal AV
    at home). However, I'd suggest forbidding archives inside archives (or
    not more than 1 level?!), or limiting the global number & size of the
    files inside.
    A simple way to reject such things could be to set a timeout on the
    scanning operation. If it takes too long, the file, attachment, web
    page, whatever, is just rejected.
    
    I'd appreciate comments on this weird idea...
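The countermeasures proposed in the post (a nesting-depth limit, a cap on the total number of members, and a cap on the total uncompressed size) can be enforced before a scanner agrees to unpack anything. The following is an added example, not code from the post or from any scanner vendor: it walks a zip and every zip found inside it, counts members and actual decompressed bytes in bounded chunks, and rejects the archive at the first limit breached. The nested A/B/C/D layering from the post is rebuilt here as a constructed miniature (three copies per level instead of a hundred) purely to exercise the checks; the policy numbers are hypothetical defaults.

```python
"""Bounded inspection of nested zip archives before a content scan.

Added example (not from the original post). Enforces the limits the post
suggests: nesting depth, total member count and total uncompressed bytes.
A scan timeout, the post's other suggestion, is left to the caller.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature of a non-empty zip
CHUNK = 64 * 1024


class ArchivePolicy:
    """Limits the gateway enforces. Default values are hypothetical."""

    def __init__(self, max_depth=1, max_members=10_000,
                 max_total_bytes=256 * 1024 * 1024):
        self.max_depth = max_depth            # 0 = no archives inside archives
        self.max_members = max_members        # counted across all levels
        self.max_total_bytes = max_total_bytes  # actual decompressed bytes, all levels


class ArchiveRejected(Exception):
    """Raised on the first policy violation; the message names the limit."""


def inspect_zip(data, policy, depth=0, stats=None):
    """Walk `data` (zip bytes) and every zip member inside it.

    Never holds more than policy.max_total_bytes of decompressed data in
    total, and never reads a member further than the limit allows, so a
    member that declares (or really contains) gigabytes of zeros is cut off
    early instead of being allocated. Returns accumulated stats on success.
    """
    if stats is None:
        stats = {"members": 0, "total_bytes": 0, "max_depth": 0}
    if depth > policy.max_depth:
        raise ArchiveRejected(f"depth: nesting depth {depth} exceeds {policy.max_depth}")
    stats["max_depth"] = max(stats["max_depth"], depth)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected(f"malformed: bad zip at depth {depth}: {exc}")
    with zf:
        for info in zf.infolist():
            stats["members"] += 1
            if stats["members"] > policy.max_members:
                raise ArchiveRejected(f"members: more than {policy.max_members} members")
            # Cheap first check on the size declared in the central directory.
            if stats["total_bytes"] + info.file_size > policy.max_total_bytes:
                raise ArchiveRejected("size: declared uncompressed size exceeds limit")
            if info.is_dir():
                continue
            # The declared size may lie, so count the bytes actually produced,
            # chunk by chunk, and keep a copy only if the member is itself a zip.
            nested = None
            with zf.open(info) as member:
                first = member.read(CHUNK)
                is_zip = first.startswith(ZIP_MAGIC)
                buf = io.BytesIO() if is_zip else None
                chunk = first
                while chunk:
                    stats["total_bytes"] += len(chunk)
                    if stats["total_bytes"] > policy.max_total_bytes:
                        raise ArchiveRejected("size: actual uncompressed size exceeds limit")
                    if buf is not None:
                        buf.write(chunk)
                    chunk = member.read(CHUNK)
                if buf is not None:
                    nested = buf.getvalue()
            if nested is not None:
                inspect_zip(nested, policy, depth + 1, stats)
    return stats


def verdict(data, policy):
    """Convenience wrapper: ('accept', stats) or ('reject', reason)."""
    try:
        return ("accept", inspect_zip(data, policy))
    except ArchiveRejected as exc:
        return ("reject", str(exc))


def make_zip(members):
    """Constructed test helper: members is {name: bytes}; returns zip bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return out.getvalue()


def build_nested_sample(copies=3):
    """Constructed miniature of the post's A -> B -> C -> D layering."""
    a = make_zip({"A.txt": b"hello " * 100})
    b = make_zip({f"A{i}.zip": a for i in range(copies)})
    c = make_zip({f"B{i}.zip": b for i in range(copies)})
    d = make_zip({f"C{i}.zip": c for i in range(copies)})
    return a, b, c, d


if __name__ == "__main__":
    a, b, c, d = build_nested_sample()
    for name, blob in (("A", a), ("B", b), ("C", c), ("D", d)):
        print(name, len(blob), "bytes ->", verdict(blob, ArchivePolicy(max_depth=1)))
```

With the default depth limit of 1, A.zip and B.zip pass, while C.zip and D.zip are rejected as soon as the first archive at depth 2 is opened, without any of the remaining members being decompressed. Raising the depth limit but keeping a member cap of 50 still rejects D.zip partway through its walk (it holds 66 members in total across all levels), and a small byte cap rejects it on size. Because the limits are checked incrementally on actual bytes read, the memory-exhaustion case from the start of the post (a small zip that declares a huge member) is cut off at the cap rather than allocated.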
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 09:58:28 PDT