Hi folks,

Not just the Antivirus engine can be targeted here. I used to install/configure/admin & support certain email filtering products that would do the whole virus scan thang as well as the normal content and attachment filtering. One of these could be killed by a simple .pdf file, purely because the scanning engine would time out and kill the service. You could probably get the same effect with a malformed file as well as the constructed ones mentioned by Michel.

I agree that the best way to deal with it is to quarantine the file and flag the admin if the content analysis engine times out, rather than let it run and starve the box. Most of these mail servers will allow a maximum attachment size as well, so _really_ silly files can be blocked.

To extrapolate further, I have used similar techniques to bypass content filtering, working on the principle that the scanning/decoding engine will do _just_ that, allowing you to play with file types and archives such that you can get what you want past the mail server.

Let's say I wanted to get a .jpg file of those Lego pr0n pictures into somewhere (nasty piece of work that I am ;-) - now .jpg files are blocked; the engine will pick up these embedded in Word docs or PowerPoint presentations as these are known filetypes. What if I base64 piccy.jpg as piccy.txt and zip that? Unzip it, yup, that's a text file - all clear ;-) Add noddy stuff like ROT13 and the like in case a base64 decoder suddenly appears....

Just a few random rumblings...

Cheers.

----- Original Message -----
From: "Michel Arboi" <arboiat_private>
To: <VULN-DEVat_private>
Sent: Sunday, June 17, 2001 11:11 PM
Subject: Antivirus scanner DoS with zip archives

[snip]
> I'd appreciate comments on this weird idea...
[snip]
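The encoding chain described in the post (image, base64 as a .txt, ROT13, zip) and the two sides of the filtering argument, as an added example that is not part of the original message or any of the products it mentions. The names `wrap_for_bypass`, `naive_filter` and `classify`, the budget constants, and the sample image (a JFIF header plus filler, constructed here, not a real picture) are all assumptions of this example. `naive_filter` decides by extension, the way the post says the bypassed engine did; `classify` decides by content, peels text layers, and, following the post's advice, returns "quarantine" instead of running unbounded when its analysis budget is exhausted or the archive is malformed.

```python
import base64
import binascii
import codecs
import io
import zipfile
from typing import Iterator

# Constructed stand-in for the picture: a JPEG/JFIF header followed by filler bytes.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 64)

JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"
BLOCKED_EXT = (".jpg", ".jpeg")

# Analysis budget (hypothetical values): exceeding it yields "quarantine", never "allow".
MAX_DEPTH = 4          # nested archives / encoding layers
MAX_BYTES = 1 << 20    # largest blob we are willing to inflate or decode
MAX_MEMBERS = 100      # archive members per level


def wrap_for_bypass(image: bytes, inner_name: str = "piccy.txt") -> bytes:
    """The chain from the post: base64 the image as a .txt, ROT13 it, zip it."""
    b64 = base64.b64encode(image).decode("ascii")
    rot = codecs.encode(b64, "rot_13")       # ROT13 keeps it inside the base64 alphabet
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, rot)
    return buf.getvalue()


def naive_filter(name: str, data: bytes) -> str:
    """Extension-based filter of the kind the post bypasses: it unpacks archives
    only to look at the members' names again. Verdicts: 'block' or 'allow'."""
    if name.lower().endswith(BLOCKED_EXT):
        return "block"
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if naive_filter(info.filename, zf.read(info)) == "block":
                    return "block"
    return "allow"


def _peel_text_layers(data: bytes) -> Iterator[bytes]:
    """Yield plausible decodings of an ASCII blob: base64, and base64 after ROT13."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return
    compact = "".join(text.split())          # tolerate line wrapping in the .txt
    for candidate in (compact, codecs.encode(compact, "rot_13")):
        try:
            out = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        if out:
            yield out


def classify(name: str, data: bytes, depth: int = 0) -> str:
    """Content-based verdict: 'block' if a JPEG is found under any layer,
    'quarantine' if the budget runs out or the archive cannot be parsed,
    otherwise 'allow'. The budget is what keeps this from becoming the DoS
    the post describes (an engine that never finishes)."""
    if depth > MAX_DEPTH or len(data) > MAX_BYTES:
        return "quarantine"
    if data.startswith(JPEG_MAGIC):
        return "block"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
                if len(infos) > MAX_MEMBERS:
                    return "quarantine"
                for info in infos:
                    if info.file_size > MAX_BYTES:
                        return "quarantine"  # refuse to inflate it at all
                    verdict = classify(info.filename, zf.read(info), depth + 1)
                    if verdict != "allow":
                        return verdict
        except (zipfile.BadZipFile, NotImplementedError, RuntimeError, EOFError, OSError):
            return "quarantine"              # malformed: the engine cannot say what is inside
        return "allow"
    for decoded in _peel_text_layers(data):  # a .txt member is only text until decoded
        verdict = classify(name, decoded, depth + 1)
        if verdict != "allow":
            return verdict
    return "allow"


if __name__ == "__main__":
    archive = wrap_for_bypass(SAMPLE_JPEG)
    print("naive filter on piccy.zip :", naive_filter("piccy.zip", archive))
    print("content filter on piccy.zip:", classify("piccy.zip", archive))
```

Two design points worth noting. First, ROT13 survives base64 because it maps letters to letters, so a filter that only tries plain base64 still sees a valid-looking but meaningless decode; `classify` therefore tries both orderings, and the depth limit is what stops an attacker from stacking layers until the scanner gives up. Second, every failure path (oversized member, too many members, corrupt archive, budget exhausted) returns "quarantine" rather than "allow", which is the fail-closed behaviour the post recommends for an engine that times out.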
This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 15:32:35 PDT