[Dshield] Decompression Bombs

Brian Dessent brian at dessent.net
Fri Feb 6 19:38:07 GMT 2004


Alonzo Hess wrote:

> > So, if you extract all files, you will most likely run out of space :-)
> >
> >
> > 16 x 4294967295       = 68.719.476.720 (68GB)
> > 16 x 68719476720      = 1.099.511.627.520 (1TB)
> > 16 x 1099511627520    = 17.592.186.040.320 (17TB)
> > 16 x 17592186040320   = 281.474.976.645.120 (281TB)
> > 16 x 281474976645120  = 4.503.599.626.321.920 (4,5PB)
> >
> >
> > Mcafee nicely detected it as "ZIP-crash file"
> >
> Norton AV Corp edition 8.00.9374
> Scan Engine 4.1.0.15
> defs dated 2/5/04 rev5
> 
> scanned 4369 files and didn't complain about it.

FYI, clamav 0.60 didn't bat an eyelash and reported it as malware. 
Combined with exiscan-acl, it was rejected with a 5xx at SMTP time with
the message "This message contains malware (Malformed Zip)" on my
server, when I sent myself the above mentioned 42.zip.  (Both Exim and
clamav are GPL and 100% free.)

Brian
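A defender-side check in the spirit of the "Malformed Zip" rejection above, added here as an example that is not part of the thread and not code from clamav, Exim or any scanner named in it: it judges an archive by the sizes declared in its central directory (expansion ratio, total declared bytes, nesting depth) and never extracts anything to disk. The thresholds and the three sample archives are constructed for this example; none of them is 42.zip.

```python
import io
import zipfile

# Policy thresholds: values assumed for this example, not taken from the thread.
MAX_RATIO = 100          # declared uncompressed bytes per compressed byte
MAX_DECLARED = 1 << 30   # refuse anything that declares more than 1 GiB in total
MAX_NESTING = 3          # zip-inside-zip layers we are willing to open
MAX_MEMBER = 8 << 20     # never inflate a nested archive larger than 8 MiB

def inspect_zip(data: bytes, depth: int = 0) -> str:
    """Return 'ok' or a rejection reason from central-directory sizes; never writes to disk."""
    if depth > MAX_NESTING:
        return "nesting depth %d exceeds %d" % (depth, MAX_NESTING)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "malformed zip"
    infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    packed = max(sum(i.compress_size for i in infos), 1)
    if declared > MAX_DECLARED:
        return "declares %d bytes, more than %d" % (declared, MAX_DECLARED)
    if declared / packed > MAX_RATIO:
        return "expansion ratio %.0f exceeds %d" % (declared / packed, MAX_RATIO)
    for info in infos:
        # Extension check only; a production scanner would sniff the PK magic bytes.
        if not info.is_dir() and info.filename.lower().endswith(".zip"):
            if info.file_size > MAX_MEMBER:
                return "nested archive %s too large to open" % info.filename
            reason = inspect_zip(zf.read(info), depth + 1)
            if reason != "ok":
                return "%s: %s" % (info.filename, reason)
    return "ok"

def make_zip(members: dict) -> bytes:
    """Constructed test fixture: build an in-memory deflated zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: an ordinary archive, one whose only member inflates
# roughly 1000x, and one that nests four archives inside each other.
BENIGN = make_zip({"note.txt": b"hello dshield list, nothing to see here\n"})
BLOATED = make_zip({"zeros.bin": b"\0" * (4 << 20)})
NESTED = make_zip({"a.zip": make_zip({"b.zip": make_zip(
    {"c.zip": make_zip({"d.zip": make_zip({"x.txt": b"x"})})})})})
```

Declared sizes come from the central directory, so a member whose real content disagrees with its header is still caught by the per-member size gate before anything is inflated.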
