[Dshield] Decompression Bombs
brian at dessent.net
Fri Feb 6 19:38:07 GMT 2004
Alonzo Hess wrote:
> > So, if you extract all files, you will most likely run out of space :-)
> > 16 x 4294967295 = 68.719.476.720 (68GB)
> > 16 x 68719476720 = 1.099.511.627.520 (1TB)
> > 16 x 1099511627520 = 17.592.186.040.320 (17TB)
> > 16 x 17592186040320 = 281.474.976.645.120 (281TB)
> > 16 x 281474976645120 = 4.503.599.626.321.920 (4,5PB)
> > Mcafee nicely detected it as "ZIP-crash file"
> Norton AV Corp edition 8.00.9374
> Scan Engine 126.96.36.199
> defs dated 2/5/04 rev5
> scanned 4369 files and didn't complain about it.
FYI, clamav 0.60 didn't bat an eyelash and reported it as malware.
Combined with exiscan-acl, it was rejected with a 5xx at SMTP time with
the message "This message contains malware (Malformed Zip)" on my
server, when I sent myself the above mentioned 42.zip. (Both Exim and
clamav are GPL and 100% free.)
More information about the list