Research on the various reactions of anti-virus software against decompression bombs. Has a thorough comparison chart and is definately a good read.
960bc488f2320ff76aabcaee668318043ab11705ecc667a76e5cb089b8ab5799<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<link REL="stylesheet" HREF="/aerasec.css" TYPE="text/css">
<meta name="AUTHOR" content="AERAsec Network Services and Security GmbH">
<meta name="COPYRIGHT" content="(C) 2003-2004 AERAsec Network Services and Security GmbH">
<meta name="KEYWORDS" content="aerasec, advisories, decompression, bomb">
<!--Debug values -->
<!--Language selector -->
<!--German default-->
<!--Call Browser features selector -->
<!--Debug values -->
<!--Browser features selector -->
<!-- test query string -->
<!-- shortcut icon -->
<link href="/favicon.ico" rel="SHORTCUT ICON">
<title>AERAsec - Network Security - Eigene Advisories</title>
<meta name="DESCRIPTION" content="AERAsec Network Services and Security GmbH, Eigene Advisories">
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td valign="top" rowspan="6" width="170">
<img src="/images/i_secu.jpg" hspace="10" alt="Network Security" WIDTH="150" HEIGHT="150">
<p>
<!-- Menu side bar -->
<!-- Set URL suffix values -->
<!-- Set href values -->
<!-- Set image and alt text depending on language -->
<!-- End of Set image, url and alt text depending on language -->
<div class="menu">
<!-- Level 1 - Home -->
<a href="/index.html"><img class="m_plain" src="/images/m_l1_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l1_arrow_blue.gif" alt="" border="0"><img src="/images/m_l1_home.gif.de" alt="Home" border="0"></a>
<br>
<br>
<!-- Level 1 - Services -->
<a href="/services.html"><img class="m_plain" src="/images/m_l1_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l1_arrow_blue.gif" alt="" border="0"><img src="/images/m_l1_networkservices.gif.de" alt="Network Services" border="0"></a>
<br>
<br>
<!-- Level 1 - Security -->
<a href="/security.html"><img class="m_plain" src="/images/m_l1_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l1_arrow_blue.gif" alt="" border="0"><img src="/images/m_l1_networksecurity.gif.de" alt="Network Security" border="0"></a>
<br>
<!-- Level 2 - Security - Topical information -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/index.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_topicinformation.gif.de" alt="Aktuelle Meldungen" border="0"></a>
<br>
<!-- Level 2 - Security - Own Advisories -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/advisories/index.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_advisories.gif.de" alt="Eigene Advisories" border="0"></a>
<br>
<!-- Level 2 - Security - Archive -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/archiv.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_archive.gif.de" alt="Archiv" border="0"></a>
<br>
<!-- Level 2 - Security - Search engine -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/search.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_search.gif.de" alt="Suchmaschine" border="0"></a>
<br>
<!-- Level 2 - Security - Solutions -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/solutions/index.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_solutions.gif.de" alt="Lösungen" border="0"></a>
<br>
<!-- Level 2 - Security - Services -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/services/index.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_services.gif.de" alt="Dienstleistungen" border="0"></a>
<br>
<!-- Level 2 - Security - Systems -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/systems/index.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_systems.gif.de" alt="Systeme" border="0"></a>
<br>
<!-- Level 2 - Security - Internet Services -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/security/internetservices/index.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_networksecurity_internetservices.gif.de" alt="Internet-Dienste" border="0"></a>
<br>
<br>
<!-- Level 1 - Consulting -->
<a href="/consulting.html"><img class="m_plain" src="/images/m_l1_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l1_arrow_blue.gif" alt="" border="0"><img src="/images/m_l1_consulting.gif.de" alt="Consulting" border="0"></a>
<br>
<br>
<!-- Level 1 - Workshops -->
<a href="/workshops.html"><img class="m_plain" src="/images/m_l1_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l1_arrow_blue.gif" alt="" border="0"><img src="/images/m_l1_workshops.gif.de" alt="Workshops/Trainings" border="0"></a>
<br>
<br>
<!-- Level 1 - AboutUs -->
<a href="/wir.html"><img class="m_plain" src="/images/m_l1_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l1_arrow_blue.gif" alt="" border="0"><img src="/images/m_l1_aboutus.gif.de" alt="Wir über uns" border="0"></a>
<br>
<!-- Level 2 - AboutUs - Contact -->
<img src="/images/pixel.gif" width="15" height="12" alt=" "><a href="/kontakt.html"><img class="m_plain" src="/images/m_l2_arrow.gif" alt="" border="0"><img class="m_highlight" src="/images/m_l2_arrow_blue.gif" alt="" border="0"><img src="/images/m_l2_aboutus_contact.gif.de" alt="Kontakt" border="0"></a>
<br>
<br>
<!-- End of Level 1 Menus -->
<!-- Language Flags -->
<p class="smallblock">
<a href="/cgi-bin/changeurl.cgi?document_uri=/security/advisories/decompression-bomb-vulnerability.html&query_string=''&newlang=en"><img src="/images/flag_uk.gif" alt="" border="0" HEIGHT=26 width=42><br><img src="/images/m_config_language.gif.en" alt="English Version" border="0"></a>
</p>
<!-- Textonly switch -->
<!-- Full menues -->
<p class="smallblock">
<a href="/indexfull.html"><img src="/images/m_config_fullmenues.gif.de" alt="Alle Menüs" border="0"></a>
</p>
<p>
<a href="http://6bone.informatik.uni-leipzig.de/ipv6/stats/stats.php3"><img src="http://6bone.informatik.uni-leipzig.de/ipv6/stats/log.php3?URL=www.aerasec.de&ImageId=1&AltV4=2" align=ABSCENTER alt="IPv6 website counter" border="0"></a>
</p>
<!-- image preload -->
<img src="/images/m_l1_arrow_blue.gif" alt="" class="shrink">
<img src="/images/m_l2_arrow_blue.gif" alt="" class="shrink">
<img src="/images/m_l3_arrow_blue.gif" alt="" class="shrink">
</div> <!-- class="menu" -->
</td>
<td valign="top" nowrap align="center">
<a href="index.html"><img src="/images/logo_225.gif" alt="AERAsec" border="0" WIDTH="225" HEIGHT="45"></a>
</td>
</tr>
<tr>
<td valign="top" nowrap align="center">
<img src="/images/h_secu.gif.de" alt="Network Security">
<br>
<img src="/images/h_secu_advi.gif.de" alt="Eigene Advisories">
</td>
</tr>
<tr>
<td valign="top" nowrap align="center">
<br>
<img border="0" src="/images/dot12.gif" width="184" height="8" alt="">
</td>
</tr>
<tr>
<td>
<table width="90%" align="center">
<tr>
<td>
<br>
System: Several <b>Anti-Virus Scanner Software, Web browsers, Applications</b>, possibly other software classes</b>
<br>
Topic: <b>Possible Denial-of-Service caused by decompression bombs</b>
<br>
<br>
</td>
</tr>
<tr>
<td>
URLs of this advisory:<br>
<a href="http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html">http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html</a> (HTML)<br>
<a href="http://www.aerasec.de/security/advisories/txt/decompressionbomb-overview.txt">http://www.aerasec.de/security/advisories/txt/decompressionbomb-overview.txt</a> (short overview in TXT)<br>
See also: <a href="http://www.aerasec.de/security/index.html?id=ae-200402-006">ae-200402-006</a><br>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<title>Decompression bomb vulnerability</title>
<meta name="author"
content="AERAsec Network Services and Security GmbH">
<meta name="description"
content="Overview about the decompression bomb vulnerabilities serveral anti-virus software">
</head>
<body>
<h2>Decompression bomb vulnerabilities</h2>
<pre>(P) & (C) 2004 AERAsec Network Services and Security GmbH<br> The information in this advisory may be freely distributed or reproduced,<br> provided that the advisory is not modified in any way.<br></pre>
<h3>Information</h3>
It looks like bzip2 bombs (see our advisory: <a
href="bzip2bomb-antivirusengines.html">bzip2bomb-antivirusengines</a>)
are not the only ones that can cause problems. We found that
decompression bombs in general
are causing problems. Compression is used in many applications, but
only seldom maximum size limits are checked during decompression of
untrusted content.<br>
<br>
We've created several bombs now and tested not only the decompression
unit
of antivirus engines.<br>
Examples are available here: <a
href="ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/">ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/</a><br>
<ul>
<li style="font-style: italic;">simple bombs</li>
<ul>
<li>compressed binaries containing a huge number of the same char
(binary value)<br>
</li>
</ul>
<li style="font-style: italic;">complex MIME bombs</li>
<ul>
<li>a compressed mailbox containing one e-mail with MIME
parts, the last MIME part contains a virus</li>
</ul>
<li style="font-style: italic;">gzip'ed HTML bombs</li>
<ul>
<li>a gzip'ed HTML file, containing a huge amount of spare
chars</li>
</ul>
<li style="font-style: italic;">picture bombs</li>
<ul>
<li>a unicolor picture in GIF or PNG format with a very big width
and height<br>
</li>
</ul>
<li style="font-style: italic;">OpenOffice bombs</li>
<ul>
<li>OpenOffice data ZIP file containing an additional huge file<br>
</li>
</ul>
<ul>
</ul>
</ul>
<h4>Bomb size ratios</h4>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<th style="vertical-align: top;">Type<br>
</th>
<th style="vertical-align: top;">Used compression<br>
</th>
<th style="vertical-align: top;">Original size<br>
</th>
<th style="vertical-align: top;">Compressed size</th>
<th style="vertical-align: top;">Ratio<br>
</th>
</tr>
<tr>
<td style="vertical-align: top;">simple bomb<br>
</td>
<td style="vertical-align: top;">gzip'ed gzip'ed gzip (3 stages)<br>
</td>
<td style="vertical-align: top;">100 GigaByte<br>
</td>
<td style="vertical-align: top;">5928 Bytes<br>
</td>
<td style="vertical-align: top;">1.7e7:1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">simple bomb</td>
<td style="vertical-align: top;">gzip'ed gzip (2 stages)</td>
<td style="vertical-align: top;">100 GigaByte</td>
<td style="vertical-align: top;">233782 Bytes </td>
<td style="vertical-align: top;">427748:1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">simple bomb</td>
<td style="vertical-align: top;">gzip</td>
<td style="vertical-align: top;">100 GigaByte</td>
<td style="vertical-align: top;">97 MegaByte</td>
<td style="vertical-align: top;">1000:1</td>
</tr>
<tr>
<td style="vertical-align: top;">simple bomb</td>
<td style="vertical-align: top;">bzip2'ed bzip2</td>
<td style="vertical-align: top;">100 GigaByte</td>
<td style="vertical-align: top;">220 Bytes </td>
<td style="vertical-align: top;">4.5e8:1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">simple bomb</td>
<td style="vertical-align: top;">bzip2<br>
</td>
<td style="vertical-align: top;">100 GigaByte</td>
<td style="vertical-align: top;">69745 Bytes </td>
<td style="vertical-align: top;">1.6e6:1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">PNG picture bomb<br>
</td>
<td style="vertical-align: top;">deflate<br>
</td>
<td style="vertical-align: top;">19000 x 19000, 1-bit (45 MB)<br>
expand in 24-bit color to 1 GB<br>
</td>
<td style="vertical-align: top;">44024 Bytes </td>
<td style="vertical-align: top;">1000:1<br>
22e3:1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">GIF picture bomb<br>
</td>
<td style="vertical-align: top;">LZW<br>
</td>
<td style="vertical-align: top;">6000 x 6000, 8-bit (288 MB)<br>
expand in 24-bit color to 100MB</td>
<td style="vertical-align: top;">25527 Bytes</td>
<td style="vertical-align: top;">1e4:1</td>
</tr>
<tr>
<td style="vertical-align: top;">OpenOffice bomb<br>
</td>
<td style="vertical-align: top;">deflate<br>
</td>
<td style="vertical-align: top;">100 GigaByte<br>
</td>
<td style="vertical-align: top;">97 MegaByte<br>
</td>
<td style="vertical-align: top;">1000:1<br>
</td>
</tr>
</tbody>
</table>
<br>
<h4>Possible impacts</h4>
During our investigations we found the following possible impacts:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<th style="vertical-align: top;">Reason<br>
</th>
<th style="vertical-align: top;">System behavior<br>
</th>
<th style="vertical-align: top;">Impact</th>
</tr>
<tr>
<td style="vertical-align: top;">Application crashes because of
out-of-memory</td>
<td style="vertical-align: top;">Process usually terminated by
kernel</td>
<td style="vertical-align: top;">Denial-of-Service against
application<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">Application consumes a lot of
virtual memory</td>
<td style="vertical-align: top;">High CPU load, high disk load
during paging, no or slow reaction. (On
Microsoft Windows systems also increasing of paging file can be
triggered)</td>
<td style="vertical-align: top;">Denial-of-Service against
application, also against system because of heavy load </td>
</tr>
<tr>
<td style="vertical-align: top;">Application crashed because of
out-of-disk space</td>
<td style="vertical-align: top;">Normally after a crash the
application doesn't
remove the temporary file, system stays in out-of-disk-space state.<br>
</td>
<td style="vertical-align: top;">Denial-of-Service against
application, system itself
and other applications<br>
</td>
</tr>
</tbody>
</table>
<br>
<h3>Contents</h3>
<ul>
<li>Affected applications<br>
</li>
<ul>
<li><a href="#Anti-Virus_Scanners">Anti-Virus Scanners</a></li>
<li><a href="#Web_browsers">Web_Browsers</a></li>
</ul>
<ul>
<li><a href="#Other_applications">Other Applications</a><br>
</li>
</ul>
<li><a href="#History">History & Credits</a><br>
</li>
</ul>
<h3>Contributions</h3>
We already received a number of contributions, but there remains a
large number of existing applications to be tested.<br>
Feel free to contribute anything that's missing. We can either add it
anonymously or with attribution, however you prefer. You can reach us
at info at aerasec dot de.<br>
<hr style="width: 100%; height: 1px;" noshade="noshade">
<h3><a name="Anti-Virus_Scanners"></a>Anti-Virus Scanners</h3>
Unless stated otherwise, we define vulnerable to mean that the
application may lead to an out-of-memory, out-of-diskspace, or CPU
overload state during the dump decompression of untrusted content.<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"
rowspan="1" colspan="4"><small>Type of bomb<br>
</small></th>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"
rowspan="1" colspan="2"><small> bzip2</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"
rowspan="1" colspan="2"><small>gzip<br>
</small></th>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Vendor<br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Product,
Version, OS</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>simple<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>complex<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>simple<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>complex<br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Information<br>
</small></th>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Trend
Micro<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>InterScan
Viruswall for<br>
- Linux 3.6 build 1160 and higher<br>
- Solaris 3.6 build 1160 and higher<br>
- Sendmail Switch 3.6 + Patch 2<br>
- Linux 3.8<br>
- Solaris 3.8<br>
- Solaris - CSP 3.6<br>
- AIX 3.6<br>
- HP-UX 3.6<br>
- NT 3.53<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 255, 204);"><small>vulnerable,
but<br>
fix available (7,9)<br>
bomb detection by reaching limit<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 255, 204);"><small>vulnerable,
but<br>
fix available (7,9)<br>
bomb detection by reaching limit</small><small></small><small> </small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 255, 204);"><small>vulnerable,
but<br>
fix available (7,9)<br>
bomb detection by reaching limit</small><small></small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 255, 204);"><small>vulnerable,
but<br>
fix available (7,9)<br>
bomb detection by reaching limit</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><a
href="http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18198"
target="new">Trend
Micro KB #18198</a><br>
<a
href="http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18200"
target="new">Trend
Micro KB #18200</a><br>
<a
href="http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18219"
target="new">Trend
Micro KB #18219</a><br>
<a
href="http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=14203"
target="new">Trend
Micro KB #14203</a><br>
</small></small><small><small>Config
parameters:</small></small><br>
<small><small>[Scan-Configuration]<br>
extract_limit_size=<br>
limit in vscan via command line option:<br>
-E<size><unit><br>
</small></small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Network
Associates<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>McAfee
Virus Scan<br>
for Linux v4.1.60 or v4.2.40<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable
(a,b) (11)<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>strangeness
(b) (11)</small><small><br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>strangeness
(b) (6)</small><small></small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>strangeness
(b) (6)</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small>For
command line scanner use<br>
--timeout <seconds> (documented since 4.3.20)</small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Kaspersky
Labs</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Kaspersky
AntiVirus<br>
for Linux 4.0.2.2</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>bomb
detection</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>bomb
detection</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>bomb
detection</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>bomb
detection</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Kaspersky
Labs</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Kaspersky
AntiVirus<br>
for Linux 4.0.3.0</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>vulnerable<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; background-color: rgb(204, 204, 255);">
<div style="text-align: center;"><small>not
vulnerable</small><br>
</div>
<div style="text-align: center;"><small>(8)</small></div>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; background-color: rgb(204, 204, 255);">
<div style="text-align: center;"><small>not
vulnerable</small><br>
</div>
<div style="text-align: center;"><small>(2)</small></div>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; background-color: rgb(204, 204, 255);">
<div style="text-align: center;"><small>not
vulnerable</small><br>
</div>
<div style="text-align: center;"><small>(2)</small></div>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><br>
</td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Kaspersky
Labs<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Kaspersky
AntiVirus<br>
for Linux 5.0.1.0 (probably all versions since 4.5)<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(204, 204, 255);"><small>not
vulnerable, but no warning (1)<br>
</small><small></small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>FRISK<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>F-PROT
AntiVirus<br>
for Linux 4.3.2 (Engine 3.14.7)<br>
</small><small> for Linux 4.3.4 (Engine 3.14.8)</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(204, 204, 204); font-family: helvetica,arial,sans-serif;"><small>no
bzip2 support <br>
</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(204, 204, 204); font-family: helvetica,arial,sans-serif;"><small>no
bzip2 support</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(204, 204, 255);"><small>not
vulnerable, but no warning<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable
(3)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small>Memory-only
scanner</small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>AMaViS</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>amavis-0.2.x,
amavis-0.3.x, amavisd (all </small><small>versions)</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><a
href="http://www.amavis.org/security/asa-2004-1.txt" target="new">ASA-2004-1</a><br>
(currently no solution!)<br>
</small> </small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>AMaViS<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>amavisd-new</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection
by
reaching limit<br>
</small><small style="font-weight: bold;"> since version 20021116</small><br>
</td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit<br>
</small><small style="font-weight: bold;"> since version 20021116</small><br>
</td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit<br>
</small><small style="font-weight: bold;"> since version 20021116</small><br>
</td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit<br>
</small><small style="font-weight: bold;"> since version 20021116</small><br>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><a
href="http://www.amavis.org/security/asa-2004-1.txt" target="new">ASA-2004-1</a></small></small><br>
<small><small>Config
parameters:<br>
<span style="font-style: italic;">$MAXLEVELS</span><br>
<span style="font-style: italic;">$MAXFILES</span><br>
<span style="font-style: italic;">$MIN_EXPANSION_QUOTA</span><br>
<span style="font-style: italic;">$MAX_EXPANSION_QUOTA</span><span
style="font-style: italic;"><br>
$MIN_EXPANSION_FACTOR<br>
</span><span style="font-style: italic;">$MAX_EXPANSION_FACTOR</span>
</small> <br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>AMaViS</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>amavis-ng</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153); font-family: helvetica,arial,sans-serif;"><small>bomb
detection </small><small>by
reaching limit</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><a
href="http://www.amavis.org/security/asa-2004-1.txt" target="new">ASA-2004-1</a><br>
</small></small><small><small>Config
parameters:<br>
<span style="font-style: italic;">maxspace</span></small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>SOFTWIN<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>bitdefender/Linux-Console
v7.0<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(204, 204, 255);"><small>not
vulnerable, but no warning</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>not
vulnerable,but see (4)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(204, 204, 255);"><small>not
vulnerable, but no warning<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>not
vulnerable, but see (4)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Sophos<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Sweep
Version 3.77, Januar 2004 [Linux/Intel]<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>vulnerable
(b) (5,12)</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable
(b) (5)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>still</small><small>
untested</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>not
vulnerable, but </small><small>no virus found</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>H+BEDV<br>
</small><small>Central
Command</small><br>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>AntiVir
/ Linux Version 2.0.9-6<br>
</small><small>Vexira</small><br>
<small> </small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(204, 204, 255);"><small>not
vulnerable by </small><small>reaching limit (b) (7,10)<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>still</small><small>
untested</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(204, 204, 255);"><small>not
vulnerable by </small><small>reaching limit </small><small>(b) (7,10</small><small>)</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(204, 204, 255);"><small>not
vulnerable by</small><small> </small><small>reaching limit (b) (7</small>,<small>10)</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><a
href="http://archives.neohapsis.com/archives/postfix/2004-01/1335.html"
target="new">posting on postfix maillist regarding Vexira</a><br>
</small></small><small><small>Config
parameters </small></small><small><small>(AvMailGate)</small></small><br>
<small><small>MaxFilesizeInArchive<br>
</small></small></td>
</tr>
</tbody>
</table>
<br>
<h4>Notes</h4>
<ol>
<li>Stops scanning a 10 GByte gzip'ed gzip after 1.3 GB</li>
<li>Reports
"<span style="font-style: italic;">GZIP: unknown format</span>"
(0x31-10G) or "<span style="font-style: italic;">packed:
MIME.Broken</span>" (0x31-1G)<br>
</li>
<li>Process was terminated by kernel: <span
style="font-style: italic;">"Out of Memory: Killed process"</span></li>
<li>Virus was not detected after 10 MB or more spare part size</li>
<li>Crashes with segmentation fault after both tmp-files reach size
of approx. 2 GB<br>
</li>
<li>Time limit is reached during decompression without a
proper report to the user</li>
<li>Temporary files in /tmp have permissions 644 (o+r), can be fixed
by settting proper umask (077) before calling binary<br>
</li>
<li>Reports
"<span style="font-style: italic;">I/O error</span>" (100GB)</li>
<li><span style="font-weight: bold;">Exit code</span> of vscan is <span
style="font-weight: bold;">0</span> in case of reaching decompression
size
limit or archive beeing encrypted (e.g. ZIP password protection), only
1 in
case a virus was found</li>
<li>Reports "...<span style="font-style: italic;">extract error (File
size limit reached.)</span>", but <span style="font-weight: bold;">exit
code</span> is <span style="font-weight: bold;">0</span> (zero)<small></small></li>
<li>Reports "<span style="font-style: italic;">is corrupted.</span>"
when scanning the 10 or 100 GB file<br>
</li>
<li>Running with "unset LANG" it reports "<span
style="font-style: italic;">unexpected error</span>" and terminates
with exit code 2 ("<span style="font-style: italic;">If some error
preventing further execution is discovered.</span>"), using additonal
option -eec for extended error codes it reports 8 ("<span
style="font-style: italic;">If survivable errors have occurred.</span>")<br>
</li>
</ol>
<h4>Contributions by<br>
</h4>
<ol style="list-style-type: lower-alpha;">
<li>Ralf Hildebrandt, Charite - Universitätsmedizin Berlin</li>
<li>AMaVis team<br>
</li>
</ol>
<h4>Used command line switches</h4>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Vendor</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Product<small><br>
</small></small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Executable<br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Used
options</small><br>
</th>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>FRISK</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>F-PROT
AntiVirus for Linux<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>f-prot<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>-archive
-all -packed<br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>SOFTWIN</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>bitdefender
for Linux<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>bdc<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>--arc
--files --mail --all<br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Trend
Micro</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>InterScan
Viruswall for Linux<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>vscan<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>-za
-E1G<br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Network
Associates<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>McAfee
Virus Scan for Linux </small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>uvscan<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>--mailbox
--mime --unzip<br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Sophos</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Sweep
Version</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>sweep<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>-f
-all -archive</small><small><br>
</small></td>
</tr>
</tbody>
</table>
<br>
<hr style="width: 100%; height: 1px;" noshade="noshade">
<h3><a name="Web_browsers"></a>Web browsers</h3>
HTML Decompression bombs can also be sent to web browser, should gzip
transfer encoding be supported.<br>
See here for some small examples: <a href="html-bomb/index.html"
target="new">html-bomb/examples</a>.<br>
<br>
Unless stated otherwise, we define vulnerable to mean that the
application may lead to an out-of-memory, out-of-diskspace, or CPU
overload state during the dump decompression of untrusted content.<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<th rowspan="1" colspan="3"
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>Type
of bomb<br>
</small></th>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Vendor<br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Product,
Version, OS</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>gzip'ed
HTML<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>GIF</small><small><br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>PNG</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Information<br>
</small></th>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla<br>
1.4/Windows<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable<br>
very busy during decompression<br>
eats all virtual memory<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>100M
displayed<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>100M
displayed,<br>
1G not displayed, but no crash<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><a
href="http://bugzilla.mozilla.org/show_bug.cgi?id=233262" target="new">Bugzilla#233262</a><br>
</small></small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla<br>
1.5/Linux</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>still</small><small>
untested</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>still</small><small>
untested</small></td>
<td
style="vertical-align: top; background-color: rgb(255, 204, 204);">
<div style="text-align: center;"><small><span
style="font-family: helvetica,arial,sans-serif;">vulnerable</span></small><small><span
style="font-family: helvetica,arial,sans-serif;"> (a)<br>
</span></small><small><span
style="font-family: helvetica,arial,sans-serif;">crashes on 1G <br>
</span></small></div>
</td>
<td style="vertical-align: top;"><small><small><a
href="http://bugzilla.mozilla.org/show_bug.cgi?id=233262" target="new"><br>
</a></small></small> </td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla<br>
1.6/Linux</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>vulnerable
(c)<br>
process killed after reaching virtual memory limit (1G)</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>100M
ok</small><small></small></td>
<td
style="vertical-align: top; background-color: rgb(255, 204, 204);">
<div style="text-align: center;"><small><span
style="font-family: helvetica,arial,sans-serif;">vulnerable</span></small><small><span
style="font-family: helvetica,arial,sans-serif;"> (c)<br>
</span></small><small><span
style="font-family: helvetica,arial,sans-serif;">process killed rather
soon <br>
</span></small></div>
</td>
<td style="vertical-align: top;"><small><small><a
href="http://bugzilla.mozilla.org/show_bug.cgi?id=233262" target="new"><br>
</a></small></small> </td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Mozilla<br>
1.6/Win32</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 255, 204);"><small>safe
(c) (2)<br>
<br>
</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>100M
ok</small><small></small></td>
<td
style="vertical-align: top; background-color: rgb(255, 255, 204);">
<div style="text-align: center;"><small><span
style="font-family: helvetica,arial,sans-serif;">strangeness (c) (3)</span></small><small><span
style="font-family: helvetica,arial,sans-serif;"><br>
</span></small></div>
</td>
<td style="vertical-align: top;"><small><small><a
href="http://bugzilla.mozilla.org/show_bug.cgi?id=233262" target="new"><br>
</a></small></small> </td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Opera<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Opera<br>
7.23 Build 3227/Windows<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable<br>
killed after reaching limit of available virtual memory during
decompression<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>100M
ok<br>
</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(255, 204, 204);"><small><span
style="font-family: helvetica,arial,sans-serif;">vulnerable<br>
crashes on 1G<br>
</span></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Opera<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Opera<br>
7.23 Build 518 /Linux<br>
</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>still
untested </small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>100M
ok<br>
</small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(255, 204, 204);"><small><span
style="font-family: helvetica,arial,sans-serif;">vulnerable<br>
crashes on 1G<br>
</span></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Microsoft<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Internet
Explorer<br>
6.0.2800.1106<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small><small><big>restarting
during decompression (100M)<br>
<a href="html-bomb/ms-ie-60-restart.png"><img
src="html-bomb/ms-ie-60-restart.png" title=""
alt="Microsoft Internet Explorer restart message during decompression of gzip'ed HTML"
style="border: 0px solid ; width: 150px; height: 78px;"></a><br>
</big></small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small><small><big>safe,
but<br>
100M was not displayed<br>
</big></small></small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(153, 255, 153);"><small><span
style="font-family: helvetica,arial,sans-serif;">safe,<br>
error messages were displayed</span></small><br>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small><small><br>
</small></small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Microsoft</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Internet
Explorer<br>
5.00.3700.1000<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 255, 204);"><small>rendering
problems after<br>
reaching the virtual memory limit<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small><small><big>safe,
but<br>
100M was not displayed</big></small></small></td>
<td
style="vertical-align: top; text-align: center; background-color: rgb(204, 204, 204);"><small><span
style="font-family: helvetica,arial,sans-serif;">not supported</span></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>KDE<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Konqueror<br>
3.1.5/Linux<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>still</small><small>
untested</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);">
<div style="text-align: center;"><small>vulnerable </small><small>(b)<br>
crashes on 100M (1)</small><small></small><br>
</div>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small></small>
<div style="text-align: center;"><small>still</small><small>
untested</small><br>
</div>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
</tbody>
</table>
<br>
<h4>Notes</h4>
<ol>
<li>Process was terminated by kernel: <span
style="font-style: italic;">"Out of Memory: Killed process"</span></li>
<li>99% CPU load and 1.5GB memory allocation</li>
<li>Recognices the picture size (scroll bars are shown), but no
content is displayed<br>
</li>
</ol>
<h4>Contributions by<br>
</h4>
<ol style="list-style-type: lower-alpha;">
<li>AMaVis team</li>
<li>Ralf Hildebrandt, Charite - Universitätsmedizin Berlin</li>
<li>Martin Kirst, TU Chemitz<br>
</li>
</ol>
<h4>Additional comments</h4>
<ul>
<li>Browsers in SmartPhones or PDAs:</li>
<ul>
<li>Currenty, we have no reports whether browsers in smartphones or
PDAs are vulnerable, too. Since they generally do not have much
physical memory, and data is probably compressed <span
style="font-style: italic;"></span>over the low bitrate connection,
their vulnerability is to be expected.<br>
</li>
</ul>
</ul>
<hr style="width: 100%; height: 1px;" noshade="noshade">
<h3><a name="Other_applications"></a>Other applications</h3>
We currently haven't tested any other applications. Every application
that uses compressed data is potentially vulnerable, unless it has a
sane<br>
maximum limit for decompression. Otherwise, working with content from
untrusted sources can yield to denial-of-service.<br>
<br>
Currently related available bombs:
<ul>
<li><a
href="ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/pictures/">picture
bombs</a></li>
<li><a
href="ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/openoffice/">OpenOffice
bombs</a></li>
</ul>
<br>
We started here a collection:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; width: 100%;">
<tbody>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
<td style="vertical-align: top;"><br>
</td>
<th rowspan="1" colspan="5"
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>Possible
impact on bombs<br>
</small></th>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Vendor<br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Product,
Version, OS</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Compression
usage<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>ZIP<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>GZIP<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>BZIP2<br>
</small></th>
<th
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif;"><small>GIF</small><small><br>
</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>PNG</small></th>
<th
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>Information<br>
</small></th>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>OpenOffice.org</small><small><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>OpenOffice.org
1.1.0/Windows<br>
</small><small> </small></td>
<td style="vertical-align: top;"><small><span
style="font-family: helvetica,arial,sans-serif;">Storage file is a
ZIP, containing documents, styles, pictures...</span></small><br>
</td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(255, 204, 204);"><small>vulnerable
(1)</small><br>
<small> </small><small> </small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; text-align: center; font-family: helvetica,arial,sans-serif; background-color: rgb(153, 255, 153);"><small>safe,
but heavy load during decompression (100M)</small><small></small><small>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>save,
but heavy load during decompression (1G)</small><small></small><small></small><small><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small><br>
</small></small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>The
GIMP<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>The
GIMP for Windows 1.2.4<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>GIF
and PNG related ones<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>safe
(100M)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>heavy
load, causes an unknown software exception (<a
href="picture-bomb/gipmcrash-1GB-gif.png" target="new">screenshot</a>)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>The
GIMP<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>The
GIMP for Linux 1.2.5<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>GIF
and PNG related ones<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>safe
(100M)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>heavy
load, causes system overload (2)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><br>
</small></td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>The
GIMP</small><small></small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>The
GIMP for Windows 2.0-pre2</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>GIF
and PNG related ones</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 255, 153);"><small>safe
(100M)<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(255, 204, 204);"><small>heavy
load<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><br>
</td>
</tr>
<tr>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; font-style: italic;"><small>Unknown</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><span
style="font-style: italic;">Unknown SOAP client</span><br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small>gzip'ed
XML<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center;"><small>still
untested<br>
</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif; text-align: center; background-color: rgb(153, 153, 153);"><small>n.a.</small></td>
<td
style="vertical-align: top; background-color: rgb(153, 153, 153); font-family: helvetica,arial,sans-serif;">
<div style="text-align: center;"><small>n.a.<small><br>
</small></small></div>
</td>
<td
style="vertical-align: top; font-family: helvetica,arial,sans-serif;"><small><small>Results
would be interesting...</small><br>
</small></td>
</tr>
</tbody>
</table>
<br>
<h4>Notes</h4>
<ol>
<li>On Microsoft Windows, out-of-disc space occurs in user's TEMP
folder (usually resides on C:) in case of the <span
style="font-style: italic;">OpenOffice-Bomb</span></li>
<li>The Gimp sent X into an unusable state after running out of disk
space, the machine had to be rebooted.<span style="font-style: italic;"><br>
</span></li>
</ol>
<hr style="width: 100%; height: 1px;" noshade="noshade">
<h3><a name="History"></a>History & Credits<br>
</h3>
<h4>History of this page</h4>
<ul>
<li>2004-01-16: first version</li>
<li>2004-01-19: extend information</li>
<li>2004-01-20: add AMaViS information and result of further
investigations</li>
<li>2004-01-21: result of further
investigations</li>
<li>2004-01-27: review, minor adds of further
investigations</li>
<li>2004-01-28: add an additional workaround<br>
</li>
<li>2004-02-03: finalizing before publishing</li>
<li>2004-02-04: minor fix</li>
<li>2004-02-09: add contributions for Mozilla, add hint for NAI uvscan</li>
<li>2004-02-10: add (same) result of new version of FRISK's f-prot</li>
</ul>
<h4>History of this issue itself<br>
</h4>
<ul>
<li>early '90s: ARC/LZH/ZIP/RAR-Bombs were used in DoS of Fidonet
systems</li>
<li>2002-01-01: Paul L. Daniels publishes first version of 'arbomb'
(Archive "Bomb" detection utility)</li>
<li>2003-08-29: Posting by Steve Wray on mailinglist FullDisclosure
mentions a bzip2 bomb</li>
<li>2003-09-01: AERAsec found that some antivirus software is
vulnerable against the posted bzip2 bomb</li>
<li>2004-01-09: Publishing of the advisory <a
href="file:///O:/wwwaerasec/wwwtest.muc.aerasec.de/pub/security/advisories/bzip2bomb-antivirusengines.html">bzip2bomb-antivirusengines</a></li>
<li>2004-01-15: Investigation of gzip'ed HTML and PNG/GIF bombs<br>
</li>
<li>2004-02-03: Publishing of this advisory</li>
</ul>
<h4>Author</h4>
<ul>
<li>Dr. Peter Bieringer, AERAsec Network Services and Security GmbH</li>
</ul>
<h4>Credits</h4>
<ul>
<li>Ralf Hildebrandt, Charite - Universitätsmedizin Berlin</li>
<ul>
<li>Reporting some test results</li>
</ul>
<li>Harald Geiger, AERAsec Network Services and Security GmbH</li>
<ul>
<li>Reporting some test results</li>
</ul>
<li>AMaVis team</li>
<ul>
<li>Reporting test results</li>
</ul>
<li>Martin F. Krafft</li>
<ul>
<li>Review of this adivsory</li>
</ul>
<li>Martin Kirst, TU Chemitz</li>
<ul>
<li>Reporting test results</li>
</ul>
</ul>
<hr style="width: 100%; height: 1px;" noshade="noshade">
</body>
</html>
</td>
</tr>
</td>
</table>
</tr>
<tr>
<td valign="top" nowrap align="center">
<br>
<img border="0" src="/images/dot12.gif" width="184" height="8" alt="">
</td>
</tr>
</table>
</body>
</html>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed