URLs of this advisory:
http://www.aerasec.de/security/advisories/bzip2bomb-antivirusengines.html (HTML)
http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt (TXT)
See also: ae-200401-020
>>> Follow up: ae-200402-006, Decompression bomb vulnerability <<<
Topic: bzip2 bomb vulnerability of antivirus decompression engines
(P) & (C) 2004-2008 AERAsec Network Services and Security GmbH
The information in this advisory may be freely distributed or reproduced,
provided that the advisory is not modified in any way.
Main URLs:
==========
http://www.aerasec.de/
http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt
http://www.aerasec.de/security/advisories/bzip2bomb-antivirusengines.html
http://www.aerasec.de/security/index.html?id=ae-200401-020
bzip2 bomb examples (disarmed versions; see the README for how to arm them):
ftp://ftp.aerasec.de/pub/advisories/bzip2bomb/
http://msgs.securepoint.com/cgi-bin/get/bugtraq0401/70.html
http://lists.netsys.com/pipermail/full-disclosure/2004-January/015420.html
http://www.heise.de/newsticker/data/dab-13.01.04-000/
Contact:
========
Via e-mail: info at aerasec dot de
URLs for further information:
=============================
http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html
http://www.linux-community.de/Neues/story?storyid=11213&commentid=40051&order=location#40051
(in German)
http://www.pldaniels.org/arbomb/
http://freshmeat.net/projects/arbomb/
http://www.ijs.si/software/amavisd/
Affected versions:
==================
* kavscanner of
Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.0.3.0)
* vscan of
Trend Micro InterScan VirusWall 3.8 Build 1130 (probably other versions, too)
* uvscan of
McAfee Virus Scan for Linux v4.16.0 (probably other versions, too)
* AMaViS 0.2.x/0.3.x, amavisd below amavisd-new-20021116, amavis-ng
Perhaps software from other vendors, too.
Vulnerability:
==============
The scanners mentioned above are still vulnerable to bzip2 bombs.
Normally, every antivirus product is able to scan inside archives for viruses.
To do so, it extracts the archive before scanning, using a (mostly built-in)
decompression engine. Many of these decompression engines have a nesting-level
limit, but very few have a maximum size limit or smart code for anomaly
detection (such as watching the expansion ratio while decompressing).
Impact:
=======
Because most decompression engines store the decompressed file on the local
filesystem (mostly /tmp), this can lead to a denial of service (DoS):
- No space left on the filesystem where /tmp resides, e.g.
  / filesystem (if /tmp is not located on a dedicated partition)
  /var filesystem (if /tmp is a symbolic link to /var/tmp and /var is located
  on a dedicated partition)
- High CPU usage during decompression
- No further scanning capability (because of the full filesystem)
- System lock-down because of the full filesystem
Main author:
============
Dr. Peter Bieringer, AERAsec Network Services and Security GmbH
Credits:
========
Steve Wray
for bringing up this issue in August 2003 on FullDisclosure
Harald Geiger, AERAsec Network Services and Security GmbH
for the idea of testing a bzip2 file containing other chars than 0x00
Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
for testing bzip2 bombs on McAfee Virus Scan for Linux
AMaViS team
for sending a note
History of the issue itself:
============================
early '90s: ARC/LZH/ZIP/RAR-Bombs were used in DoS of Fidonet systems
2002-01-01: Paul L. Daniels publishes first version of 'arbomb'
(Archive "Bomb" detection utility)
2002-10-17: Paul L. Daniels publishes currently last available version of 'arbomb'
2003-08-29: Posting by Steve Wray on the mailing list FullDisclosure mentions a bzip2 bomb
problem in general and provides an example
2003-09-01: Found that Kaspersky AntiVirus software version 4.5.0.0 is
vulnerable to the posted bzip2 bomb (vendor notified)
Also confirmed that 4.0.2.2 is NOT vulnerable
2003-09-29: Found that Kaspersky AntiVirus software version 5.0.0.0 is
vulnerable to the posted bzip2 bomb (vendor notified)
2003-11-11: Kaspersky AV 5.0 now detects the posted bzip2 bomb
2004-01-09: Analysed the posted bzip2 bomb and found that the original
uncompressed file is around 2 Gigabyte of zeros (0x00).
Because Kaspersky AntiVirus had detected the bomb after a pattern
update and not by adding smart code to the decompression engine,
a newly created bzip2 bomb containing 2 Gigabyte of ASCII '1' (0x31)
was tested.
Found that Kaspersky AntiVirus software version 5.0.1.0 is
vulnerable to the 2 GB x 0x31 bzip2 bomb (vendor notified)
Also confirmed that 4.0.2.2 is NOT vulnerable to this new
bzip2 bomb.
Also found that Trend Micro InterScan VirusWall 3.8 build 1130
is vulnerable to both bzip2 bombs
Also found that McAfee Virus Scan for Linux v4.16.0 is vulnerable
to both bzip2 bombs
Publishing of this advisory on FullDisclosure and BugTraq
2004-01-16: Further investigations show that Kaspersky 4.0.3.0 handles bzip2
bombs differently and no longer detects them (unlike 4.0.2.2 before)
2004-01-20: Noted that some versions of AMaViS are also vulnerable
History of the advisory:
========================
2004-01-09: Initial release
2004-01-10: Cosmetic changes, add a note about the poorly designed
permissions of the temporary file created by Trend Micro's "vscan"
2004-01-12: Add URL of 'arbomb' and FullDisclosure and BugTraq postings
minor syntax review
2004-01-13: Add URL of Heise Newsticker posting
Add URL and useful parameters of amavisd-new
2004-01-15: Add URL to Trend Micro knowledgebase entry regarding this issue
2004-01-16: Update information about Kaspersky because of investigations of
version 4.0.3.0
Extend history of issue
2004-01-20: Add URL to AMaViS advisory
Possible workaround:
====================
Using the decompression engine of amavisd-new together with the limits
available in amavisd-new would help.
See the following parameters for more:
$MAXLEVELS, $MAXFILES, $MIN_EXPANSION_QUOTA,
$MAX_EXPANSION_QUOTA, $MIN_EXPANSION_FACTOR, $MAX_EXPANSION_FACTOR
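The "Vulnerability" section states that the affected engines lack a maximum size limit and any anomaly detection, and the workaround above points to amavisd-new's quota and expansion-factor parameters. The following is an added example (not code from AERAsec, amavisd-new or any scanner vendor) of what such a check looks like in practice: a streaming bzip2 decompressor that enforces an absolute output quota and an expansion-ratio ceiling after every chunk, and that spools the inflated data into a private 0600 temp file instead of a world-readable one. The Limits field names only mirror the amavisd-new parameter names; the policy combining them, the numeric values, and the sample inputs are this example's own assumptions.

```python
# Added example (not AERAsec, amavisd-new or vendor code): bounded bzip2
# inflation with archive-bomb checks. Limit names mirror the amavisd-new
# parameters named in the advisory; the policy below is an assumption.
import bz2
import os
import random
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    max_expansion_quota: int     # hard cap on total decompressed bytes
    min_expansion_quota: int     # ratio is not judged until output exceeds this
    max_expansion_factor: float  # largest tolerated output/input ratio


@dataclass
class Verdict:
    bomb: bool
    reason: str
    bytes_in: int
    bytes_out: int


class ArchiveBomb(Exception):
    """Raised as soon as a limit is crossed, before the rest is inflated."""


def _enforce(bytes_in: int, bytes_out: int, lim: Limits) -> None:
    if bytes_out > lim.max_expansion_quota:
        raise ArchiveBomb(f"output {bytes_out} exceeds quota {lim.max_expansion_quota}")
    if bytes_out > lim.min_expansion_quota and bytes_in > 0:
        ratio = bytes_out / bytes_in
        if ratio > lim.max_expansion_factor:
            raise ArchiveBomb(f"expansion factor {ratio:.0f} exceeds {lim.max_expansion_factor}")


def scan_bz2(blob: bytes, lim: Limits, sink: Optional[Callable[[bytes], object]] = None,
             in_chunk: int = 4096, out_chunk: int = 64 * 1024) -> Verdict:
    """Inflate `blob` incrementally, re-checking the limits after every chunk.
    Input is fed in `in_chunk` slices and output drained at most `out_chunk`
    bytes at a time, so the ratio is visible while the stream is still inflating."""
    dec = bz2.BZ2Decompressor()
    bytes_in = bytes_out = offset = 0
    try:
        while not dec.eof:
            if dec.needs_input:
                if offset >= len(blob):
                    raise ValueError("truncated bzip2 stream")
                piece = blob[offset:offset + in_chunk]
                offset += len(piece)
                bytes_in += len(piece)
                produced = dec.decompress(piece, max_length=out_chunk)
            else:
                # Output was capped last round: drain without feeding more input.
                produced = dec.decompress(b"", max_length=out_chunk)
            bytes_out += len(produced)
            if sink is not None and produced:
                sink(produced)
            _enforce(bytes_in, bytes_out, lim)
    except ArchiveBomb as exc:
        return Verdict(True, str(exc), bytes_in, bytes_out)
    return Verdict(False, "ok", bytes_in, bytes_out)


def scan_to_tempfile(blob: bytes, lim: Limits,
                     tmpdir: Optional[str] = None) -> Tuple[Verdict, int]:
    """Spool inflated data into a private temp file, as a scanner would.
    NamedTemporaryFile has mkstemp semantics (O_EXCL, mode 0600), so other local
    accounts cannot read the half-inflated content, and the file is unlinked on
    exit whatever the verdict. Returns the verdict and the observed mode bits."""
    with tempfile.NamedTemporaryFile(dir=tmpdir, prefix="avscan-") as tmp:
        verdict = scan_bz2(blob, lim, sink=tmp.write)
        mode = stat.S_IMODE(os.fstat(tmp.fileno()).st_mode)
    return verdict, mode


# Constructed samples (not the advisory's files): 8 MiB of one byte value shrinks
# to a few dozen bytes under bzip2 whatever the byte is; the pseudo-random blob
# is effectively incompressible.
BOMBS = {
    "0x00": bz2.compress(b"\x00" * (8 * 1024 * 1024)),
    "0x31": bz2.compress(b"1" * (8 * 1024 * 1024)),
}
BENIGN = bz2.compress(
    random.Random(42).getrandbits(8 * 256 * 1024).to_bytes(256 * 1024, "big"))

# Assumed policy values, chosen for this example.
LIMITS = Limits(max_expansion_quota=4 * 1024 * 1024,
                min_expansion_quota=128 * 1024,
                max_expansion_factor=500)

if __name__ == "__main__":
    for name, blob in list(BOMBS.items()) + [("benign", BENIGN)]:
        verdict, mode = scan_to_tempfile(blob, LIMITS)
        print(f"{name:7} {len(blob):>7} B in -> {verdict.bytes_out:>8} B out, "
              f"tmp mode {mode:04o}, bomb={verdict.bomb} ({verdict.reason})")
```

Run it directly and both constructed bombs are rejected after a few hundred kilobytes of output, while the incompressible blob passes with a ratio near 1. Because the check watches volume and ratio rather than content, the 0x00 and 0x31 variants are treated identically, which is exactly the property the history above shows was missing when Kaspersky caught only the 0x00 bomb via a pattern update.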
Solutions by vendors:
=====================
Trend Micro released new builds and some knowledge base entries:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18198
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18200
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18219
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=14203
AMaViS team released an advisory
http://www.amavis.org/security/asa-2004-1.txt
Evidence:
=========
Kaspersky Anti-Virus 4.0.2.2 (2GB x 0x31 bzip2 bomb):
-----------------------------------------------------
# /opt/AVP/kavscanner bzip2bomb-2G-0x31.bzip2
+-------------------------------------------------------+
| Kaspersky Anti-Virus for Linux |
| Copyright(C) Kaspersky Lab. 1998-2002 |
| Version 4.0.2.2 |
| |
+-------------------------------------------------------+
Registration info:
Key name Ser. number Price pos. Exp. date Trial
********.key ******************** Kaspersky Anti-Vi... ********* No
Antiviral databases have been loaded. Known records: 80430.
Current object: bzip2bomb-2G-0x31.bzip2
bzip2bomb-2G-0x31.bzip2 archive: BZIP2
bzip2bomb-2G-0x31.bzip2 BZIP2: unknown format.
bzip2bomb-2G-0x31.bzip2 suspicion: Mail Bomb
Scan process completed.
Kaspersky Anti-Virus 4.0.3.0 (10GB x 0x31 bzip2 bomb):
------------------------------------------------------
# /opt/AVP/kavscanner bomb-simple-char-0x31-10G.bin.bz2
+-------------------------------------------------------+
| Kaspersky Anti-Virus for Linux |
| Copyright(C) Kaspersky Lab. 1998-2002 |
| Version 4.0.3.0 |
| |
+-------------------------------------------------------+
Registration info:
Key name Ser. number Price pos. Exp. date Trial
********.key ******************** Kaspersky Anti-Vi... ********* No
Antiviral databases have been loaded. Known records: 80610.
Current object: bomb-simple-char-0x31-10G.bin.bz2
bomb-simple-char-0x31-10G.bin.bz2 archive: BZIP2
kavscanner closed on signal 2.
Killed
Kaspersky Anti-Virus 5.0.1.0 (2GB x 0x00 bzip2 bomb):
-----------------------------------------------------
# /opt/kav/bin/kavscanner bzip2bomb-2G-0x00.bzip2
Kaspersky Virus Scanner for linux. Version 5.0.1.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2003.
There are 80430 records loaded, the latest update 09-01-2004
Config file: /etc/kav/5.0/kav4unix.conf
/path/to/bzip2bomb-2G-0x00.bzip2 INFECTED Trojan.ArchiveBomb.BZip
/path/to/bzip2bomb-2G-0x00.bzip2 CUREFAILED Trojan.ArchiveBomb.BZip
Kaspersky Anti-Virus 5.0.1.0 (2GB x 0x31 bzip2 bomb):
-----------------------------------------------------
# /opt/kav/bin/kavscanner bzip2bomb-2G-0x31.bzip2
Kaspersky Virus Scanner for linux. Version 5.0.1.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2003.
There are 80430 records loaded, the latest update 09-01-2004
Config file: /etc/kav/5.0/kav4unix.conf
/path/to/bzip2bomb-2G-0x31.bzip2 -
...
(would fill up the file system; only a 'kill -9' stops the process)
# ll /tmp/
total 988460
---------- 1 root root 1011187712 Jan 9 13:35 AVP151216b8b4567.tmp
Trend Micro InterScan VirusWall 3.8 Build 1130 (2GB x 0x00 bzip2 bomb):
-----------------------------------------------------------------------
# /opt/trend/ISBASE/IScan.BASE/vscan bzip2bomb-2G-0x00.bzip2
Virus Scanner v3.1, VSAPI v6.510-1002
Trend Micro Inc. 1996,1997
Pattern version 718
Pattern number 57791
bzip2bomb-2G-0x00.bzip2
...
(would fill up the file system, a CTRL-C will stop the process)
# ll /tmp/
-rw-r--r-- 1 root root 1298325000 Jan 9 14:26 V80JJOjsyM2O
Note here also the interesting permissions of the temporary file: 644
(poorly designed: any local account can read the content of the decompressed
file during decompression and scanning)
McAfee Virus Scan for Linux v4.16.0 (2GB x 0x00 bzip2 bomb):
------------------------------------------------------------
# /usr/local/bin/uvscan --version
Virus Scan for Linux v4.16.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Nov 13 2001
Scan engine v4.2.40 for Linux.
Virus data file v4100 created Jan 09 2004
Scanning for 87228 viruses, trojans and variants.
# /usr/local/bin/uvscan --verbose --secure bzip2bomb-2G-0x00.bzip2
Scanning /tmp/bzip2bomb-2G-0x00.bzip2
Scanning file /tmp/bzip2bomb-2G-0x00.bzip2
Killed
(had to kill -9 the process, since CTRL-C didn't work)
McAfee Virus Scan for Linux v4.16.0 (2GB x 0x31 bzip2 bomb):
------------------------------------------------------------
# /usr/local/bin/uvscan --verbose --secure bzip2bomb-2G-0x31.bzip2
Scanning /tmp/bzip2bomb-2G-0x31.bzip2
Scanning file /tmp/bzip2bomb-2G-0x31.bzip2
Killed
(had to kill -9 the process, since CTRL-C didn't work)