Network Security

AERAsec
Network Security
Eigene Advisories


System: Several Anti-Virus Scanner Software, Web browsers, Applications, possibly other software classes
Topic: Possible Denial-of-Service caused by decompression bombs

URLs of this advisory:
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html (HTML)
http://www.aerasec.de/security/advisories/txt/decompressionbomb-overview.txt (short overview in TXT)
See also: ae-200402-006
Decompression bomb vulnerability

Decompression bomb vulnerabilities

(P) & (C) 2004-2009, AERAsec Network Services and Security GmbH
 The information in this advisory may be freely distributed or reproduced,
provided that the advisory is not modified in any way.

Information

It looks like bzip2 bombs (see our advisory: bzip2bomb-antivirusengines) are not the only ones that can cause problems. We found that decompression bombs in general are causing problems. Compression is used in many applications, but only seldom maximum size limits are checked during decompression of untrusted content.

We've created several bombs now and tested not only the decompression unit of antivirus engines.
Examples are available here: ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/
  • simple bombs
    • compressed binaries containing a huge number of the same char (binary value)
  • complex MIME bombs
    • a compressed mailbox containing one e-mail with MIME parts, the last MIME part contains a virus
  • gzip'ed HTML bombs
    • a gzip'ed HTML file, containing a huge amount of spare chars
  • picture bombs
    • a unicolor picture in GIF or PNG format with a very big width and height
  • OpenOffice bombs
    • OpenOffice data ZIP file containing an additional huge file

Bomb size ratios

Type
Used compression
Original size
Compressed size Ratio
simple bomb
gzip'ed gzip'ed gzip (3 stages)
100 GigaByte
5928 Bytes
1.7e7:1
simple bomb gzip'ed gzip (2 stages) 100 GigaByte 233782 Bytes 427748:1
simple bomb gzip 100 GigaByte 97 MegaByte 1000:1
simple bomb bzip2'ed bzip2 100 GigaByte 220 Bytes 4.5e8:1
simple bomb bzip2
100 GigaByte 69745 Bytes 1.6e6:1
PNG picture bomb
deflate
19000 x 19000, 1-bit (45 MB)
expand in 24-bit color to 1 GB
44024 Bytes 1000:1
22e3:1
GIF picture bomb
LZW
6000 x 6000, 8-bit (288 MB)
expand in 24-bit color to 100MB
25527 Bytes 1e4:1
OpenOffice bomb
deflate
100 GigaByte
97 MegaByte
1000:1

Possible impacts

During our investigations we found the following possible impacts:

Reason
System behavior
Impact
Application crashes because of out-of-memory Process usually terminated by kernel Denial-of-Service against application
Application consumes a lot of virtual memory High CPU load, high disk load during paging, no or slow reaction. (On Microsoft Windows systems also increasing of paging file can be triggered) Denial-of-Service against application, also against system because of heavy load
Application crashed because of out-of-disk space Normally after a crash the application doesn't remove the temporary file, system stays in out-of-disk-space state.
Denial-of-Service against application, system itself and other applications

Contents

Contributions

We already received a number of contributions, but there remains a large number of existing applications to be tested.
Feel free to contribute anything that's missing. We can either add it anonymously or with attribution, however you prefer. You can reach us at info at aerasec dot de.

Anti-Virus Scanners

Unless stated otherwise, we define vulnerable to mean that the application may lead to an out-of-memory, out-of-diskspace, or CPU overload state during the dump decompression of untrusted content.



Type of bomb



 bzip2 gzip

Vendor
Product, Version, OS simple
complex
simple
complex
Information
Trend Micro
InterScan Viruswall for
- Linux 3.6 build 1160 and higher
- Solaris 3.6 build 1160 and higher
- Sendmail Switch 3.6 + Patch 2
- Linux 3.8
- Solaris 3.8
- Solaris - CSP 3.6
- AIX 3.6
- HP-UX 3.6
- NT 3.53
vulnerable, but
fix available (7,9)
bomb detection by reaching limit
vulnerable, but
fix available (7,9)
bomb detection by reaching limit
vulnerable, but
fix available (7,9)
bomb detection by reaching limit
vulnerable, but
fix available (7,9)
bomb detection by reaching limit
Trend Micro KB #18198
Trend Micro KB #18200
Trend Micro KB #18219
Trend Micro KB #14203
Config parameters:
[Scan-Configuration]
extract_limit_size=
limit in vscan via command line option:
-E<size><unit>
Network Associates
McAfee Virus Scan
 for Linux v4.1.60 or v4.2.40
vulnerable (a,b) (11)
strangeness (b) (11)
strangeness (b) (6) strangeness (b) (6) For command line scanner use
--timeout <seconds> (documented since 4.3.20)

Kaspersky Labs Kaspersky AntiVirus
 for Linux 4.0.2.2
bomb detection bomb detection bomb detection bomb detection
Kaspersky Labs Kaspersky AntiVirus
 for Linux 4.0.3.0
vulnerable
not vulnerable
(8)
not vulnerable
(2)
not vulnerable
(2)

Kaspersky Labs
Kaspersky AntiVirus
 for Linux 5.0.1.0 (probably all versions since 4.5)
vulnerable
vulnerable not vulnerable, but no warning (1)
vulnerable
FRISK
F-PROT AntiVirus
 for Linux 4.3.2 (Engine 3.14.7)
 for Linux 4.3.4 (Engine 3.14.8)
no bzip2 support
no bzip2 support not vulnerable, but no warning
vulnerable (3)
Memory-only scanner
AMaViS amavis-0.2.x, amavis-0.3.x, amavisd (all versions) vulnerable vulnerable vulnerable vulnerable ASA-2004-1
(currently no solution!)
AMaViS
amavisd-new bomb detection by reaching limit
since version 20021116
bomb detection by reaching limit
since version 20021116
bomb detection by reaching limit
since version 20021116
bomb detection by reaching limit
since version 20021116
ASA-2004-1
Config parameters:
$MAXLEVELS
$MAXFILES
$MIN_EXPANSION_QUOTA
$MAX_EXPANSION_QUOTA
$MIN_EXPANSION_FACTOR
$MAX_EXPANSION_FACTOR

AMaViS amavis-ng bomb detection by reaching limit bomb detection by reaching limit bomb detection by reaching limit bomb detection by reaching limit ASA-2004-1
Config parameters:
maxspace

SOFTWIN
bitdefender/Linux-Console v7.0
not vulnerable, but no warning not vulnerable,but see (4)
not vulnerable, but no warning
not vulnerable, but see (4)

Sophos
Sweep Version 3.77, Januar 2004 [Linux/Intel]
vulnerable (b) (5,12) vulnerable (b) (5)
still untested not vulnerable, but no virus found
H+BEDV
Central Command
AntiVir / Linux Version 2.0.9-6
Vexira
not vulnerable by reaching limit (b) (7,10)
still untested not vulnerable by reaching limit (b) (7,10) not vulnerable by reaching limit (b) (7,10) posting on postfix maillist regarding Vexira
Config parameters (AvMailGate)
MaxFilesizeInArchive

Notes

  1. Stops scanning a 10 GByte gzip'ed gzip after 1.3 GB
  2. Reports "GZIP: unknown format" (0x31-10G) or  "packed: MIME.Broken" (0x31-1G)
  3. Process was terminated by kernel: "Out of Memory: Killed process"
  4. Virus was not detected after 10 MB or more spare part size
  5. Crashes with segmentation fault after both tmp-files reach size of approx. 2 GB
  6. Time limit is reached during decompression without a proper report to the user
  7. Temporary files in /tmp have permissions 644 (o+r), can be fixed by settting proper umask (077) before calling binary
  8. Reports "I/O error" (100GB)
  9. Exit code of vscan is 0 in case of reaching decompression size limit or archive beeing encrypted (e.g. ZIP password protection), only 1 in case a virus was found
  10. Reports "...extract error (File size limit reached.)", but exit code is 0 (zero)
  11. Reports "is corrupted." when scanning the 10 or 100 GB file
  12. Running with "unset LANG" it reports "unexpected error" and terminates with exit code 2 ("If some error preventing further execution is discovered."), using additonal option -eec for extended error codes it reports 8 ("If survivable errors have occurred.")

Contributions by

  1. Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
  2. AMaVis team

Used command line switches

Vendor Product
Executable
Used options
FRISK F-PROT AntiVirus for Linux
f-prot
-archive -all -packed
SOFTWIN bitdefender for Linux
bdc
--arc --files --mail --all
Trend Micro InterScan Viruswall for Linux
vscan
-za -E1G
Network Associates
McAfee Virus Scan for Linux uvscan
--mailbox --mime --unzip
Sophos Sweep Version sweep
-f -all -archive


Web browsers

HTML Decompression bombs can also be sent to web browser, should gzip transfer encoding be supported.
See here for some small examples: html-bomb/examples.

Unless stated otherwise, we define vulnerable to mean that the application may lead to an out-of-memory, out-of-diskspace, or CPU overload state during the dump decompression of untrusted content.



Type of bomb

Vendor
Product, Version, OS gzip'ed HTML
GIF
PNG Information
Mozilla
Mozilla
1.4/Windows
vulnerable
very busy during decompression
eats all virtual memory
100M displayed
100M displayed,
1G not displayed, but no crash
Bugzilla#233262
Mozilla Mozilla
1.5/Linux
still untested still untested
vulnerable (a)
crashes on 1G

Mozilla Mozilla
1.6/Linux
vulnerable (c)
process killed after reaching virtual memory limit (1G)
100M ok
vulnerable (c)
process killed rather soon

Mozilla Mozilla
1.6/Win32
safe (c) (2)

100M ok
strangeness (c) (3)

Opera
Opera
7.23 Build 3227/Windows
vulnerable
killed after reaching limit of available virtual memory during decompression
100M ok
vulnerable
crashes on 1G

Opera
Opera
7.23 Build 518 /Linux
still untested 100M ok
vulnerable
crashes on 1G

Microsoft
Internet Explorer
6.0.2800.1106
restarting during decompression (100M)
Microsoft Internet Explorer restart message during decompression of gzip'ed HTML
safe, but
100M was not displayed
safe,
error messages were displayed


Microsoft Internet Explorer
5.00.3700.1000
rendering problems after
reaching the virtual memory limit
safe, but
100M was not displayed
not supported
KDE
Konqueror
3.1.5/Linux
still untested
vulnerable (b)
crashes on 100M (1)

still untested


Notes

  1. Process was terminated by kernel: "Out of Memory: Killed process"
  2. 99% CPU load and 1.5GB memory allocation
  3. Recognices the picture size (scroll bars are shown), but no content is displayed

Contributions by

  1. AMaVis team
  2. Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
  3. Martin Kirst, TU Chemitz

Additional comments

  • Browsers in SmartPhones or PDAs:
    • Currenty, we have no reports whether browsers in smartphones or PDAs are vulnerable, too. Since they generally do not have much physical memory, and data is probably compressed over the low bitrate connection, their vulnerability is to be expected.

Other applications

We currently haven't tested any other applications. Every application that uses compressed data is potentially vulnerable, unless it has a sane
maximum limit for decompression. Otherwise, working with content from untrusted sources can yield to denial-of-service.

Currently related available bombs:
We started here a collection:




Possible impact on bombs

Vendor
Product, Version, OS Compression usage
ZIP
GZIP
BZIP2
GIF
PNG Information
OpenOffice.org
OpenOffice.org 1.1.0/Windows
Storage file is a ZIP, containing documents, styles, pictures...
vulnerable (1)
n.a. n.a. safe, but heavy load during decompression  (100M) save, but heavy load during decompression  (1G)

The GIMP
The GIMP for Windows 1.2.4
GIF and PNG related ones
n.a. n.a. n.a. safe (100M)
heavy load, causes an unknown software exception (screenshot)

The GIMP
The GIMP for Linux 1.2.5
GIF and PNG related ones
n.a. n.a. n.a. safe (100M)
heavy load, causes system overload (2)

The GIMP The GIMP for Windows 2.0-pre2 GIF and PNG related ones n.a. n.a. n.a. safe (100M)
heavy load

Unknown Unknown SOAP client
gzip'ed XML
n.a.
still untested
n.a. n.a.
n.a.
Results would be interesting...

Notes

  1. On Microsoft Windows, out-of-disc space occurs in user's TEMP folder (usually resides on C:) in case of the OpenOffice-Bomb
  2. The Gimp sent X into an unusable state after running out of disk space, the machine had to be rebooted.

History & Credits

History of this page

  • 2004-01-16: first version
  • 2004-01-19: extend information
  • 2004-01-20: add AMaViS information and result of further investigations
  • 2004-01-21: result of further investigations
  • 2004-01-27: review, minor adds of further investigations
  • 2004-01-28: add an additional workaround
  • 2004-02-03: finalizing before publishing
  • 2004-02-04: minor fix
  • 2004-02-09: add contributions for Mozilla, add hint for NAI uvscan
  • 2004-02-10: add (same) result of new version of FRISK's f-prot
  • 2004-07-12: add URL to similar issue of WinRAR in history

History of this issue itself

  • early '90s: ARC/LZH/ZIP/RAR-Bombs were used in DoS of Fidonet systems
  • 2002-01-01: Paul L. Daniels publishes first version of 'arbomb' (Archive "Bomb" detection utility)
  • 2003-08-29: Posting by Steve Wray on mailinglist FullDisclosure mentions a bzip2 bomb
  • 2003-09-01: AERAsec found that some antivirus software is vulnerable against the posted bzip2 bomb
  • 2003-09-09: Bipin Gautam found similar problem in WinRAR and others (SecurityFocus#8572, BugTraq e-mail, Bipin Gautam's advisories)
  • 2004-01-09: Publishing of the advisory bzip2bomb-antivirusengines
  • 2004-01-15: Investigation of gzip'ed HTML and PNG/GIF bombs
  • 2004-02-03: Publishing of this advisory

Author

  • Dr. Peter Bieringer, AERAsec Network Services and Security GmbH

Credits

  • Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
    • Reporting some test results
  • Harald Geiger, AERAsec Network Services and Security GmbH
    • Reporting some test results
  • AMaVis team
    • Reporting test results
  • Martin F. Krafft
    • Review of this adivsory
  • Martin Kirst, TU Chemitz
    • Reporting test results