Topic: bzip2 bomb vulnerability of antivirus decompression engines

(P) & (C) 2004-2008 AERAsec Network Services and Security GmbH

The information in this advisory may be freely distributed or reproduced,
provided that the advisory is not modified in any way.

Main URLs:
==========
http://www.aerasec.de/
http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt
http://www.aerasec.de/security/advisories/bzip2bomb-antivirusengines.html
http://www.aerasec.de/security/index.html?id=ae-200401-020

bzip2 bomb examples (disarmed versions, see README how to arm):
ftp://ftp.aerasec.de/pub/advisories/bzip2bomb/

http://msgs.securepoint.com/cgi-bin/get/bugtraq0401/70.html
http://lists.netsys.com/pipermail/full-disclosure/2004-January/015420.html
http://www.heise.de/newsticker/data/dab-13.01.04-000/

Contact:
========
Via e-mail: info at aerasec dot de

URLs for further information:
=============================
http://lists.netsys.com/pipermail/full-disclosure/2003-August/009255.html
http://www.linux-community.de/Neues/story?storyid=11213&commentid=40051&order=location#40051 (in German)
http://www.pldaniels.org/arbomb/
http://freshmeat.net/projects/arbomb/
http://www.ijs.si/software/amavisd/

Affected versions:
==================
* kavscanner of Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.0.3.0)
* vscan of Trend Micro InterScan VirusWall 3.8 Build 1130 (probably other versions, too)
* uvscan of McAfee Virus Scan for Linux v4.16.0 (probably other versions, too)
* AMaViS 0.2.x/0.3.x, amavisd below amavisd-new-20021116, amavis-ng

Perhaps software from other vendors, too.

Vulnerability:
==============
The scanners mentioned above are still vulnerable to bzip2 bombs.

Normally, every antivirus software is able to scan inside archives for viruses. To do so, it extracts the archive before scanning, using a decompression engine (mostly built-in).
Many of these decompression engines have a recursion-level limit, but very few have a maximum output-size limit or smart code for anomaly detection.

Impact:
=======
Because most decompression engines store the decompressed file on the local filesystem (mostly /tmp), this can lead to a denial of service (DoS):
- No space left on the filesystem where /tmp resides, e.g.
    / filesystem (in case /tmp isn't located on a dedicated partition)
    /var filesystem (in case /tmp is soft-linked to /var/tmp and /var is located on a dedicated partition)
- High CPU usage during decompression
- No further scanning capabilities (because of the full filesystem)
- System lock-down because of the full filesystem

Main author:
============
Dr. Peter Bieringer, AERAsec Network Services and Security GmbH

Credits:
========
Steve Wray for bringing up this issue in August 2003 on FullDisclosure
Harald Geiger, AERAsec Network Services and Security GmbH, for the idea of testing a bzip2 file containing chars other than 0x00
Ralf Hildebrandt, Charite - Universitätsmedizin Berlin, for testing bzip2 bombs on McAfee Virus Scan for Linux
AMaViS team for sending a note

History of the issue itself:
============================
early '90s: ARC/LZH/ZIP/RAR bombs were used in DoS of Fidonet systems
2002-01-01: Paul L. Daniels publishes first version of 'arbomb' (Archive "Bomb" detection utility)
2002-10-17: Paul L. Daniels publishes currently last available version of 'arbomb'
2003-08-29: Posting by Steve Wray on mailing list FullDisclosure mentions a bzip2 bomb problem in general and provides an example
2003-09-01: Found that Kaspersky AntiVirus software version 4.5.0.0 is vulnerable to the posted bzip2 bomb (vendor notified)
            Also confirmed that 4.0.2.2 is NOT vulnerable
2003-09-29: Found that Kaspersky AntiVirus software version 5.0.0.0 is vulnerable to the posted bzip2 bomb (vendor notified)
2003-11-11: Kaspersky AV 5.0 now detects the posted bzip2 bomb
2004-01-09: Analysed the posted bzip2 bomb and found that the original uncompressed file is around 2 Gigabyte of zeros (0x00)
            Because Kaspersky AntiVirus software detected the bomb after a pattern update and not by adding smart code to the decompression engine, a newly created bzip2 bomb containing 2 Gigabyte of ASCII '1' (0x31) was tested.
            Found that Kaspersky AntiVirus software version 5.0.1.0 is vulnerable to the 2 GB x 0x31 bzip2 bomb (vendor notified)
            Also confirmed that 4.0.2.2 is NOT vulnerable to this new bzip2 bomb.
            Also found that Trend Micro InterScan VirusWall 3.8 build 1130 is vulnerable to both bzip2 bombs
            Also found that McAfee Virus Scan for Linux v4.16.0 is vulnerable to both bzip2 bombs
            Publishing of this advisory on FullDisclosure and BugTraq
2004-01-16: Further investigations show that Kaspersky 4.0.3.0 handles bzip2 bombs differently and no longer detects them (as 4.0.2.2 did before)
2004-01-20: Noted that some versions of AMaViS are also vulnerable

History of the advisory:
========================
2004-01-09: Initial release
2004-01-10: Cosmetic changes, add a note about the not well-designed permissions of the temporary file created by Trend Micro's "vscan"
2004-01-12: Add URL of 'arbomb' and FullDisclosure and BugTraq postings
            Minor syntax review
2004-01-13: Add URL of Heise Newsticker posting
            Add URL and useful parameters of amavisd-new
2004-01-15: Add URL to Trend Micro knowledgebase entry regarding this issue
2004-01-16: Update information about Kaspersky because of investigations of version 4.0.3.0
            Extend history of issue
2004-01-20: Add URL to AMaViS advisory

Possible workaround:
====================
Using the decompression engine of amavisd-new with the limits available in amavisd-new would help.
See the following parameters for more: $MAXLEVELS, $MAXFILES, $MIN_EXPANSION_QUOTA, $MAX_EXPANSION_QUOTA, $MIN_EXPANSION_FACTOR, $MAX_EXPANSION_FACTOR

Solutions by vendors:
=====================
Trend Micro released new builds and some knowledge base entries:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18198
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18200
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=18219
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=14203

AMaViS team released an advisory:
http://www.amavis.org/security/asa-2004-1.txt

Evidence:
=========
Kaspersky Anti-Virus 4.0.2.2 (2GB x 0x31 bzip2 bomb):
-----------------------------------------------------
# /opt/AVP/kavscanner bzip2bomb-2G-0x31.bzip2
+-------------------------------------------------------+
| Kaspersky Anti-Virus for Linux                        |
| Copyright(C) Kaspersky Lab. 1998-2002                 |
| Version 4.0.2.2                                       |
|                                                       |
+-------------------------------------------------------+
Registration info:
Key name      Ser. number           Price pos.            Exp. date   Trial
********.key  ********************  Kaspersky Anti-Vi...  *********   No
Antiviral databases have been loaded. Known records: 80430.
Current object: bzip2bomb-2G-0x31.bzip2
bzip2bomb-2G-0x31.bzip2  archive: BZIP2
bzip2bomb-2G-0x31.bzip2  BZIP2: unknown format.
bzip2bomb-2G-0x31.bzip2  suspicion: Mail Bomb
Scan process completed.

Kaspersky Anti-Virus 4.0.3.0 (10GB x 0x31 bzip2 bomb):
------------------------------------------------------
# /opt/AVP/kavscanner bomb-simple-char-0x31-10G.bin.bz2
+-------------------------------------------------------+
| Kaspersky Anti-Virus for Linux                        |
| Copyright(C) Kaspersky Lab. 1998-2002                 |
| Version 4.0.3.0                                       |
|                                                       |
+-------------------------------------------------------+
Registration info:
Key name      Ser. number           Price pos.            Exp. date   Trial
********.key  ********************  Kaspersky Anti-Vi...  *********   No
Antiviral databases have been loaded. Known records: 80610.
Current object: bomb-simple-char-0x31-10G.bin.bz2
bomb-simple-char-0x31-10G.bin.bz2  archive: BZIP2
kavscanner closed on signal 2.
Killed

Kaspersky Anti-Virus 5.0.1.0 (2GB x 0x00 bzip2 bomb):
-----------------------------------------------------
# /opt/kav/bin/kavscanner bzip2bomb-2G-0x00.bzip2
Kaspersky Virus Scanner for linux. Version 5.0.1.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2003.
There are 80430 records loaded, the latest update 09-01-2004
Config file: /etc/kav/5.0/kav4unix.conf
/path/to/bzip2bomb-2G-0x00.bzip2  INFECTED Trojan.ArchiveBomb.BZip
/path/to/bzip2bomb-2G-0x00.bzip2  CUREFAILED Trojan.ArchiveBomb.BZip

Kaspersky Anti-Virus 5.0.1.0 (2GB x 0x31 bzip2 bomb):
-----------------------------------------------------
# /opt/kav/bin/kavscanner bzip2bomb-2G-0x31.bzip2
Kaspersky Virus Scanner for linux. Version 5.0.1.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2003.
There are 80430 records loaded, the latest update 09-01-2004
Config file: /etc/kav/5.0/kav4unix.conf
/path/to/bzip2bomb-2G-0x31.bzip2 - ...
(would fill up the file system; only a 'kill -9' will stop the process)

# ll /tmp/
total 988460
----------    1 root     root     1011187712 Jan  9 13:35 AVP151216b8b4567.tmp

Trend Micro InterScan VirusWall 3.8 Build 1130 (2GB x 0x00 bzip2 bomb):
-----------------------------------------------------------------------
# /opt/trend/ISBASE/IScan.BASE/vscan bzip2bomb-2G-0x00.bzip2
Virus Scanner v3.1, VSAPI v6.510-1002
Trend Micro Inc. 1996,1997
Pattern version 718
Pattern number 57791
bzip2bomb-2G-0x00.bzip2 ...
(would fill up the file system; a CTRL-C will stop the process)

# ll /tmp/
-rw-r--r--    1 root     root     1298325000 Jan  9 14:26 V80JJOjsyM2O

Note here also the interesting permissions of the temporary file: 644 (not well designed: any local account can read the content of the decompressed file during decompression and scanning).

McAfee Virus Scan for Linux v4.16.0 (2GB x 0x00 bzip2 bomb):
------------------------------------------------------------
# /usr/local/bin/uvscan --version
Virus Scan for Linux v4.16.0
Copyright (c) 1992-2003 Networks Associates Technology Inc.
All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 13 2001
Scan engine v4.2.40 for Linux.
Virus data file v4100 created Jan 09 2004
Scanning for 87228 viruses, trojans and variants.

# /usr/local/bin/uvscan --verbose --secure bzip2bomb-2G-0x00.bzip2
Scanning /tmp/bzip2bomb-2G-0x00.bzip2
Scanning file /tmp/bzip2bomb-2G-0x00.bzip2
Killed
(had to kill -9 the process, since CTRL-C didn't work)

McAfee Virus Scan for Linux v4.16.0 (2GB x 0x31 bzip2 bomb):
------------------------------------------------------------
# /usr/local/bin/uvscan --verbose --secure bzip2bomb-2G-0x31.bzip2
Scanning /tmp/bzip2bomb-2G-0x31.bzip2
Scanning file /tmp/bzip2bomb-2G-0x31.bzip2
Killed
(had to kill -9 the process, since CTRL-C didn't work)
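Added worked example (not part of the advisory, and not code from Kaspersky, Trend Micro, McAfee or the AMaViS project):
==========================================================================================================================
The following Python script shows the check that the Vulnerability section says most engines lack, and the kind of expansion limit the Possible workaround section points to: it decompresses a bzip2 stream into a temporary file through a fixed output quota and an expansion-factor limit, and aborts (removing the file) the moment the output would exceed the allowed size, so a bomb can never fill /tmp. The sample bomb is constructed in-process (16 MiB of 0x31, a scaled-down stand-in for the 2 GB files above, not one of the files from ftp.aerasec.de). The policy in allowed_output_size() borrows the amavisd-new parameter names only as an assumption about their intent; it is not a reimplementation of amavisd-new's actual rules. The temporary file is created with tempfile.mkstemp(), which gives it mode 0600, in contrast to the 644 file shown for vscan above.

```python
"""Bounded bzip2 decompression with an expansion quota (added example)."""
import bz2
import os
import tempfile


class ExpansionLimitExceeded(Exception):
    """Raised as soon as the decompressed output would exceed the allowed size."""


def make_bomb(size=16 * 1024 * 1024, byte=b"1"):
    """Constructed sample input: `size` bytes of one repeated byte (0x31 by
    default), bzip2-compressed in memory.  A scaled-down stand-in for the
    advisory's 2 GB bombs, not one of the advisory's files."""
    return bz2.compress(byte * size)


def allowed_output_size(compressed_size, max_quota, max_factor, min_quota):
    """Assumed policy (modelled loosely on the amavisd-new parameter names, not a
    reimplementation of amavisd-new): output up to min_quota is always allowed,
    output above max_quota never is, and in between the compressed input may
    expand at most max_factor times."""
    return max(min_quota, min(max_quota, max_factor * compressed_size))


def bounded_bunzip2(data, max_quota=300 * 1024 * 1024, max_factor=500,
                    min_quota=100 * 1024, chunk=64 * 1024, tmpdir=None):
    """Decompress one bzip2 stream into a temporary file, aborting and removing
    the file the moment the output exceeds the allowed size.

    Returns (path, bytes_written) on success.  tempfile.mkstemp() creates the
    file with mode 0600, so other local accounts cannot read the decompressed
    content while it is being scanned.
    """
    limit = allowed_output_size(len(data), max_quota, max_factor, min_quota)
    dec = bz2.BZ2Decompressor()
    fd, path = tempfile.mkstemp(prefix="avscan-", dir=tmpdir)
    written = 0
    try:
        with os.fdopen(fd, "wb") as out:
            pending = data  # the whole input is handed over on the first call
            while not dec.eof:
                # max_length caps the output per call; unconsumed input stays
                # buffered inside the decompressor, so memory use is bounded too.
                piece = dec.decompress(pending, max_length=chunk)
                pending = b""
                written += len(piece)
                if written > limit:
                    raise ExpansionLimitExceeded(
                        "output exceeded %d bytes from %d compressed bytes"
                        % (limit, len(data)))
                out.write(piece)
                if not dec.eof and dec.needs_input:
                    raise ValueError("truncated bzip2 stream")
    except BaseException:
        os.unlink(path)  # never leave a partially expanded bomb behind
        raise
    return path, written


if __name__ == "__main__":
    bomb = make_bomb()
    print("constructed bomb: %d compressed bytes" % len(bomb))
    try:
        bounded_bunzip2(bomb)
    except ExpansionLimitExceeded as e:
        print("rejected:", e)
```

Run directly, the constructed bomb is rejected after roughly 100 KiB of output, whereas a bzip2 stream of 50 KiB of random bytes passes unchanged. The limit is checked before each chunk reaches disk, so the on-disk footprint never exceeds the quota by more than one chunk, and a truncated stream is reported instead of spinning forever.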