Topic: decompression bomb vulnerabilities in antivirus engines, web browsers
       and several other applications

******** this is only an OVERVIEW advisory ************************************
See here for the full version (HTML only) containing much more information and
a matrix with tests and results:
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
******** this is only an overview advisory ************************************

(P) & (C) 2004-2008 AERAsec Network Services and Security GmbH

The information in this advisory may be freely distributed or reproduced,
provided that the advisory is not modified in any way.

Main URLs:
==========
http://www.aerasec.de/
http://www.aerasec.de/security/advisories/txt/decompressionbomb-overview.txt
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
http://www.aerasec.de/security/index.html?id=ae-200402-006
ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/

Contact:
========
Via e-mail: info at aerasec dot de

URLs for further information:
=============================
(currently none)

Affected versions:
==================

Antivirus engines:
------------------
* kavscanner
  Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.0.3.0)
* vscan [fix already available]
  Trend Micro InterScan VirusWall 3.8 Build 1130
* uvscan
  Network Associates McAfee Virus Scan for Linux v4.16.0
* AMaViS 0.2.x/0.3.x, amavisd below amavisd-new-20021116
* f-prot
  FRISK F-PROT AntiVirus for Linux 4.3.2
* bdc
  SOFTWIN bitdefender/Linux-Console v7.0
* sweep
  Sophos Sweep Version 3.77

Perhaps other versions and software from other vendors, too.

Web browsers:
-------------
* Mozilla 1.4/Windows, 1.5/Linux
* Opera 7.23 Build 3227/Windows, 7.23 Build 518/Linux
* Internet Explorer
  Microsoft IE 6.0.2800.1106 & 5.00.3700.1000
* KDE Konqueror 3.1.5/Linux

Perhaps other versions and software from other vendors, too.
Other applications:
-------------------
* OpenOffice.org 1.1.0/Windows
* The GIMP for Windows 1.2.4 & 2.0pre2, for Linux 1.2.5

Perhaps other versions and software from other vendors, too. Especially SOAP
clients expecting gzip'ed XML would be candidates to check.

Vulnerability:
==============
The applications above are, in a general way, vulnerable to decompression
bombs, either simple ones or more complex ones. It looks like currently only a
few applications check the maximum allowed size during decompression and
report a proper error/warning message. The others suffer the impacts shown
below.

Impact:
=======
We've created several special bombs and tested the impact:

- simple bombs
  * compressed binaries containing a huge amount of the same char (binary
    value)
- complex MIME bombs
  * a compressed mailbox containing one e-mail with MIME parts, the last MIME
    part contains a virus
- gzip'ed HTML bombs
  * serving a gzip'ed HTML file, containing a huge amount of spare chars
- picture bombs
  * very big in pixels unicolor picture in GIF or PNG format
- OpenOffice bombs
  * OpenOffice data ZIP file containing an additional huge file

While "simple bombs" and "complex MIME bombs" were tested on several antivirus
engines, "gzip'ed HTML bombs" and "picture bombs" were served by a web server.
"OpenOffice bombs" were tested locally.

These bombs usually lead to one of the following impacts:

- No space on the filesystem where the temporary directory resides
- Heavy usage of virtual memory
- High CPU usage during decompression
- Crash of the application
- System lock-down because of a full filesystem
- Unusable system because of heavy swapping activity

Main author:
============
Dr. Peter Bieringer, AERAsec Network Services and Security GmbH

Credits:
========
Steve Wray for bringing up the bzip2 bomb issue again in August 2003 on
FullDisclosure
Harald Geiger, AERAsec Network Services and Security GmbH for reporting test
results
Ralf Hildebrandt, Charite - Universitätsmedizin Berlin for reporting test
results
AMaViS team for reporting test results

History of the issue itself:
============================
early '90s: ARC/LZH/ZIP/RAR-Bombs were used in DoS of Fidonet systems
2002-01-01: Paul L. Daniels publishes first version of 'arbomb' (Archive
            "Bomb" detection utility)
2002-10-17: Paul L. Daniels publishes currently last available version of
            'arbomb'
2003-08-29: Posting by Steve Wray on mailing list FullDisclosure mentions a
            bzip2 bomb problem in general and provides an example
2003-09-01: Found that some antivirus software is vulnerable to the posted
            bzip2 bomb
2004-01-09: Publishing of the advisory "bzip2bomb-antivirusengines"
2004-01-15: Investigation of gzip'ed HTML and PNG/GIF bombs
2004-02-03: Publishing of this advisory

History of the advisory:
========================
2004-01-20: Initial release
2004-02-03: Update for publishing
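The check the Vulnerability section above says most of the tested applications lack, as an added example that is not part of the advisory or of any vendor's product: a gzip reader that inflates in bounded chunks and refuses the input as soon as the output passes an absolute size cap or a compression ratio, tried against a constructed "simple bomb" (many copies of the same byte) and a small legitimate file. The cap values and the names bounded_gunzip, is_bomb, MAX_OUTPUT_BYTES and MAX_RATIO are assumptions for this illustration.

```python
import gzip
import io

# Caps a defensive decompressor enforces (assumed values for this example; a
# real deployment sizes them to the data it legitimately expects to receive).
MAX_OUTPUT_BYTES = 4 * 1024 * 1024   # never inflate more than 4 MiB in total
MAX_RATIO = 200                      # never inflate more than 200x the input
CHUNK = 64 * 1024                    # inflate in 64 KiB steps, check after each


class DecompressionBombError(Exception):
    """Raised as soon as a cap is exceeded, before the rest is inflated."""


def bounded_gunzip(data: bytes, max_out: int = MAX_OUTPUT_BYTES,
                   max_ratio: int = MAX_RATIO) -> bytes:
    """Decompress gzip data, aborting on the first chunk that breaks a cap.

    Reading through GzipFile in fixed-size chunks means at most one CHUNK
    beyond the cap is ever produced, so a bomb can fill neither memory nor a
    temporary directory, whatever its decompressed size would have been.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        while chunk := gz.read(CHUNK):
            out += chunk
            if len(out) > max_out:
                raise DecompressionBombError(
                    f"output exceeds {max_out} bytes from {len(data)} input bytes")
            if len(out) > max_ratio * len(data):
                raise DecompressionBombError(
                    f"ratio exceeds {max_ratio}:1 after {len(out)} output bytes")
    return bytes(out)


def is_bomb(data: bytes) -> bool:
    """True if the bounded reader refuses the input."""
    try:
        bounded_gunzip(data)
    except DecompressionBombError:
        return True
    return False


# Constructed inputs: a simple bomb (16 MiB of one byte value, roughly 16 KiB
# compressed) and a small legitimate gzip'ed HTML file.
BOMB = gzip.compress(b"\x00" * (16 * 1024 * 1024), compresslevel=9)
LEGIT_PLAIN = b"<html><body>hello</body></html>\n" * 100
LEGIT = gzip.compress(LEGIT_PLAIN)

if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes compressed, rejected={is_bomb(BOMB)}")
    print(f"legit: {len(LEGIT)} -> {len(bounded_gunzip(LEGIT))} bytes, "
          f"rejected={is_bomb(LEGIT)}")
```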