[Fwd: Anti Virus Mailscanners DOS]

Julian Field jkf at ecs.soton.ac.uk
Tue Feb 26 09:02:55 GMT 2002

At 08:48 26/02/2002, you wrote:
>Does MailScanner check for this DOS ?

Yes, it will handle this (I tried it a long time ago). The process of
expanding (and scanning) the compressed archive will take a very long time
in an attempt to stop the virus scanning returning to its calling program.
This will trigger the timeout code in MailScanner, causing it to abort the
scan. This is precisely the reason that MailScanner has timeout code, just
to cope with DoS attacks like this.

I've got a copy of the "Zip of Death", which expands from 42,374 bytes to
49,000 Tbytes. MailScanner handles this fine.

>Date: Mon, 25 Feb 2002 16:29:02 -0300
>From: "Eduardo R. Maciel" <maciel at inetd.com.br>
>To: bugtraq at securityfocus.com
>Cc: vuldb at securityfocus.com,
>    Renato LinuxSecurity <renato at linuxsecurity.com.br>
>Subject: Anti Virus Mailscanners DOS
>iNetd Security Research Announcement
>Name: Anti Virus Mailscanners DOS
>Systems Affected: System independent
>Date: 25/02/2002
>Subject: Potential DOS.
>Severity: HIGH
>Author: Eduardo R. Maciel (maciel at inetd.com.br)
>An antivirus mailscanner should check the filesizes inside a compressed
>file like .tar.gz, .zip, .bz2, etc, BEFORE opening the file for scanning.
>All the products that don't do that checking are vulnerable to a Denial
>Of Service attack.
>Pay attention to the procedure below:
>root at maciel:/tmp# dd if=/dev/zero of=/tmp/file count=200000
>root at maciel:/tmp# ls -l /tmp/file
>-rw-r--r--      1 root  root    102400000 Feb 24 22:13 file
>root at maciel:/tmp# bzip2 -z file
>root at maciel:/tmp# ls -l /tmp/file.bz2
>rw-r--r--       1 root  root    113 Feb 24 22:14 file
>Since the file has only null (numerical zeros, not the ASCII kind)
>characters, the size of the compressed file was reduced to an almost
>insignificant value.
>Sending several mails with these compressed files may let a machine out of
>memory or disk space.
>         The mailscanner should check the filesizes inside a compressed file.
>         Eduardo R. Maciel
>         maciel at inetd.com.br

Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
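
The two defences discussed in this thread, a size check before expansion and a hard limit on the expansion itself, shown as an added Python example that is not MailScanner's code and not part of the original messages. The function names, limits and sample data are assumptions made for illustration; the sample archives are constructed in the script from zero bytes.

```python
import bz2, io, time, zipfile

class ScanLimitExceeded(Exception):
    """Raised when an attachment exceeds the (assumed) scan policy."""

def zip_declared_size(data, max_bytes):
    """Pre-check: sum the uncompressed sizes declared in the zip directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        total = sum(info.file_size for info in zf.infolist())
    if total > max_bytes:
        raise ScanLimitExceeded(f"zip declares {total} bytes, limit {max_bytes}")
    return total

def bounded_bunzip2(data, max_bytes, max_seconds, chunk=64 * 1024):
    """bzip2 has no size field, so expand in chunks under byte and time caps."""
    dec = bz2.BZ2Decompressor()          # handles a single bzip2 stream
    deadline = time.monotonic() + max_seconds
    total, pending = 0, data
    while not dec.eof:
        out = dec.decompress(pending, max_length=chunk)
        pending = b""                    # remaining input is buffered inside dec
        total += len(out)                # a real scanner would scan `out` here
        if total > max_bytes:
            raise ScanLimitExceeded(f"expanded past {max_bytes} bytes")
        if time.monotonic() >= deadline:
            raise ScanLimitExceeded(f"expansion exceeded {max_seconds}s")
        if not out and dec.needs_input:
            raise ValueError("truncated bzip2 stream")
    return total

def make_samples(size=5_000_000):
    """Constructed inputs: `size` zero bytes as .bz2 and inside a .zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", bytes(size))
    return bz2.compress(bytes(size)), buf.getvalue()

if __name__ == "__main__":
    bz, zp = make_samples()
    print(len(bz), "bytes of bzip2 ->", bounded_bunzip2(bz, 10_000_000, 5.0))
    try:
        zip_declared_size(zp, 1_000_000)
    except ScanLimitExceeded as exc:
        print("rejected:", exc)
```

Sizes declared in a zip directory are supplied by whoever built the archive, so the pre-check complements the bounded expansion and does not replace it.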
