From: bill_weissatt.net
Date: Sun Jun 24 2001 - 02:10:59 CDT

    Aycan Irican (aycanmars.prosoft.com.tr) Sat, Jun 23, 2001 at 10:50:14AM +0300:
    >
    >
    > On Thu, 21 Jun 2001, Robert Davidson Security wrote:
    >
    > > On Tue, Jun 19, 2001 at 08:53:54PM +0200, Michel Arboi wrote:
    > > > --- Markus 'FvD' Weber <fvdira.uka.de> a écrit :
    > > > > There is 42.zip out there, 42K total size, which consists of
    > > > > nested zip's and at the end a 4GB file (IIRC 6 levels deep,
    > > > > each level 17 'wide') ... kills most email virus checker.
    > > >
    > > > I did not know it existed. Altavista found this on
    > > > http://www.hanau.net/fgk/downloads/42.zip
    > > >
    > > > Why is this kind of attack not more common? I suspect that most filters
    > > > are vulnerable and yet, they are not listed as such (e.g. on
    > > > securityfocus). And companies continue to use them.
    > >
    > > This used to be really common with BBS's back in their day. The idea
    > > back then was to get a 1Gb file full of null characters, compress it
    > > and upload it to the BBS, that way when the BBS's virus scanner (which
    > > also uncompressed the file) attempted to check the archive for viruses,
    > > it would either 1) consume all disk space, 2) keep the system busy for
    > > ages (some people ran 386's and 486's back then). The normal thing a
    > > user would do is upload the file and then hang up, which also leaves
    > > that dial-up line off-line while the virus scanner is checking the
    > > contents of the archive.
    > >
    > > --
    > > Regards,
    > > Robert Davidson.
    > >
    >
    > oh yes, the old days ...I used pcboard on my BBS and the pfed file
    > integrity checker can run any batch job when a line starts with ''.
    > It's an old vulnerability I know.
    >
    > Maybe we should put disk quota for the user that runs virus scanner
    > thingy.
    >

    There's a thought.

    Why not just use proc/mem limits to keep it from overrunning the box?
    Sure, email delivery time goes to hell, but it could fork off other jobs,
    do the massive compress thing slowly.
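
Added example, not part of the original message or of any scanner's own code: one way to apply the process and memory limits suggested above, by running the unpack step in a child process with CPU, address-space and file-size ceilings. The `UNPACK` script is a hypothetical stand-in for a scanner's decompressor, the limit values are assumptions, and the sample archive is constructed locally from null bytes.

```python
import os, resource, subprocess, sys, tempfile, zlib

def _cap(kind, value):
    # Lower soft and hard limit together, never above the inherited hard limit.
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))

def run_limited(argv, cpu_s=5, mem_bytes=1 << 30, file_bytes=1 << 20, wall_s=30):
    """Run argv with CPU, address-space and per-file size ceilings (assumed values)."""
    def apply_limits():  # runs in the child between fork() and exec()
        _cap(resource.RLIMIT_CPU, cpu_s)
        _cap(resource.RLIMIT_AS, mem_bytes)
        _cap(resource.RLIMIT_FSIZE, file_bytes)
    return subprocess.run(argv, preexec_fn=apply_limits, timeout=wall_s,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode

# Hypothetical stand-in for a scanner's unpack step: inflate argv[1] into argv[2].
UNPACK = """
import sys, zlib
d = zlib.decompressobj()
with open(sys.argv[1], 'rb') as src, open(sys.argv[2], 'wb') as dst:
    for chunk in iter(lambda: src.read(65536), b''):
        dst.write(d.decompress(chunk))
    dst.write(d.flush())
"""

def make_zero_archive(path, size=32 << 20):
    # Constructed sample: `size` null bytes deflated, streamed 1 MiB at a time.
    c = zlib.compressobj(9)
    with open(path, "wb") as f:
        for _ in range(size >> 20):
            f.write(c.compress(bytes(1 << 20)))
        f.write(c.flush())

def demo(limit=1 << 20):
    # Returns (child exit status, compressed size, bytes the child managed to write).
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "zeros.z"), os.path.join(tmp, "out.bin")
        make_zero_archive(src)
        rc = run_limited([sys.executable, "-c", UNPACK, src, dst], file_bytes=limit)
        return rc, os.path.getsize(src), os.path.getsize(dst)

if __name__ == "__main__":
    print("exit=%d compressed=%d written=%d" % demo())
```

`RLIMIT_FSIZE` caps each file the child writes, not the total space it uses, so an archive that unpacks into many files still needs the per-user disk quota mentioned in the quoted reply.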