Decompression bomb vulnerabilities

(P) & (C) 2004 AERAsec Network Services and Security GmbH
 The information in this advisory may be freely distributed or reproduced,
 provided that the advisory is not modified in any way.

Information

• simple bombs
• compressed binaries containing a huge number of the same char (binary value)
  
• complex MIME bombs
• a compressed mailbox containing one e-mail with MIME parts, the last MIME part contains a virus
• gzip'ed HTML bombs
• a gzip'ed HTML file, containing a huge amount of spare chars
• picture bombs
• a unicolor picture in GIF or PNG format with a very big width and height
  
• OpenOffice bombs
• OpenOffice data ZIP file containing an additional huge file
  

Bomb size ratios

Possible impacts

Contents

• Affected applications
  
• Anti-Virus Scanners
• Web_Browsers
• Other Applications
  
• History & Credits
  

Contributions

Anti-Virus Scanners

Notes

1. Stops scanning a 10 GByte gzip'ed gzip after 1.3 GB
2. Reports "GZIP: unknown format" (0x31-10G) or  "packed: MIME.Broken" (0x31-1G)
   
3. Process was terminated by kernel: "Out of Memory: Killed process"
4. Virus was not detected after 10 MB or more spare part size
5. Crashes with segmentation fault after both tmp-files reach size of approx. 2 GB
   
6. Time limit is reached during decompression without a proper report to the user
7. Temporary files in /tmp have permissions 644 (o+r), can be fixed by settting proper umask (077) before calling binary
   
8. Reports "I/O error" (100GB)
9. Exit code of vscan is 0 in case of reaching decompression size limit or archive beeing encrypted (e.g. ZIP password protection), only 1 in case a virus was found
10. Reports "...extract error (File size limit reached.)", but exit code is 0 (zero)
11. Reports "is corrupted." when scanning the 10 or 100 GB file
    
12. Running with "unset LANG" it reports "unexpected error" and terminates with exit code 2 ("If some error preventing further execution is discovered."), using additonal option -eec for extended error codes it reports 8 ("If survivable errors have occurred.")
    

Contributions by

1. Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
2. AMaVis team
   

Used command line switches

Web browsers

		Type of bomb
Vendor	Product, Version, OS	gzip'ed HTML	GIF	PNG	Information
Mozilla	Mozilla 1.4/Windows	vulnerable very busy during decompression eats all virtual memory	100M displayed	100M displayed, 1G not displayed, but no crash	Bugzilla#233262
Mozilla	Mozilla 1.5/Linux	still untested	still untested	vulnerable (a) crashes on 1G
Mozilla	Mozilla 1.6/Linux	vulnerable (c) process killed after reaching virtual memory limit (1G)	100M ok	vulnerable (c) process killed rather soon
Mozilla	Mozilla 1.6/Win32	safe (c) (2)	100M ok	strangeness (c) (3)
Opera	Opera 7.23 Build 3227/Windows	vulnerable killed after reaching limit of available virtual memory during decompression	100M ok	vulnerable crashes on 1G
Opera	Opera 7.23 Build 518 /Linux	still untested	100M ok	vulnerable crashes on 1G
Microsoft	Internet Explorer 6.0.2800.1106	restarting during decompression (100M)	safe, but 100M was not displayed	safe, error messages were displayed
Microsoft	Internet Explorer 5.00.3700.1000	rendering problems after reaching the virtual memory limit	safe, but 100M was not displayed	not supported
KDE	Konqueror 3.1.5/Linux	still untested	vulnerable (b) crashes on 100M (1)	still untested

Notes

1. Process was terminated by kernel: "Out of Memory: Killed process"
2. 99% CPU load and 1.5GB memory allocation
3. Recognices the picture size (scroll bars are shown), but no content is displayed
   

Contributions by

1. AMaVis team
2. Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
3. Martin Kirst, TU Chemitz
   

Additional comments

• Browsers in SmartPhones or PDAs:
• Currenty, we have no reports whether browsers in smartphones or PDAs are vulnerable, too. Since they generally do not have much physical memory, and data is probably compressed over the low bitrate connection, their vulnerability is to be expected.
  

Other applications

• picture bombs
• OpenOffice bombs

Notes

1. On Microsoft Windows, out-of-disc space occurs in user's TEMP folder (usually resides on C:) in case of the OpenOffice-Bomb
2. The Gimp sent X into an unusable state after running out of disk space, the machine had to be rebooted.
   

History & Credits

History of this page

• 2004-01-16: first version
• 2004-01-19: extend information
• 2004-01-20: add AMaViS information and result of further investigations
• 2004-01-21: result of further investigations
• 2004-01-27: review, minor adds of further investigations
• 2004-01-28: add an additional workaround
  
• 2004-02-03: finalizing before publishing
• 2004-02-04: minor fix
• 2004-02-09: add contributions for Mozilla, add hint for NAI uvscan
• 2004-02-10: add (same) result of new version of FRISK's f-prot

History of this issue itself

• early '90s: ARC/LZH/ZIP/RAR-Bombs were used in DoS of Fidonet systems
• 2002-01-01: Paul L. Daniels publishes first version of 'arbomb' (Archive "Bomb" detection utility)
• 2003-08-29: Posting by Steve Wray on mailinglist FullDisclosure mentions a bzip2 bomb
• 2003-09-01: AERAsec found that some antivirus software is vulnerable against the posted bzip2 bomb
• 2004-01-09: Publishing of the advisory bzip2bomb-antivirusengines
• 2004-01-15: Investigation of gzip'ed HTML and PNG/GIF bombs
  
• 2004-02-03: Publishing of this advisory

Author

• Dr. Peter Bieringer, AERAsec Network Services and Security GmbH

Credits

• Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
• Reporting some test results
• Harald Geiger, AERAsec Network Services and Security GmbH
• Reporting some test results
• AMaVis team
• Reporting test results
• Martin F. Krafft
• Review of this adivsory
• Martin Kirst, TU Chemitz
• Reporting test results