System: Several Anti-Virus Scanner Software, Web browsers, Applications, possibly other software classes
Topic: Possible Denial-of-Service caused by decompression bombs

URLs of this advisory:
http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html (HTML)
http://www.aerasec.de/security/advisories/txt/decompressionbomb-overview.txt (short overview in TXT)
See also: ae-200402-006
Decompression bomb vulnerability

Decompression bomb vulnerabilities

(P) & (C) 2004 AERAsec Network Services and Security GmbH
 The information in this advisory may be freely distributed or reproduced,
 provided that the advisory is not modified in any way.

Information

It looks like bzip2 bombs (see our advisory: bzip2bomb-antivirusengines) are not the only ones that can cause problems. We found that decompression bombs in general are causing problems. Compression is used in many applications, but only seldom maximum size limits are checked during decompression of untrusted content.

We've created several bombs now and tested not only the decompression unit of antivirus engines.
Examples are available here: ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/
  • simple bombs
    • compressed binaries containing a huge number of the same char (binary value)
  • complex MIME bombs
    • a compressed mailbox containing one e-mail with MIME parts, the last MIME part contains a virus
  • gzip'ed HTML bombs
    • a gzip'ed HTML file, containing a huge amount of spare chars
  • picture bombs
    • a unicolor picture in GIF or PNG format with a very big width and height
  • OpenOffice bombs
    • OpenOffice data ZIP file containing an additional huge file

Bomb size ratios

Type
 Used compression
 Original size
 Compressed size Ratio
simple bomb
 gzip'ed gzip'ed gzip (3 stages)
 100 GigaByte
 5928 Bytes
 1.7e7:1
simple bomb gzip'ed gzip (2 stages) 100 GigaByte 233782 Bytes 427748:1
simple bomb gzip 100 GigaByte 97 MegaByte 1000:1
simple bomb bzip2'ed bzip2 100 GigaByte 220 Bytes 4.5e8:1
simple bomb bzip2
 100 GigaByte 69745 Bytes 1.6e6:1
PNG picture bomb
 deflate
 19000 x 19000, 1-bit (45 MB)
expand in 24-bit color to 1 GB
 44024 Bytes 1000:1
22e3:1
GIF picture bomb
 LZW
 6000 x 6000, 8-bit (288 MB)
expand in 24-bit color to 100MB		 25527 Bytes 1e4:1
OpenOffice bomb
 deflate
 100 GigaByte
 97 MegaByte
 1000:1

Possible impacts

During our investigations we found the following possible impacts:

Reason
 System behavior
 Impact
Application crashes because of out-of-memory Process usually terminated by kernel Denial-of-Service against application
Application consumes a lot of virtual memory High CPU load, high disk load during paging, no or slow reaction. (On Microsoft Windows systems also increasing of paging file can be triggered) Denial-of-Service against application, also against system because of heavy load
Application crashed because of out-of-disk space Normally after a crash the application doesn't remove the temporary file, system stays in out-of-disk-space state.
 Denial-of-Service against application, system itself and other applications

Contents

Contributions

We already received a number of contributions, but there remains a large number of existing applications to be tested.
Feel free to contribute anything that's missing. We can either add it anonymously or with attribution, however you prefer. You can reach us at info at aerasec dot de.

Anti-Virus Scanners

Unless stated otherwise, we define vulnerable to mean that the application may lead to an out-of-memory, out-of-diskspace, or CPU overload state during the dump decompression of untrusted content.
Type of bomb


 bzip2 gzip
Vendor
 Product, Version, OS simple
 complex
 simple
 complex
 Information
Trend Micro
 InterScan Viruswall for
- Linux 3.6 build 1160 and higher
- Solaris 3.6 build 1160 and higher
- Sendmail Switch 3.6 + Patch 2
- Linux 3.8
- Solaris 3.8
- Solaris - CSP 3.6
- AIX 3.6
- HP-UX 3.6
- NT 3.53
 vulnerable, but
fix available (7,9)
bomb detection by reaching limit
 vulnerable, but
fix available (7,9)
bomb detection by reaching limit 		vulnerable, but
fix available (7,9)
bomb detection by reaching limit		 vulnerable, but
fix available (7,9)
bomb detection by reaching limit		 Trend Micro KB #18198
Trend Micro KB #18200
Trend Micro KB #18219
Trend Micro KB #14203
Config parameters:
[Scan-Configuration]
extract_limit_size=
limit in vscan via command line option:
-E<size><unit>
Network Associates
 McAfee Virus Scan
 for Linux v4.1.60 or v4.2.40
 vulnerable (a,b) (11)
 strangeness (b) (11)
 strangeness (b) (6) strangeness (b) (6) For command line scanner use
--timeout <seconds> (documented since 4.3.20)
Kaspersky Labs Kaspersky AntiVirus
 for Linux 4.0.2.2		 bomb detection bomb detection bomb detection bomb detection
Kaspersky Labs Kaspersky AntiVirus
 for Linux 4.0.3.0		 vulnerable
not vulnerable
(8)
not vulnerable
(2)
not vulnerable
(2)
Kaspersky Labs
 Kaspersky AntiVirus
 for Linux 5.0.1.0 (probably all versions since 4.5)
 vulnerable
 vulnerable not vulnerable, but no warning (1)
 vulnerable
FRISK
 F-PROT AntiVirus
 for Linux 4.3.2 (Engine 3.14.7)
 for Linux 4.3.4 (Engine 3.14.8)		 no bzip2 support
no bzip2 support not vulnerable, but no warning
 vulnerable (3)
 Memory-only scanner
AMaViS amavis-0.2.x, amavis-0.3.x, amavisd (all versions) vulnerable vulnerable vulnerable vulnerable ASA-2004-1
(currently no solution!)
AMaViS
 amavisd-new bomb detection by reaching limit
 since version 20021116
 bomb detection by reaching limit
 since version 20021116
 bomb detection by reaching limit
 since version 20021116
 bomb detection by reaching limit
 since version 20021116
 ASA-2004-1
Config parameters:
$MAXLEVELS
$MAXFILES
$MIN_EXPANSION_QUOTA
$MAX_EXPANSION_QUOTA
$MIN_EXPANSION_FACTOR
$MAX_EXPANSION_FACTOR
AMaViS amavis-ng bomb detection by reaching limit bomb detection by reaching limit bomb detection by reaching limit bomb detection by reaching limit ASA-2004-1
Config parameters:
maxspace
SOFTWIN
 bitdefender/Linux-Console v7.0
 not vulnerable, but no warning not vulnerable,but see (4)
 not vulnerable, but no warning
 not vulnerable, but see (4)
Sophos
 Sweep Version 3.77, Januar 2004 [Linux/Intel]
 vulnerable (b) (5,12) vulnerable (b) (5)
 still untested not vulnerable, but no virus found
H+BEDV
Central Command
 AntiVir / Linux Version 2.0.9-6
Vexira
 not vulnerable by reaching limit (b) (7,10)
 still untested not vulnerable by reaching limit (b) (7,10) not vulnerable by reaching limit (b) (7,10) posting on postfix maillist regarding Vexira
Config parameters (AvMailGate)
MaxFilesizeInArchive

Notes

  1. Stops scanning a 10 GByte gzip'ed gzip after 1.3 GB
  2. Reports "GZIP: unknown format" (0x31-10G) or  "packed: MIME.Broken" (0x31-1G)
  3. Process was terminated by kernel: "Out of Memory: Killed process"
  4. Virus was not detected after 10 MB or more spare part size
  5. Crashes with segmentation fault after both tmp-files reach size of approx. 2 GB
  6. Time limit is reached during decompression without a proper report to the user
  7. Temporary files in /tmp have permissions 644 (o+r), can be fixed by settting proper umask (077) before calling binary
  8. Reports "I/O error" (100GB)
  9. Exit code of vscan is 0 in case of reaching decompression size limit or archive beeing encrypted (e.g. ZIP password protection), only 1 in case a virus was found
  10. Reports "...extract error (File size limit reached.)", but exit code is 0 (zero)
  11. Reports "is corrupted." when scanning the 10 or 100 GB file
  12. Running with "unset LANG" it reports "unexpected error" and terminates with exit code 2 ("If some error preventing further execution is discovered."), using additonal option -eec for extended error codes it reports 8 ("If survivable errors have occurred.")

Contributions by

  1. Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
  2. AMaVis team

Used command line switches

Vendor Product
 Executable
 Used options
FRISK F-PROT AntiVirus for Linux
 f-prot
 -archive -all -packed
SOFTWIN bitdefender for Linux
 bdc
 --arc --files --mail --all
Trend Micro InterScan Viruswall for Linux
 vscan
 -za -E1G
Network Associates
 McAfee Virus Scan for Linux uvscan
 --mailbox --mime --unzip
Sophos Sweep Version sweep
 -f -all -archive

Web browsers

HTML Decompression bombs can also be sent to web browser, should gzip transfer encoding be supported.
See here for some small examples: html-bomb/examples.

Unless stated otherwise, we define vulnerable to mean that the application may lead to an out-of-memory, out-of-diskspace, or CPU overload state during the dump decompression of untrusted content.
Type of bomb
Vendor
 Product, Version, OS gzip'ed HTML
 GIF
 PNG Information
Mozilla
 Mozilla
1.4/Windows
 vulnerable
very busy during decompression
eats all virtual memory
 100M displayed
 100M displayed,
1G not displayed, but no crash
 Bugzilla#233262
Mozilla Mozilla
1.5/Linux		 still untested still untested
vulnerable (a)
crashes on 1G

Mozilla Mozilla
1.6/Linux		 vulnerable (c)
process killed after reaching virtual memory limit (1G)		 100M ok
vulnerable (c)
process killed rather soon

Mozilla Mozilla
1.6/Win32		 safe (c) (2)

 100M ok
strangeness (c) (3)
Opera
 Opera
7.23 Build 3227/Windows
 vulnerable
killed after reaching limit of available virtual memory during decompression
 100M ok
 vulnerable
crashes on 1G
Opera
 Opera
7.23 Build 518 /Linux
 still untested 100M ok
 vulnerable
crashes on 1G
Microsoft
 Internet Explorer
6.0.2800.1106
 restarting during decompression (100M)
Microsoft Internet Explorer restart message during decompression of gzip'ed HTML
 safe, but
100M was not displayed
 safe,
error messages were displayed
Microsoft Internet Explorer
5.00.3700.1000
 rendering problems after
reaching the virtual memory limit
 safe, but
100M was not displayed		 not supported
KDE
 Konqueror
3.1.5/Linux
 still untested
vulnerable (b)
crashes on 100M (1)
still untested

Notes

  1. Process was terminated by kernel: "Out of Memory: Killed process"
  2. 99% CPU load and 1.5GB memory allocation
  3. Recognices the picture size (scroll bars are shown), but no content is displayed

Contributions by

  1. AMaVis team
  2. Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
  3. Martin Kirst, TU Chemitz

Additional comments

  • Browsers in SmartPhones or PDAs:
    • Currenty, we have no reports whether browsers in smartphones or PDAs are vulnerable, too. Since they generally do not have much physical memory, and data is probably compressed over the low bitrate connection, their vulnerability is to be expected.

Other applications

We currently haven't tested any other applications. Every application that uses compressed data is potentially vulnerable, unless it has a sane
maximum limit for decompression. Otherwise, working with content from untrusted sources can yield to denial-of-service.

Currently related available bombs:
We started here a collection:

Possible impact on bombs
Vendor
 Product, Version, OS Compression usage
 ZIP
 GZIP
 BZIP2
 GIF
 PNG Information
OpenOffice.org
 OpenOffice.org 1.1.0/Windows
 		Storage file is a ZIP, containing documents, styles, pictures...
 vulnerable (1)
 n.a. n.a. safe, but heavy load during decompression  (100M) save, but heavy load during decompression  (1G)
The GIMP
 The GIMP for Windows 1.2.4
 GIF and PNG related ones
 n.a. n.a. n.a. safe (100M)
 heavy load, causes an unknown software exception (screenshot)
The GIMP
 The GIMP for Linux 1.2.5
 GIF and PNG related ones
 n.a. n.a. n.a. safe (100M)
 heavy load, causes system overload (2)
The GIMP The GIMP for Windows 2.0-pre2 GIF and PNG related ones n.a. n.a. n.a. safe (100M)
 heavy load
Unknown Unknown SOAP client
 gzip'ed XML
 n.a.
 still untested
 n.a. n.a.
n.a.
 Results would be interesting...

Notes

  1. On Microsoft Windows, out-of-disc space occurs in user's TEMP folder (usually resides on C:) in case of the OpenOffice-Bomb
  2. The Gimp sent X into an unusable state after running out of disk space, the machine had to be rebooted.

History & Credits

History of this page

  • 2004-01-16: first version
  • 2004-01-19: extend information
  • 2004-01-20: add AMaViS information and result of further investigations
  • 2004-01-21: result of further investigations
  • 2004-01-27: review, minor adds of further investigations
  • 2004-01-28: add an additional workaround
  • 2004-02-03: finalizing before publishing
  • 2004-02-04: minor fix
  • 2004-02-09: add contributions for Mozilla, add hint for NAI uvscan
  • 2004-02-10: add (same) result of new version of FRISK's f-prot

History of this issue itself

  • early '90s: ARC/LZH/ZIP/RAR-Bombs were used in DoS of Fidonet systems
  • 2002-01-01: Paul L. Daniels publishes first version of 'arbomb' (Archive "Bomb" detection utility)
  • 2003-08-29: Posting by Steve Wray on mailinglist FullDisclosure mentions a bzip2 bomb
  • 2003-09-01: AERAsec found that some antivirus software is vulnerable against the posted bzip2 bomb
  • 2004-01-09: Publishing of the advisory bzip2bomb-antivirusengines
  • 2004-01-15: Investigation of gzip'ed HTML and PNG/GIF bombs
  • 2004-02-03: Publishing of this advisory

Author

  • Dr. Peter Bieringer, AERAsec Network Services and Security GmbH

Credits

  • Ralf Hildebrandt, Charite - Universitätsmedizin Berlin
    • Reporting some test results
  • Harald Geiger, AERAsec Network Services and Security GmbH
    • Reporting some test results
  • AMaVis team
    • Reporting test results
  • Martin F. Krafft
    • Review of this adivsory
  • Martin Kirst, TU Chemitz
    • Reporting test results