Date: Tue, 6 Aug 2019 10:53:41 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: clamav: denial of service through "better zip bomb"

Hi,

Recently David Fifield presented a new variant of a ZIP bomb where, by using overlapping segments, he was able to achieve very high compression ratios (42kb->5GB, 10MB->281TB).

Passing the example files to clamav causes extreme CPU spikes and extremely long scanning times. In a setup with clamd (a daemon-ized version of clamav) this is particularly nasty, as even interrupting the scanning process doesn't stop the CPU spikes in the daemon and the daemon cannot be killed gracefully.

clamav is often used to automatically scan incoming mails on mailservers; in this case this can be an effective way to make a server unusable.

The upstream bug report is here [2]. Clamav made a new release 0.101.3 [3] with a mitigation. However, David Fifield commented in the bug report [4] that the fix is incomplete: by using some slight variations of his methods he could bypass the fix.

Mitigation
==========

This can be mitigated by disabling scanning of compressed archives. In the case of clamd there's a setting "ScanArchive" in clamd.conf [5].

Downside: Obviously that means compressed files won't be scanned.

misc
====

Firefox sometimes showed Safebrowsing warnings for the "better zip bomb" web page by David Fifield. Not sure how it ended up in the safe browsing list, though I believe it's bad practice to mark legit security research as "malicious" by blacklists.

A similar DoS is happening in Chrome when downloading the sample ZIP bombs. This has already been mentioned in public comments, e.g. here [6]. I had reported this to Chrome; it was marked as a duplicate of a non-public bug.

It's likely that there are more applications affected. I recommend that people try to test other applications that might unpack ZIP files in an automated setting with these sample files.
[1] https://www.bamsoftware.com/hacks/zipbomb/
[2] https://bugzilla.clamav.net/show_bug.cgi?id=12356
[3] https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
[4] https://bugzilla.clamav.net/show_bug.cgi?id=12356#c6
[5] https://linux.die.net/man/5/clamd.conf
[6] https://news.ycombinator.com/item?id=20352537

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
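A cheap pre-scan triage check for the two properties this post describes (overlapping entries and an extreme declared decompression ratio), as an added example that is not part of the original message or of clamav. It reads only the central directory and local headers with Python's standard zipfile/struct modules and never inflates any data; the MAX_RATIO threshold and both fixture archives are constructed for the demonstration.

```python
"""Pre-scan triage for ZIP files: flag overlapping entries and extreme ratios."""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4sHHHHHIIIHH"  # 30-byte fixed local file header
MAX_RATIO = 100              # constructed threshold; tune for your mail volume


def entry_spans(data):
    """(start, end, name) of each entry's local header plus its compressed data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = struct.unpack(LOCAL_HDR, data[off:off + 30])
            end = off + 30 + hdr[9] + hdr[10] + info.compress_size  # + name/extra lens
            spans.append((off, end, info.filename))
    return spans


def analyze(data):
    """Count entries whose byte ranges overlap and compute the declared ratio."""
    spans = sorted(entry_spans(data))
    overlaps, reach = 0, -1
    for start, end, _ in spans:           # any start before the furthest end so far
        overlaps += start < reach         # means two entries share bytes
        reach = max(reach, end)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comp = sum(i.compress_size for i in zf.infolist()) or 1
        uncomp = sum(i.file_size for i in zf.infolist())
    return {"entries": len(spans), "overlaps": overlaps, "ratio": uncomp / comp,
            "suspicious": overlaps > 0 or uncomp / comp > MAX_RATIO}


def benign_zip():
    """Constructed fixture: one ordinary deflated text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "hello world\n" * 100)
    return buf.getvalue()


def overlapping_zip():
    """Constructed fixture: two central-directory entries share ONE local header."""
    payload = b"hello"
    crc = zlib.crc32(payload)
    local = struct.pack(LOCAL_HDR, b"PK\x03\x04", 10, 0, 0, 0, 0, crc, 5, 5, 1, 0) + b"a" + payload
    cd = b"".join(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 10, 0, 0, 0, 0,
                              crc, 5, 5, 1, 0, 0, 0, 0, 0, 0) + name for name in (b"a", b"b"))
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 2, 2, len(cd), len(local), 0)
    return local + cd + eocd


if __name__ == "__main__":
    for label, blob in (("benign", benign_zip()), ("overlapping", overlapping_zip())):
        print(label, analyze(blob))
```

Because the check only parses headers, it is cheap enough to run on every attachment before the archive reaches clamd, and a "suspicious" verdict can quarantine the file instead of handing it to a scanner that may never return.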
