Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 6 Aug 2019 10:53:41 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: clamav: denial of service through "better zip bomb"

Hi,

Recently David Fifield presented a new variant of a ZIP bomb where by
using overlapping segments he was able to achieve very high compression
ratios (42kb->5GB, 10MB->281TB).

Passing the example files to clamav causes extreme CPU spikes and
extremely long scanning times. In a setup with clamd (a daemon-ized
version of clamav) this is particularly nasty, as even interrupting the
scanning process doesn't stop the CPU spikes in the daemon and the
daemon cannot be killed gracefully.

clamav is often used to automatically scan incoming mails on
mailservers, in this case this is can be effective way to make a server
unusable.

The upstream bug report is here [2]. Clamav made a new release 0.101.3
[3] with a mitigation.

However David Fifield commented in the bug report [4] that the fix is
incomplete, by using some slight variations of his methods he could
bypass the fix.

Mitigation
==========

This can be mitigated by disabling scanning of compressed archives. In
the case of clamd there's a setting "ScanArchive" in clamd.conf [5].

Downside: Obviously that means compressed files won't be scanned.

misc
====

Firefox sometimes showed Safebrowsing warnings for the "better zip
bomb" web page by David Fifield. Not sure how it ended up in the safe
browsing list, though I believe it's bad practice to mark legit
security research as "malicious" by blacklists.

A similar DoS is happening in Chrome when downloading the sample ZIP
bombs. This has already been mentioned in public comments, e.g. here
[6]. I had reported this to Chrome, it was marked as a duplicate of a
non-public bug.

It's likely that there are more applications affected.
I recommend that people try to test other applications that might
unpack ZIP files in an automated setting with these sample files.

[1] https://www.bamsoftware.com/hacks/zipbomb/
[2] https://bugzilla.clamav.net/show_bug.cgi?id=12356
[3]
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
[4] https://bugzilla.clamav.net/show_bug.cgi?id=12356#c6
[5] https://linux.die.net/man/5/clamd.conf
[6] https://news.ycombinator.com/item?id=20352537
-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.