[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] BZIP2 bomb question

To: <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] BZIP2 bomb question
From: "Alexander Veit" <list@nezwerg.de>
Date: Mon, 12 Jan 2004 23:15:53 +0100

Hi Greg,

> [...]
> I am wondering why, for those who HAVE to auto unpack, a 
> script cannot be written which, upon receipt of an
> archive of any sort, inspects it for, as an example,
> 100K of the same character repeated (keeping in mind
> that the NULL character, chr$(7) etc have all been used
> for compressed bombs) and if there *IS* such a file,
> move the file to some safe location for later manual
> inspection and if not, allow automatic unpacking etc.
> [...]

A safe detection of a such bombs by inspecting the stream of uncompressed
data seems impractical, since repeating patterns may consist of more than
one byte.

A better criterion may be the ratio of the size of currently uncompressed
data and the total archive size. This number should not exceed a reasonable
value.

-- 
Regards,
Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] BZIP2 bomb question
  - From: "Gregh" <chows@ozemail.com.au>

Prev by Date: Re: [Full-Disclosure] Re: [Fwd: [TH-research] OT: Israeli Post Office break-in] false weather reports
Next by Date: [Full-Disclosure] PHP Functions Security Audit?
Previous by thread: [Full-Disclosure] BZIP2 bomb question
Next by thread: Re: [Full-Disclosure] BZIP2 bomb question
Index(es):
- Date
- Thread