Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20190806105341.71a55acf@computer>
Date: Tue, 6 Aug 2019 10:53:41 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: clamav: denial of service through "better zip bomb"

Hi,

Recently David Fifield presented a new variant of a ZIP bomb where by
using overlapping segments he was able to achieve very high compression
ratios (42kb->5GB, 10MB->281TB).

Passing the example files to clamav causes extreme CPU spikes and
extremely long scanning times. In a setup with clamd (a daemon-ized
version of clamav) this is particularly nasty, as even interrupting the
scanning process doesn't stop the CPU spikes in the daemon and the
daemon cannot be killed gracefully.

clamav is often used to automatically scan incoming mails on
mailservers, in this case this is can be effective way to make a server
unusable.

The upstream bug report is here [2]. Clamav made a new release 0.101.3
[3] with a mitigation.

However David Fifield commented in the bug report [4] that the fix is
incomplete, by using some slight variations of his methods he could
bypass the fix.

Mitigation
==========

This can be mitigated by disabling scanning of compressed archives. In
the case of clamd there's a setting "ScanArchive" in clamd.conf [5].

Downside: Obviously that means compressed files won't be scanned.

misc
====

Firefox sometimes showed Safebrowsing warnings for the "better zip
bomb" web page by David Fifield. Not sure how it ended up in the safe
browsing list, though I believe it's bad practice to mark legit
security research as "malicious" by blacklists.

A similar DoS is happening in Chrome when downloading the sample ZIP
bombs. This has already been mentioned in public comments, e.g. here
[6]. I had reported this to Chrome, it was marked as a duplicate of a
non-public bug.

It's likely that there are more applications affected.
I recommend that people try to test other applications that might
unpack ZIP files in an automated setting with these sample files.

[1] https://www.bamsoftware.com/hacks/zipbomb/
[2] https://bugzilla.clamav.net/show_bug.cgi?id=12356
[3]
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
[4] https://bugzilla.clamav.net/show_bug.cgi?id=12356#c6
[5] https://linux.die.net/man/5/clamd.conf
[6] https://news.ycombinator.com/item?id=20352537
-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.