Re: [Full-Disclosure] BZIP2 bomb question

From: Alex Shipp (ashipp_at_messagelabs.com)
Date: 01/12/04

    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 12 Jan 2004 21:36:54 -0000
    
    

    >----- Original Message -----
    >From: "Gregh" <chows@ozemail.com.au>
    >

    >Please note I am not a good programmer here but here goes:
    >
    >I am wondering why, for those who HAVE to auto unpack, a script cannot be
    >written which, upon receipt of an archive of any sort, inspects it for, as
    >an example, 100K of the same character repeated (keeping in mind that the
    >NULL character, chr$(7) etc have all been used for compressed bombs) and if
    >there *IS* such a file, move the file to some safe location for later manual
    >inspection and if not, allow automatic unpacking etc.

    Ignoring lots of technical details (!) this can indeed be done, and can be used
    along with lots of other heuristics to defend against compressed bombs.

    There are implementations that already do this.

    Regards,

    Alex
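
The check discussed in this thread, as an added example that is not part of the original messages and not the code of any product mentioned: a bzip2 stream is decompressed in bounded chunks and flagged for manual inspection when one byte value repeats 100K times in a row, or when total output passes a ceiling (one possible additional heuristic). The name `inspect_bzip2`, the 64 MiB ceiling and the chunk size are assumptions.

```python
import bz2
from itertools import groupby

MAX_RUN = 100 * 1024            # "100K of the same character" from the question
MAX_OUTPUT = 64 * 1024 * 1024   # assumed ceiling on total unpacked size
CHUNK = 64 * 1024               # never hold more than this much output at once

def inspect_bzip2(blob, max_run=MAX_RUN, max_output=MAX_OUTPUT):
    """Return ("ok", size) or ("quarantine", reason) without unpacking to disk."""
    total, last, run = 0, None, 0
    while blob:                              # one pass per concatenated stream
        dec = bz2.BZ2Decompressor()
        data = blob
        while not dec.eof:
            try:
                out = dec.decompress(data, CHUNK)   # bounded output per call
            except OSError as exc:
                return ("quarantine", f"invalid stream: {exc}")
            data = b""                       # all input was handed over already
            if not out and not dec.eof:
                return ("quarantine", "truncated stream")
            total += len(out)
            if total > max_output:
                return ("quarantine", f"output exceeds {max_output} bytes")
            # Track the current run across chunk boundaries.
            for byte, grp in groupby(out):
                n = sum(1 for _ in grp)
                run = run + n if byte == last else n
                last = byte
                if run >= max_run:
                    return ("quarantine", f"byte 0x{byte:02x} repeated {run} times")
        blob = dec.unused_data               # a further stream, if any
    return ("ok", total)

if __name__ == "__main__":
    # Constructed samples: a run of NULs and an archive with varied content.
    print(inspect_bzip2(bz2.compress(b"\x00" * 200_000)))
    print(inspect_bzip2(bz2.compress(bytes(range(256)) * 1000)))
```
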
