Re: [Full-Disclosure] BZIP2 bomb question

From: Gregh (chows_at_ozemail.com.au)
Date: 01/13/04

    To: "Alex Shipp" <ashipp@messagelabs.com>, <full-disclosure@lists.netsys.com>
    Date: Tue, 13 Jan 2004 23:24:52 +1100
    
    

    ----- Original Message -----
    From: "Alex Shipp" <ashipp@messagelabs.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Tuesday, January 13, 2004 8:36 AM
    Subject: Re: [Full-Disclosure] BZIP2 bomb question

    > >----- Original Message -----
    > >From: "Gregh" <chows@ozemail.com.au>
    > >
    >
    > >Please note I am not a good programmer here but here goes:
    > >
    > >I am wondering why, for those who HAVE to auto unpack, a script cannot be
    > >written which, upon receipt of an archive of any sort, inspects it for, as
    > >an example, 100K of the same character repeated (keeping in mind that the
    > >NULL character, chr$(7) etc have all been used for compressed bombs) and if
    > >there *IS* such a file, move the file to some safe location for later manual
    > >inspection and if not, allow automatic unpacking etc.
    >
    > Ignoring lots of technical details (!) this can indeed be done, and can be used
    > along with lots of other heuristics to defend against compressed bombs.
    >
    > There are implementations that already do this.
    >

    Then perhaps the people still falling foul of the bombs might be helped out
    by a few URLs here if you wouldn't mind? It just seemed a little strange to
    me that an archive can't be inspected before being operated on. Thanks for
    the answer!

    Greg.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
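
Added example, not part of the original thread and not any poster's code: a sketch of the pre-unpack check discussed above, for bzip2 only. It decompresses in bounded chunks and returns a quarantine verdict on a run of 100K identical bytes. The function name, the total-size cap and the choice to quarantine on trailing data are assumptions made for this illustration.

```python
import bz2
import io
from itertools import groupby

RUN_LIMIT = 100 * 1024           # "100K of the same character" from the post
OUTPUT_LIMIT = 64 * 1024 * 1024  # assumed cap on total unpacked size
CHUNK = 64 * 1024                # bytes read / decompressed per step


def inspect_bz2(stream, run_limit=RUN_LIMIT, output_limit=OUTPUT_LIMIT):
    """Return ("unpack", reason) or ("quarantine", reason) for a bzip2 stream."""
    dec = bz2.BZ2Decompressor()
    total, last, run = 0, None, 0
    while not dec.eof:
        data = stream.read(CHUNK) if dec.needs_input else b""
        if dec.needs_input and not data:
            return "quarantine", "truncated stream"
        try:
            # max_length bounds memory: never more than CHUNK bytes at once
            out = dec.decompress(data, max_length=CHUNK)
        except OSError:
            return "quarantine", "not a valid bzip2 stream"
        total += len(out)
        if total > output_limit:
            return "quarantine", "output exceeds size cap"
        # Track the current run across chunk boundaries via (last, run).
        for byte, group in groupby(out):
            n = sum(1 for _ in group)
            run = run + n if byte == last else n
            last = byte
            if run >= run_limit:
                return "quarantine", f"run of {run_limit}+ bytes 0x{byte:02x}"
    if dec.unused_data or stream.read(1):
        # A second concatenated stream would otherwise go uninspected.
        return "quarantine", "data after end of first stream"
    return "unpack", f"{total} bytes, no long runs"


# Constructed samples: ordinary text versus 1 MiB of NUL bytes.
SAMPLE_OK = bz2.compress(b"".join(b"line %d\n" % i for i in range(5000)))
SAMPLE_BOMB = bz2.compress(b"\x00" * (1024 * 1024))

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("bomb", SAMPLE_BOMB)):
        print(name, len(blob), "bytes ->", inspect_bz2(io.BytesIO(blob)))
```

The run check alone misses bombs built from short repeating patterns, which is why the total-size cap sits beside it as a second heuristic.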