Multiple Antivirus DoS During Processing of Malformed Compressed Archives

While scanning compressed files, several Antivirus, Trojan and Spyware scanners might suffer from a denial of service condition while attempting to extract an archive that contains intentionally malformed content in it.

Details Vulnerable Systems:
* Norton Antivirus 2002
* Norton Antivirus 2003
* McAfee VirusScan 6
* Network Associates (McAfee) VirusScan Enterprise 7.1
* Windows XP default ZIP manager (report's wrong size of compress ZIP files.)
* F-Prot 4.4.2 for Linux
* Panda Antivirus
* Linux uvscan scan engine 4.3.20 (McAfee)

It is possible to construct an archive containing a file or files that will cause a denial of service condition when a scanner attempts to extract the contents of the archive. Usually files within archives are completely extracted before scanned, which gives rise to this vulnerability.

Such a malicious file can be obtain from http://www.geocities.com/visitbipin/SERVER_dwn.zip.

Moreover it's not safe to set automatically 'Quarantine/delete' option set for your AV scanner as it may try to Quarantine the virus by extracting the archive.

The exhibited behavior when a scanner attempts to scan the file is along the lines of the one seen for uvscan in the following example, which shows the output from the 'top' system monitoring utility:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
1306 nobody 15 0 22744 21M 1648 R 97.4 35.6 0:44 0 uvscan

The information has been provided by bipin gautam.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Hurray for Nepali talent

This was discovered by Bipin, a good friend of mine who's a young teenager involved in security research as a hobby and a group activity (http://www.nepsecure.tk). This discovery is quite important as it's platform independent i.e. effects linux as well as windows and antivirus software in both client and servers are an integral part of IT infrastructure.

Malformed zipped file...

Interesting, can you provide more information on the malformed zipped file...

Comment