Autor: Chris Meadors Data: A: exim-users Assumpte: Re: [exim] [OT] Emergency!!! Is anyone else getting this virus/worm?
On Sun, 2004-11-14 at 17:50 +0100, patrick coeman wrote:
> And about the attachment: Just make a few 100MB or GB file with only the
> letter a in it and let some zip program use the max compression. Indeed
> you receive a very small attachment. We played with that in pre-internet
> times (Fidonet) to test mailsoftware.
And because these zip bombs have existed since pre-Internet days, every
scanner I have ever seen has the ability to look at the compress vs.
uncompressed size of the file inside an archive and refuse to unpack
something that will blow up many times its compressed size.
ClamAV is included in the list of programs that have protection from
this type of attack. But there are settings to control what compression
ratio is allowed to be expanded. It was theorized the original poster
had changed these settings and exposed themselves to the problem. I
don't think the original poster wrote back, so I assume that theory was
correct.
In other words this attack will not effect the majority of servers out
there.
Although there was recently a bug found that if the header of a zip file
was altered to report the size of a file to be 0 bytes many scanners
would skip over the file assuming it to be safe. I wonder if the same
trick could be played to make the compression ratio look lower than it
actually is...
