[Full-Disclosure] lftp buffer overflows

From: Härnhammar, Ulf (Ulf.Harnhammar.9485_at_student.uu.se)
Date: 12/14/03

    To: bugtraq@securityfocus.com
    Date: Sun, 14 Dec 2003 00:08:04 +0100
    
    
    

    lftp buffer overflows
    ---------------------

    PROGRAM: lftp
    VENDOR: Alexander V. Lukyanov et al.
    HOMEPAGE: http://lftp.yar.ru/
    VULNERABLE VERSIONS: 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9,
    probably all versions in between
    IMMUNE VERSIONS: 2.6.10, older versions with my patch applied

    * PROGRAM DESCRIPTION *

    "lftp is a sophisticated command line based FTP client. It has a
    multithreaded design allowing you to issue and execute multiple
    commands simultaneously or in the background. It also features
    mirroring capabilities and will reconnect and continue transfers in
    the event of a disconnection. Also, if you quit the program while
    transfers are still in progress, it will switch to nohup mode and
    finish the transfers in the background. HTTP protocol and FTP over
    HTTP proxy are supported. Version 2.3.0 includes HTTPS and FTP over
    SSL support."

    (direct quote from the program's project page at Freshmeat)

    lftp is free software/open source software, published under the
    terms of the GNU General Public License.

    It is one of the packages or ports in Red Hat Linux, SuSE Linux,
    Debian GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux,
    Conectiva Linux, OpenPKG, Yellow Dog Linux, Openwall GNU/*/Linux
    (Owl), ALT Linux, FreeBSD, NetBSD and OpenBSD, among others.

    * SUMMARY *

    I have found two buffer overflow security problems in lftp. They
    both occur when you connect to a web server with lftp using HTTP or
    HTTPS, and then use lftp's "ls" or "rels" commands on specially
    prepared directories on the web server.

    * TECHNICAL DETAILS *

    Technically, the problem lies in the file src/HttpDir.cc and the
    functions try_netscape_proxy() and try_squid_eplf(), which both
    have sscanf() calls that take data of an arbitrary length and
    store it in a char array with 32 elements. (Back in version 2.3.0,
    the problematic code was located in some other function, but the
    problem existed back then too.)

    Depending on the HTML document in the specially prepared directory,
    the buffer will be overflowed in either one function or the other.
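    As an added illustration (this is not lftp's code and not the patch
    attached to this advisory), the C below shows the unsafe sscanf()
    pattern described above next to a hardened form. The listing-line
    format ("<name> <size>"), the function names and the sample input
    are assumptions constructed for the example; the only thing taken
    from the advisory is the shape of the bug: "%s" with no field width
    writing a server-controlled token into a 32-byte char array. The
    fixed version caps the field width at sizeof(buffer) - 1 and uses
    "%n" to detect that a token was truncated, so an over-long name is
    rejected instead of having its tail silently parsed as the next
    field.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define NAME_LEN 32   /* same size as the char array the advisory describes */

enum parse_result { PARSE_OK = 0, PARSE_FAIL = -1, PARSE_TRUNCATED = -2 };

/* Vulnerable pattern (constructed illustration, not lftp's code): "%s" has
 * no width limit, so sscanf copies the whole whitespace-delimited token
 * into the 32-byte array. Any token of 32 or more bytes sent by the web
 * server overruns it (31 bytes + NUL is the most that fits). */
int parse_name_unsafe(const char *line, char name[NAME_LEN], long *size)
{
    return sscanf(line, "%s %ld", name, size) == 2 ? PARSE_OK : PARSE_FAIL;
}

/* Hardened version: "%31s" writes at most 31 bytes plus the terminating
 * NUL, and "%n" records how many input bytes were consumed. If the byte
 * after the token is not whitespace or end of string, the token was
 * longer than the buffer and the line is rejected as truncated. */
int parse_name_safe(const char *line, char name[NAME_LEN], long *size)
{
    int consumed = 0;
    name[0] = '\0';
    if (sscanf(line, "%31s%n", name, &consumed) != 1)
        return PARSE_FAIL;
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return PARSE_TRUNCATED;
    if (sscanf(line + consumed, "%ld", size) != 1)
        return PARSE_FAIL;
    return PARSE_OK;
}

/* Constructed sample input: a listing line whose name field is `len`
 * bytes of 'A', standing in for a name chosen by a malicious server.
 * Caller frees the result. */
char *make_listing_line(size_t len, long size)
{
    char *buf = malloc(len + 32);
    if (buf == NULL)
        return NULL;
    memset(buf, 'A', len);
    sprintf(buf + len, " %ld", size);
    return buf;
}

int main(void)
{
    char name[NAME_LEN];
    long size = 0;
    char *evil = make_listing_line(300, 1);

    /* benign line: both parsers agree */
    parse_name_safe("index.html 2048", name, &size);
    printf("benign: name=%s size=%ld\n", name, size);

    /* hostile line: the safe parser refuses it and never writes past the array */
    printf("hostile: result=%d strlen(name)=%zu\n",
           parse_name_safe(evil, name, &size), strlen(name));

    /* parse_name_unsafe(evil, ...) would smash the stack here; not called */
    free(evil);
    return 0;
}
```

    Note that a field width alone is not a complete fix: "%31s" stops
    after 31 bytes and leaves the rest of the token in the input, so a
    following "%ld" conversion would fail (or, with a different format,
    read attacker-chosen bytes as the next field). Checking the byte
    after the consumed span, as above, turns that into an explicit
    rejection.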

    * SESSION CAPTURE *

    [metaur@hostname src]$ ./lftp -v
    Lftp | Version 2.6.9 | Copyright (c) 1996-2002 Alexander V. Lukyanov
    This is free software with ABSOLUTELY NO WARRANTY. See COPYING for details.
    Send bug reports and questions to <lftp@uniyar.ac.ru>.
    [metaur@hostname src]$ ./lftp
    lftp :~> open http://localhost/buffy/
    lftp localhost:/buffy> ls
    Segmentation fault
    [metaur@hostname src]$ gdb lftp
    GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
    Copyright 2003 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux-gnu"...
    (gdb) r
    Starting program: /none/of/your/business/lftp-2.6.9/src/lftp
    lftp :~> open http://localhost/buffy/
    lftp localhost:/buffy> ls

    Program received signal SIGSEGV, Segmentation fault.
    0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
    (gdb) bt
    #0 0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
    #1 0x0808e2b1 in FileSet::FindByName(char const*) const ()
    #2 0x080af550 in file_info::validate() ()
    (gdb) i r
    eax 0x55555555 1431655765
    ecx 0x80e3af8 135150328
    edx 0xb7f1b422 -1208896478
    ebx 0x55555555 1431655765
    esp 0xbfffeaa0 0xbfffeaa0
    ebp 0xbfffeab8 0xbfffeab8
    esi 0xbffff5c0 -1073744448
    edi 0x55555555 1431655765
    eip 0x808e22c 0x808e22c
    eflags 0x210286 2163334
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x33 51
    (gdb) quit
    The program is running. Exit anyway? (y or n) y
    [metaur@hostname src]$

    (Developing an exploit for this is left as an exercise to the
    malicious reader.)

    * SOLVING THE PROBLEM *

    You solve this problem by upgrading to 2.6.10 or by applying my
    attached patch. 2.6.10 is currently only available from lftp's FTP
    site, not from its homepage.

    * ATTACHED FILES *

    I have attached a .tar.gz archive with a patch for this problem
    (I have diffed against lftp 2.6.9) and an HTML document that
    exhibits this behaviour. You install the document as index.html
    in some directory on a web server, and then use lftp's "open" and
    "ls" commands.

    In case your system administrator doesn't like .tar.gz
    attachments, I have also put it up for downloading at
    http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz

    * TIMELINE *

    5 dec: Alexander and the vendor-sec list (vendor-sec@lst.de)
    were contacted
    5 dec: Discussion on the vendor-sec list starts
    8 dec: Alexander replies that my patch is committed to CVS
    11 dec: Alexander releases lftp 2.6.10
    12 dec: Slackware releases their security update and advisory
    14 dec: I release this advisory

    * IRC KIDDIES *

    K: "h3y u ph0und 4 buphph3r 0v3rphl0w (th3 0nly r34l s3cur1ty h0l3)
        1n lftp!!!! n0w u c4n h4ng 0ut w1th us 1n #0d4yw4r3z 4nd u c4n
        3v3n b0rr0w my l1nk1n p4rk cdzZz!!!!1!!11!!!1!!"

    U: "Virgin."

    // Ulf Härnhammar
       kses - PHP HTML/XHTML filter (no XSS)
       http://sourceforge.net/projects/kses

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
