[UNIX] LFTP Buffer Overflow (Malformed HTML File)

• Previous message: SecuriTeam: "[UNIX] sipD Format String Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 14 Dec 2003 17:14:50 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  LFTP Buffer Overflow (Malformed HTML File)
------------------------------------------------------------------------

SUMMARY

 <http://lftp.yar.ru/> lftp is "a sophisticated command line based FTP
client. It has a multithreaded design allowing you to issue and execute
multiple commands simultaneously or in the background. It also features
mirroring capabilities and will reconnect and continue transfers in the
event of a disconnection. In addition, if you quit the program while
transfers are still in progress, it will switch to NOHUP mode and finish
the transfers in the background. With HTTP, HTTPS and FTP over SSL
support".

The product has been found to contain two-buffer overflow. Both of them
occur when you connect to a web server with LFTP using HTTP or HTTPS, and
then use LFTP's "ls" or "rels" commands on specially prepared directories
on the web server.

DETAILS

Vulnerable systems:
 * LFTP versions 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9

Immune systems:
 * LFTP version 2.6.10

The problem lies in the file src/HttpDir.cc and the functions
try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls
that take data of an arbitrary length and store it in a char array with 32
elements (Back in version 2.3.0, the problematic code was located in some
other function, but the problem existed back then too).

Depending on the HTML document in the specially prepared directory,
buffers will be overflow in either one function or the other.

Solution:
You can solve this problem by upgrading to 2.6.10.

Recreation:
You can recreate the issue by storing the following HTML file on a web
server, and then redirecting lftp to it:
<a href="/">buffy</a> Fri May 30 10:09:06 2001
5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUU

ADDITIONAL INFORMATION

The information has been provided by Ulf Härnhammar.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] sipD Format String Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]