[UNIX] LFTP Buffer Overflow (Malformed HTML File)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/14/03
To: list@securiteam.com Date: 14 Dec 2003 17:14:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
LFTP Buffer Overflow (Malformed HTML File)
------------------------------------------------------------------------
SUMMARY
<http://lftp.yar.ru/> lftp is "a sophisticated command line based FTP
client. It has a multithreaded design allowing you to issue and execute
multiple commands simultaneously or in the background. It also features
mirroring capabilities and will reconnect and continue transfers in the
event of a disconnection. In addition, if you quit the program while
transfers are still in progress, it will switch to NOHUP mode and finish
the transfers in the background. With HTTP, HTTPS and FTP over SSL
support".
The product has been found to contain two buffer overflows. Both occur when
you connect to a web server with LFTP over HTTP or HTTPS and then use LFTP's
"ls" or "rels" commands on specially prepared directories on the web server.
DETAILS
Vulnerable systems:
* LFTP versions 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9
Immune systems:
* LFTP version 2.6.10
The problem lies in the file src/HttpDir.cc, in the functions
try_netscape_proxy() and try_squid_eplf(). Both contain sscanf() calls that
read data of arbitrary length into a char array of 32 elements (in version
2.3.0 the problematic code was located in a different function, but the
problem existed there too).
Depending on the HTML document in the specially prepared directory, the
buffer overflows in one function or the other.
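As an added illustration (not lftp's source, which the advisory does not quote), the program below shows the unbounded-sscanf pattern the advisory describes next to two hardened replacements: the minimal field-width fix, and a stricter parser that rejects oversized tokens rather than truncating them. The two-token "size name" line grammar, the function names and the sample lines are constructed assumptions for this example, not lftp's actual listing formats.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32  /* the 32-element char array the advisory describes */

typedef struct {
    char size[FIELD_LEN];
    char name[FIELD_LEN];
} entry_t;

/* Constructed sample listing lines (assumed "size name" grammar, not lftp's).
 * SAMPLE_LONG carries a 41-character first token, modelled on the run of
 * 'U' characters in the advisory's recreation file. */
const char *SAMPLE_OK   = "1234 README";
const char *SAMPLE_LONG = "5" "UUUUUUUUUU" "UUUUUUUUUU" "UUUUUUUUUU" "UUUUUUUUUU" " buffy";

/* The vulnerable shape, shown for contrast and never executed here:
 *     char size[32], name[32];
 *     sscanf(line, "%s %s", size, name);   // %s without a width writes past size[]
 */

/* Length of the whitespace-delimited token at *s; sets *start to its first
 * byte. This mirrors exactly what an unbounded %s conversion would consume. */
static size_t token_len(const char *s, const char **start) {
    while (isspace((unsigned char)*s)) s++;
    *start = s;
    size_t n = 0;
    while (s[n] && !isspace((unsigned char)s[n])) n++;
    return n;
}

/* Audit helper: would any token on this line exceed a FIELD_LEN buffer
 * (counting the terminating NUL) under an unbounded %s? */
int would_overflow_unbounded(const char *line) {
    const char *p = line;
    const char *tok;
    size_t n;
    while ((n = token_len(p, &tok)) > 0) {
        if (n >= FIELD_LEN) return 1;
        p = tok + n;
    }
    return 0;
}

/* Minimal fix: a width of FIELD_LEN-1 caps each conversion and leaves room
 * for the NUL. Overlong tokens are silently cut, and the tail of a cut first
 * token is then consumed as the second field, so the result can be
 * well-formed yet wrong. */
int parse_entry_truncating(const char *line, entry_t *out) {
    return sscanf(line, "%31s %31s", out->size, out->name) == 2;
}

/* Stricter replacement: measure each token first and reject the whole line
 * instead of truncating, so oversized input is an error rather than a guess. */
int parse_entry_strict(const char *line, entry_t *out) {
    const char *p;
    size_t n = token_len(line, &p);
    if (n == 0 || n >= FIELD_LEN) return 0;
    memcpy(out->size, p, n);
    out->size[n] = '\0';
    n = token_len(p + n, &p);
    if (n == 0 || n >= FIELD_LEN) return 0;
    memcpy(out->name, p, n);
    out->name[n] = '\0';
    return 1;
}

/* Wrappers returning the parsed name length, or -1 when the line is rejected. */
int truncating_name_len(const char *line) {
    entry_t e;
    return parse_entry_truncating(line, &e) ? (int)strlen(e.name) : -1;
}

int strict_name_len(const char *line) {
    entry_t e;
    return parse_entry_strict(line, &e) ? (int)strlen(e.name) : -1;
}

int main(void) {
    printf("unbounded %%s would overflow on SAMPLE_LONG: %d\n",
           would_overflow_unbounded(SAMPLE_LONG));
    printf("truncating parser name length on SAMPLE_LONG: %d\n",
           truncating_name_len(SAMPLE_LONG));
    printf("strict parser result on SAMPLE_LONG: %d\n",
           strict_name_len(SAMPLE_LONG));
    return 0;
}
```

On the long sample the width-limited parser succeeds but returns a name of ten 'U' characters rather than "buffy", which is why the strict variant, which rejects the line outright, is the safer choice for a directory-listing parser.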
Solution:
You can solve this problem by upgrading to 2.6.10.
Recreation:
You can recreate the issue by storing the following HTML file on a web
server, and then redirecting lftp to it:
<a href="/">buffy</a> Fri May 30 10:09:06 2001
5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUU
ADDITIONAL INFORMATION
The information has been provided by Ulf Härnhammar.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.