[UNIX] LFTP Buffer Overflow (Malformed HTML File)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/14/03

    To: list@securiteam.com
    Date: 14 Dec 2003 17:14:50 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      LFTP Buffer Overflow (Malformed HTML File)
    ------------------------------------------------------------------------

    SUMMARY

     <http://lftp.yar.ru/> lftp is "a sophisticated command line based FTP
    client. It has a multithreaded design allowing you to issue and execute
    multiple commands simultaneously or in the background. It also features
    mirroring capabilities and will reconnect and continue transfers in the
    event of a disconnection. In addition, if you quit the program while
    transfers are still in progress, it will switch to NOHUP mode and finish
    the transfers in the background. With HTTP, HTTPS and FTP over SSL
    support".

    The product has been found to contain two buffer overflows. Both of them
    occur when you connect to a web server with LFTP using HTTP or HTTPS, and
    then use LFTP's "ls" or "rels" commands on specially prepared directories
    on the web server.

    DETAILS

    Vulnerable systems:
     * LFTP versions 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9

    Immune systems:
     * LFTP version 2.6.10

    The problem lies in the file src/HttpDir.cc and the functions
    try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls
    that read a token of arbitrary length and store it in a char array with 32
    elements (back in version 2.3.0, the problematic code was located in some
    other function, but the problem existed back then too).

    Depending on the HTML document in the specially prepared directory, the
    buffer in one function or the other will overflow.
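    The following C program is an added illustration of the bug class described
    above and of the fix a maintainer would apply; it is not LFTP's code, and
    the format string, field layout and helper names are assumptions modelled on
    the listing line shown in the Recreation section below. The unbounded "%s"
    is shown only in a comment; the working parser uses a width-limited
    conversion into the same 32-byte array and rejects over-long tokens instead
    of silently truncating them.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not LFTP's code. The listing-line format below is an
 * assumption modelled on the advisory's recreation file; the 32-byte field
 * matches the buffer size the advisory gives. */
#define SIZE_FIELD_LEN 32

enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = 1, PARSE_MALFORMED = 2 };

/* The bug class the advisory describes, shown only as a comment:
 *     char size[32];
 *     sscanf(line, "... %s", size);   // "%s" has no width: a token longer
 *                                      // than 31 bytes writes past size[]
 */

/* Hardened variant: "%31s" never stores more than 31 characters plus NUL.
 * The extra "%1s" only matches if input remains after the limited token,
 * so n == 2 means the token was longer than the buffer allows (or the line
 * carried unexpected trailing data), and the caller can reject it. */
enum parse_status parse_listing_line(const char *line,
                                     char size_out[SIZE_FIELD_LEN]) {
    char tail[2];
    int n = sscanf(line,
                   "<a href=\"%*[^\"]\">%*[^<]</a> %*s %*s %*d %*d:%*d:%*d %*d %31s %1s",
                   size_out, tail);
    if (n == 1)
        return PARSE_OK;
    memset(size_out, 0, SIZE_FIELD_LEN);      /* never hand back partial data */
    return n == 2 ? PARSE_TOO_LONG : PARSE_MALFORMED;
}

/* Constructed sample lines (not real server output), shaped like the
 * advisory's recreation file: a short size token, a token that exactly
 * fills the 31 usable bytes, and an over-long token. */
static const char SAMPLE_OK[] =
    "<a href=\"/\">buffy</a> Fri May 30 10:09:06 2001 5";
static const char SAMPLE_MAX[] =
    "<a href=\"/\">buffy</a> Fri May 30 10:09:06 2001 5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";
static const char SAMPLE_OVERLONG[] =
    "<a href=\"/\">buffy</a> Fri May 30 10:09:06 2001 5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";

/* Helpers that return results by value so they can be checked directly. */
int classify(const char *line) {
    char size[SIZE_FIELD_LEN];
    return (int)parse_listing_line(line, size);
}

int size_token_equals(const char *line, const char *expected) {
    char size[SIZE_FIELD_LEN];
    if (parse_listing_line(line, size) != PARSE_OK)
        return 0;
    return strcmp(size, expected) == 0;
}

int main(void) {
    static const char *names[] = { "ok", "too long", "malformed" };
    const char *lines[] = { SAMPLE_OK, SAMPLE_MAX, SAMPLE_OVERLONG, "garbage" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char size[SIZE_FIELD_LEN];
        enum parse_status st = parse_listing_line(lines[i], size);
        printf("%-9s size=\"%s\"\n", names[st], size);
    }
    return 0;
}
```

    The width specifier is the whole fix; the trailing "%1s" is a cheap way to
    turn silent truncation into an explicit rejection, which is usually what a
    parser of untrusted server output should do.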

    Solution:
    You can solve this problem by upgrading to 2.6.10.

    Recreation:
    You can recreate the issue by storing the following HTML file on a web
    server, and then redirecting lftp to it:
    <a href="/">buffy</a> Fri May 30 10:09:06 2001
    5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUU

    ADDITIONAL INFORMATION

    The information has been provided by Ulf Härnhammar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

