[UNIX] LFTP Buffer Overflow (Malformed HTML File)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/14/03

    To: list@securiteam.com
    Date: 14 Dec 2003 17:14:50 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      LFTP Buffer Overflow (Malformed HTML File)
    ------------------------------------------------------------------------

    SUMMARY

     <http://lftp.yar.ru/> lftp is "a sophisticated command line based FTP
    client. It has a multithreaded design allowing you to issue and execute
    multiple commands simultaneously or in the background. It also features
    mirroring capabilities and will reconnect and continue transfers in the
    event of a disconnection. In addition, if you quit the program while
    transfers are still in progress, it will switch to NOHUP mode and finish
    the transfers in the background. With HTTP, HTTPS and FTP over SSL
    support".

    The product has been found to contain two buffer overflows. Both occur
    when you connect to a web server with LFTP using HTTP or HTTPS and then
    use LFTP's "ls" or "rels" commands on specially prepared directories on
    the web server.

    DETAILS

    Vulnerable systems:
     * LFTP versions 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9

    Immune systems:
     * LFTP version 2.6.10

    The problem lies in the file src/HttpDir.cc and the functions
    try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls
    that take data of an arbitrary length and store it in a char array with 32
    elements (Back in version 2.3.0, the problematic code was located in some
    other function, but the problem existed back then too).

    Depending on the HTML document in the specially prepared directory, the
    buffer in one function or the other will overflow.
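
    The following is an added illustration, not lftp's code and not part of the advisory: a hypothetical parser for a listing line of the shape used in the Recreation section, showing the width-limited sscanf() form that keeps a 32-element char array from overflowing. The line layout, the struct and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical listing parser modelled on the advisory's description,
 * not lftp's own code: a field is read with sscanf() into a 32-byte char
 * array. Line layout assumed from the reproduction file:
 *   <a href="...">name</a> DOW MON DAY TIME YEAR SIZE */
#define FIELD_LEN 32

struct entry {
    char date[FIELD_LEN];   /* e.g. "Fri May 30 10:09:06 2001" */
    char size[FIELD_LEN];   /* e.g. "1234" */
};

/* The unsafe pattern the advisory describes is
 *     sscanf(p, "%s", buf);           // buf is char[32]
 * "%s" has no width limit, so a token longer than 31 bytes is copied past
 * the end of buf. Below, "%31s" caps each conversion at 31 bytes plus NUL,
 * and any token that reached the cap is rejected, because sscanf truncates
 * silently instead of reporting an error. */
bool parse_entry_safe(const char *line, struct entry *e)
{
    const char *p = strstr(line, "</a>");
    if (p == NULL)
        return false;
    p += strlen("</a>");

    char tok[6][FIELD_LEN];
    int n = sscanf(p, "%31s %31s %31s %31s %31s %31s",
                   tok[0], tok[1], tok[2], tok[3], tok[4], tok[5]);
    if (n != 6)
        return false;
    for (int i = 0; i < 6; i++)
        if (strlen(tok[i]) >= FIELD_LEN - 1)   /* possibly truncated */
            return false;

    snprintf(e->date, sizeof e->date, "%s %s %s %s %s",
             tok[0], tok[1], tok[2], tok[3], tok[4]);
    snprintf(e->size, sizeof e->size, "%s", tok[5]);
    return true;
}

/* Helper: true if `line` parses and yields exactly `date` and `size`. */
bool parses_as(const char *line, const char *date, const char *size)
{
    struct entry e;
    return parse_entry_safe(line, &e) &&
           strcmp(e.date, date) == 0 && strcmp(e.size, size) == 0;
}
```

Feeding the oversized size token from the reproduction file to parse_entry_safe() returns false instead of writing past the 32-byte array.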

    Solution:
    You can solve this problem by upgrading to 2.6.10.

    Recreation:
    You can recreate the issue by storing the following HTML file on a web
    server, and then redirecting lftp to it:
    <a href="/">buffy</a> Fri May 30 10:09:06 2001
    5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUU

    ADDITIONAL INFORMATION

    The information has been provided by Ulf Härnhammar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

