[UNIX] Buffer Overflows and Directory Traversal in LHA

From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04

    To: list@securiteam.com
    Date: 2 May 2004 18:09:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Buffer Overflows and Directory Traversal in LHA
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/> LHa for UNIX is a
    console-based utility that compresses and uncompresses .lha archives. Four
    security vulnerabilities have been found in the LHa archive
    compressor/decompressor: two allow overflowing internal buffers (allowing
    the execution of arbitrary code), and the other two allow traversing into
    directories outside the directory LHa was told to extract into (allowing
    sensitive files to be overwritten).

    DETAILS

    Vulnerable Systems:
     * LHa version 1.14d to 1.14i
     * LHa version 1.17 (Linux binary)

    Immune Systems:
     * Unofficial patch for versions 1.14i and 1.14h is provided below

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0234>
    CAN-2004-0234 (buffer overflows)
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0235>
    CAN-2004-0235 (directory traversal)

    LHa has two stack-based buffer overflows and two directory traversal
    problems. Malicious people can abuse them in many different ways:
     * Some mail virus scanners require LHa and run it automatically on
    attached files in e-mail messages
     * Some web applications allow uploading and unpacking of LHa archives
     * Other people set up their web browsers to start LHa automatically after
    downloading an LHarc archive
     * Social engineering is probably quite effective in this case.

    Buffer Overflows:
    The buffer overflows in LHa occur when testing (t) or extracting (x)
    archives whose entries have overly long filenames or directory names. The
    cause of the problem is the function get_header() in header.c. This
    function first reads the length of a filename or directory name from the
    archive, and then reads that many bytes into a fixed-size char array (one
    for filenames and one for directory names) without checking whether the
    array is big enough.
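
    The following is an added example, not code from the advisory or from LHa:
    it parses the length-prefixed name field the way get_header() should, with
    the two checks the original lacked. NAME_CAP is an assumed array size for
    the demo, and the headers are constructed inline.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not LHa's own code. The LHa header stores the
 * file name as one length byte followed by that many name bytes;
 * NAME_CAP stands in for the fixed array get_header() copies into. */
#define NAME_CAP 16

/* Copy the length-prefixed name at hdr[0..hdr_len) into name[cap].
 * Returns the name length, or -1 when the declared length would run
 * past the end of the header or would not fit in name[] together
 * with its terminator. The vulnerable get_header() did neither check
 * and copied the declared number of bytes into a fixed array. */
int read_name_field(const unsigned char *hdr, size_t hdr_len,
                    char *name, size_t cap)
{
    size_t name_len;

    if (hdr_len < 1 || cap < 1)
        return -1;
    name_len = hdr[0];              /* attacker-controlled length byte */
    if (name_len > hdr_len - 1)     /* more bytes declared than present */
        return -1;
    if (name_len >= cap)            /* no room left for the NUL */
        return -1;
    memcpy(name, hdr + 1, name_len);
    name[name_len] = '\0';
    return (int)name_len;
}

/* Well-formed constructed header: length 10 followed by "readme.txt". */
int demo_short_name(void)
{
    static const unsigned char hdr[] = { 10, 'r','e','a','d','m','e','.','t','x','t' };
    char name[NAME_CAP];
    return read_name_field(hdr, sizeof hdr, name, sizeof name);   /* 10 */
}

/* Constructed header declaring a 40-byte name of 'U' (0x55) bytes, as in
 * the advisory's crash: the old loop would write 40 bytes into the
 * 16-byte array; here the copy is refused before anything is written. */
int demo_oversized_name(void)
{
    unsigned char hdr[41];
    char name[NAME_CAP];
    hdr[0] = 40;
    memset(hdr + 1, 'U', 40);
    return read_name_field(hdr, sizeof hdr, name, sizeof name);   /* -1 */
}
```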

    By exploiting this bug, you get control over several registers including
    EIP, as you can see in this session capture (the overlong name consists of
    'U' bytes, 0x55, which is why EBX, EBP, ESI, EDI and EIP all end up as
    0x55555555):

    $ lha t buf_oflow.lha
    LHa: Error: Unknown information
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUU
    Segmentation fault
    $ lha x buf_oflow.lha
    LHa: Error: Unknown information
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUU
    Segmentation fault
    $ gdb lha
    GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
    Copyright 2003 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and
    you are welcome to change it and/or distribute copies of it under
    certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for
    details.
    This GDB was configured as "i386-redhat-linux-gnu"...
    (gdb) r x buf_oflow.lha
    Starting program: /usr/bin/lha x buf_oflow.lha
    LHa: Error: Unknown information
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUU

    Program received signal SIGSEGV, Segmentation fault.
    0x55555555 in ?? ()
    (gdb) bt
    #0 0x55555555 in ?? ()
    Cannot access memory at address 0x55555555
    (gdb) i r
    eax 0x4001e4a0 1073865888
    ecx 0xffffffe0 -32
    edx 0x24 36
    ebx 0x55555555 1431655765
    esp 0xbfffdd50 0xbfffdd50
    ebp 0x55555555 0x55555555
    esi 0x55555555 1431655765
    edi 0x55555555 1431655765
    eip 0x55555555 0x55555555
    eflags 0x210282 2163330
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x33 51
    (gdb) r t buf_oflow.lha
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /usr/bin/lha t buf_oflow.lha
    LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

    Program received signal SIGSEGV, Segmentation fault.
    0x55555555 in ?? ()
    (gdb) bt
    #0 0x55555555 in ?? ()
    Cannot access memory at address 0x55555555
    (gdb) i r
    eax 0x4001e4a0 1073865888
    ecx 0xffffffe0 -32
    edx 0x24 36
    ebx 0x55555555 1431655765
    esp 0xbfffe6d0 0xbfffe6d0
    ebp 0x55555555 0x55555555
    esi 0x55555555 1431655765
    edi 0x55555555 1431655765
    eip 0x55555555 0x55555555
    eflags 0x210286 2163334
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x33 51
    (gdb) q
    The program is running. Exit anyway? (y or n) y
    $

    Directory Traversal:
    LHa has directory traversal problems with both absolute and relative
    paths. There is no protection against relative paths at all, so you can
    simply use the LHa binary itself to create an archive with paths like
    "../../../../../etc/cron.d/evil". There is some simple protection against
    absolute paths, namely skipping the first character if it is a slash, but
    again you can simply use the binary to create archives with paths like
    "/etc/cron.d/evil".
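
    The following is an added example, not code from the advisory or from LHa:
    an entry-name check of the kind an extractor needs before joining an archive
    member name with the output directory. It rejects absolute names with any
    number of leading slashes and any ".." component, while accepting "." and
    names such as "..foo"; the base directory and entry names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not LHa's own code. Entry names from an archive
 * are attacker-controlled, so reject anything that could leave the
 * extraction directory: an absolute path (any number of leading
 * slashes, so "//etc/x" is caught as well) or a ".." component
 * anywhere. Returns 1 if the name must be refused, 0 if it is usable. */
int is_unsafe_archive_path(const char *path)
{
    const char *p = path;

    if (*p == '\0' || *p == '/')
        return 1;                      /* empty or absolute */

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;                  /* ".." component */
        if (end == NULL)
            break;
        p = end + 1;                   /* step past the separator */
    }
    return 0;
}

/* Build "<base>/<entry>" into out[cap] only when entry passed the check.
 * Returns 0 on success, -1 if the entry is unsafe or does not fit. */
int build_extract_path(const char *base, const char *entry,
                       char *out, size_t cap)
{
    int n;

    if (is_unsafe_archive_path(entry))
        return -1;
    n = snprintf(out, cap, "%s/%s", base, entry);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Demo: joins a constructed safe entry under a constructed base directory
 * and returns 1 when the result is the expected path. */
int demo_join(void)
{
    char out[64];

    if (build_extract_path("/tmp/unpack", "docs/readme.txt", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "/tmp/unpack/docs/readme.txt") == 0;
}
```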

    Disclosure Timeline:
    18 Apr: contacted the vendor-sec list and the LHa 1.14 author
    18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed
    e-mail address that bounced
    19 Apr: reply from the vendor-sec list with CVE references
    30 Apr: Red Hat released their advisory
    01 May: I release this advisory

    Patch:
    Below is an unofficial patch for some of the 1.14 versions of LHa:

    --- header.c.old 2000-10-05 19:36:03.000000000 +0200
    +++ header.c 2004-04-17 23:55:54.000000000 +0200
    @@ -538,6 +538,10 @@
         /*
          * filename
          */
    + if (header_size >= 256) {
    + fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
    + exit(109);
    + }
         for (i = 0; i < header_size - 3; i++)
          hdr->name[i] = (char) get_byte();
         hdr->name[header_size - 3] = '\0';
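
    Review bot: the new check has no lower bound, so a header_size below 3 still gets through and `header_size - 3` goes negative (or wraps, if unsigned), making `hdr->name[header_size - 3] = '\0'` write before the array; reject `header_size < 3` together with the upper bound. The literal 256 should also be `sizeof(hdr->name)` so the check cannot drift from the array size, especially since the next hunk uses the named constant FILENAME_LENGTH for the same purpose.
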
    @@ -547,6 +551,10 @@
         /*
          * directory
          */
    + if (header_size >= FILENAME_LENGTH) {
    + fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
    + exit(110);
    + }
         for (i = 0; i < header_size - 3; i++)
          dirname[i] = (char) get_byte();
         dirname[header_size - 3] = '\0';
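
    Review bot: same gap as in the filename hunk: nothing rejects header_size < 3, so `dirname[header_size - 3]` can still index before the array. The bound is also written differently here (FILENAME_LENGTH) than in the previous hunk (256); `sizeof(dirname)` in both places keeps them in step with the arrays. Calling `exit()` from header parsing is safe but blunt; returning an error so the caller can skip the entry would be cleaner.
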
    --- lhext.c.old 2000-10-04 16:57:38.000000000 +0200
    +++ lhext.c 2004-04-18 01:27:44.000000000 +0200
    @@ -190,8 +190,13 @@
       q = (char *) rindex(hdr->name, '/') + 1;
      }
      else {
    + if (is_directory_traversal(q)) {
    + fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
    + exit(111);
    + }
    +
       if (*q == '/') {
    - q++;
    + while (*q == '/') { q++; }
        /*
         * if OSK then strip device name
         */
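
    Review bot: `is_directory_traversal()` is called here around line 190 but defined near line 424 of the same file with no prototype in between, so the compiler sees an implicit declaration; add `int is_directory_traversal(char *);` near the top of lhext.c. The `while (*q == '/')` loop is the right replacement for the single `q++`, which stripped only one slash and so let a name beginning with `//` through as an absolute path.
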
    @@ -419,6 +424,33 @@
      return;
     }
     
    +int
    +is_directory_traversal(char *string)
    +{
    + unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than
    dots */
    + char *temp;
    +
    + temp = string;
    +
    + while (*temp != 0) {
    + if (temp[0] == '/') {
    + if (type == 1) { return 1; }
    + type = 0;
    + temp++;
    + continue;
    + }
    +
    + if ((temp[0] == '.') && (type < 2))
    + type = 1;
    + if (temp[0] != '.')
    + type = 2;
    +
    + temp++;
    + } /* while */
    +
    + return (type == 1);
    +}
    +
     /* Local Variables: */
     /* mode:c */
     /* tab-width:4 */
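
    Review bot: the classifier sets `type = 1` for any component consisting only of dots, so a harmless `.` component (`./readme.txt`, `a/./b`, a trailing `.`) is rejected as traversal. Counting the dots and returning 1 only for a component that is exactly `..` avoids those false positives; the parameter could also be `const char *`. Note that the comment on the `type` variable has been wrapped onto two lines in the posted text, so the patch will not apply until that line is rejoined.
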

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:Ulf.Harnhammar.9485@student.uu.se> Ulf Harnhammar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

