lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1071356884.3fdb9bd41269e@webmail.student.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Härnhammar, Ulf)
Subject: lftp buffer overflows

lftp buffer overflows
---------------------


PROGRAM: lftp
VENDOR: Alexander V. Lukyanov et al.
HOMEPAGE: http://lftp.yar.ru/
VULNERABLE VERSIONS: 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9,
probably all versions inbetween
IMMUNE VERSIONS: 2.6.10, older versions with my patch applied


* PROGRAM DESCRIPTION *


"lftp is a sophisticated command line based FTP client. It has a
multithreaded design allowing you to issue and execute multiple
commands simultaneosly or in the background. It also features
mirroring capabilities and will reconnect and continue transfers in
the event of a disconnection. Also, if you quit the program while
transfers are still in progress, it will switch to nohup mode and
finish the transfers in the background. HTTP protocol and FTP over
HTTP proxy are supported. Version 2.3.0 includes HTTPS and FTP over
SSL support."

(direct quote from the program's project page at Freshmeat)

lftp is free software/open source software, published under the
terms of the GNU General Public License.

It is one of the packages or ports in Red Hat Linux, SuSE Linux,
Debian GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux,
Conectiva Linux, OpenPKG, Yellow Dog Linux, Openwall GNU/*/Linux
(Owl), ALT Linux, FreeBSD, NetBSD and OpenBSD, among others.


* SUMMARY *


I have found two buffer overflow security problems in lftp. They
both occur when you connect to a web server with lftp using HTTP or
HTTPS, and then use lftp's "ls" or "rels" commands on specially
prepared directories on the web server.


* TECHNICAL DETAILS *


Technically, the problem lies in the file src/HttpDir.cc and the
functions try_netscape_proxy() and try_squid_eplf(), which both
have sscanf() calls that take data of an arbitrary length and
store it in a char array with 32 elements. (Back in version 2.3.0,
the problematic code was located in some other function, but the
problem existed back then too.)

Depending on the HTML document in the specially prepared directory,
buffers will be overflown in either one function or the other.


* SESSION CAPTURE *


[metaur@...tname src]$ ./lftp -v
Lftp | Version 2.6.9 | Copyright (c) 1996-2002 Alexander V. Lukyanov
This is free software with ABSOLUTELY NO WARRANTY. See COPYING for details.
Send bug reports and questions to <lftp@...yar.ac.ru>.
[metaur@...tname src]$ ./lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls
Segmentation fault
[metaur@...tname src]$ gdb lftp
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) r
Starting program: /none/of/your/business/lftp-2.6.9/src/lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls

Program received signal SIGSEGV, Segmentation fault.
0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
(gdb) bt
#0  0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
#1  0x0808e2b1 in FileSet::FindByName(char const*) const ()
#2  0x080af550 in file_info::validate() ()
(gdb) i r
eax            0x55555555       1431655765
ecx            0x80e3af8        135150328
edx            0xb7f1b422       -1208896478
ebx            0x55555555       1431655765
esp            0xbfffeaa0       0xbfffeaa0
ebp            0xbfffeab8       0xbfffeab8
esi            0xbffff5c0       -1073744448
edi            0x55555555       1431655765
eip            0x808e22c        0x808e22c
eflags         0x210286 2163334
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x33     51
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[metaur@...tname src]$

(Developing an exploit for this is left as an exercise to the
malicious reader.)


* SOLVING THE PROBLEM *


You solve this problem by upgrading to 2.6.10 or by applying my
attached patch. 2.6.10 is currently only available from lftp's FTP
site, not from its homepage.


* ATTACHED FILES *


I have attached a .tar.gz archive with a patch for this problem
(I have diffed against lftp 2.6.9) and an HTML document that
exhibits this behaviour. You install the document as index.html
in some directory on a web server, and then use lftp's "open" and
"ls" commands.

In case your system administrator doesn't like .tar.gz
attachments, I have also put it up for downloading at
http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz


* TIMELINE *


5 dec: Alexander and the vendor-sec list (vendor-sec@....de)
were contacted
5 dec: Discussion on the vendor-sec list starts
8 dec: Alexander replies that my patch is committed to CVS
11 dec: Alexander releases lftp 2.6.10
12 dec: Slackware releases their security update and advisory
14 dec: I release this advisory


* IRC KIDDIES *


K: "h3y u ph0und 4 buphph3r 0v3rphl0w (th3 0nly r34l s3cur1ty h0l3)
    1n lftp!!!! n0w u c4n h4ng 0ut w1th us 1n #0d4yw4r3z 4nd u c4n
    3v3n b0rr0w my l1nk1n p4rk cdzZz!!!!1!!11!!!1!!"

U: "Virgin."


// Ulf H?rnhammar
   kses - PHP HTML/XHTML filter (no XSS)
   http://sourceforge.net/projects/kses

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lftp-advisory-data.tar.gz
Type: application/gzip
Size: 630 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031214/ab91aae0/lftp-advisory-data.tar.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ