[Please upgrade if you use lftp -- Raju]

This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------
From: Härnhammar, Ulf <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] lftp buffer overflows
Date: Sun, 14 Dec 2003 00:08:04 +0100

lftp buffer overflows
---------------------

PROGRAM: lftp
VENDOR: Alexander V. Lukyanov et al.
HOMEPAGE: http://lftp.yar.ru/
VULNERABLE VERSIONS: 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9, probably all versions in between
IMMUNE VERSIONS: 2.6.10, older versions with my patch applied

* PROGRAM DESCRIPTION *

"lftp is a sophisticated command line based FTP client. It has a multithreaded design allowing you to issue and execute multiple commands simultaneously or in the background. It also features mirroring capabilities and will reconnect and continue transfers in the event of a disconnection. Also, if you quit the program while transfers are still in progress, it will switch to nohup mode and finish the transfers in the background. HTTP protocol and FTP over HTTP proxy are supported. Version 2.3.0 includes HTTPS and FTP over SSL support." (direct quote from the program's project page at Freshmeat)

lftp is free software/open source software, published under the terms of the GNU General Public License. It is one of the packages or ports in Red Hat Linux, SuSE Linux, Debian GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux, Conectiva Linux, OpenPKG, Yellow Dog Linux, Openwall GNU/*/Linux (Owl), ALT Linux, FreeBSD, NetBSD and OpenBSD, among others.

* SUMMARY *

I have found two buffer overflow security problems in lftp.
They both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.

* TECHNICAL DETAILS *

Technically, the problem lies in the file src/HttpDir.cc and the functions try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls that take data of an arbitrary length and store it in a char array with 32 elements. (Back in version 2.3.0, the problematic code was located in some other function, but the problem existed back then too.) Depending on the HTML document in the specially prepared directory, buffers will be overflowed in either one function or the other.

* SESSION CAPTURE *

[EMAIL PROTECTED] src]$ ./lftp -v
Lftp | Version 2.6.9 | Copyright (c) 1996-2002 Alexander V. Lukyanov
This is free software with ABSOLUTELY NO WARRANTY. See COPYING for details.
Send bug reports and questions to <[EMAIL PROTECTED]>.
[EMAIL PROTECTED] src]$ ./lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls
Segmentation fault
[EMAIL PROTECTED] src]$ gdb lftp
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) r
Starting program: /none/of/your/business/lftp-2.6.9/src/lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls

Program received signal SIGSEGV, Segmentation fault.
0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
(gdb) bt
#0  0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
#1  0x0808e2b1 in FileSet::FindByName(char const*) const ()
#2  0x080af550 in file_info::validate() ()
(gdb) i r
eax            0x55555555       1431655765
ecx            0x80e3af8        135150328
edx            0xb7f1b422       -1208896478
ebx            0x55555555       1431655765
esp            0xbfffeaa0       0xbfffeaa0
ebp            0xbfffeab8       0xbfffeab8
esi            0xbffff5c0       -1073744448
edi            0x55555555       1431655765
eip            0x808e22c        0x808e22c
eflags         0x210286         2163334
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x33             51
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[EMAIL PROTECTED] src]$

(Developing an exploit for this is left as an exercise to the malicious reader.)

* SOLVING THE PROBLEM *

You solve this problem by upgrading to 2.6.10 or by applying my attached patch. 2.6.10 is currently only available from lftp's FTP site, not from its homepage.

* ATTACHED FILES *

I have attached a .tar.gz archive with a patch for this problem (I have diffed against lftp 2.6.9) and an HTML document that exhibits this behaviour. You install the document as index.html in some directory on a web server, and then use lftp's "open" and "ls" commands.

In case your system administrator doesn't like .tar.gz attachments, I have also put it up for downloading at http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz

* TIMELINE *

5 dec: Alexander and the vendor-sec list ([EMAIL PROTECTED]) were contacted
5 dec: Discussion on the vendor-sec list starts
8 dec: Alexander replies that my patch is committed to CVS
11 dec: Alexander releases lftp 2.6.10
12 dec: Slackware releases their security update and advisory
14 dec: I release this advisory

* IRC KIDDIES *

K: "h3y u ph0und 4 buphph3r 0v3rphl0w (th3 0nly r34l s3cur1ty h0l3) 1n lftp!!!! n0w u c4n h4ng 0ut w1th us 1n #0d4yw4r3z 4nd u c4n 3v3n b0rr0w my l1nk1n p4rk cdzZz!!!!1!!11!!!1!!"
U: "Virgin."
// Ulf Härnhammar
kses - PHP HTML/XHTML filter (no XSS)
http://sourceforge.net/projects/kses

[Attachment: lftp-advisory-data.tar.gz (application/gzip, base64-encoded) not reproduced here]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------
End of this Digest
******************

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
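The TECHNICAL DETAILS section describes the bug class without showing the format strings: sscanf() with an unbounded "%s" conversion writing into a 32-element char array. The C below is an added illustration written for this digest, not lftp's code and not the author's patch; the listing lines it parses are constructed samples, and the function names (parse_name_unbounded, parse_name_bounded, accept_listing_entry) are hypothetical. It puts the unbounded pattern next to the hardened form that a maintainer would commit: a width specifier that matches the buffer, plus "%n" so a truncated token is detected and rejected instead of silently shortened.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Matches the 32-element char array the advisory describes. Everything
 * else in this file is a constructed illustration, not lftp's own code. */
#define NAME_LEN 32

/* The bug class: an unbounded "%s" conversion. sscanf() copies the whole
 * token into out[] however long it is, so a token of 32 or more characters
 * writes past the end of a NAME_LEN array. Kept only for comparison with
 * the hardened version; never call it on untrusted input. */
int parse_name_unbounded(const char *line, char out[NAME_LEN])
{
    return sscanf(line, "%s", out);
}

/* Hardened form: "%31s" caps the conversion at NAME_LEN-1 characters plus
 * the terminating NUL, and "%n" records how far the scan got so the caller
 * can tell a truncated token from one that fit.
 * Returns 1 if the whole token fit, 0 if it was cut off, -1 if no token. */
int parse_name_bounded(const char *line, char out[NAME_LEN])
{
    int consumed = 0;
    if (sscanf(line, "%31s%n", out, &consumed) != 1)
        return -1;
    /* If the character right after what was consumed is neither end of
     * string nor whitespace, the token continued beyond the buffer. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return 0;
    return 1;
}

/* What a listing parser should do with a line: accept entries whose name
 * fits and reject the rest. Returns the parse_name_bounded() status so
 * callers can count or log rejections. */
int accept_listing_entry(const char *line, char name_out[NAME_LEN])
{
    int status = parse_name_bounded(line, name_out);
    if (status != 1)
        name_out[0] = '\0';   /* never hand a partial name downstream */
    return status;
}

/* Wrappers so status and parsed name can be checked without a caller buffer. */
int entry_status(const char *line)
{
    char name[NAME_LEN];
    return accept_listing_entry(line, name);
}

int parsed_name_equals(const char *line, const char *expected)
{
    char name[NAME_LEN];
    accept_listing_entry(line, name);
    return strcmp(name, expected) == 0;
}

/* Constructed sample lines in the spirit of a proxy-generated directory
 * listing (not captured from a real server or from the advisory's index.html).
 * The third line carries a 48-character name, longer than the buffer. */
static const char *const SAMPLE_LINES[] = {
    "   index.html                 2003-12-05 10:00",
    "   notes.txt                  2003-12-06 11:30",
    "   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  2003-12-07 12:00",
    "   ",
};
#define NUM_SAMPLE_LINES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Runs the samples through the hardened parser and returns how many
 * entries were accepted; with the samples above that is 2. */
int count_accepted_entries(void)
{
    char name[NAME_LEN];
    int accepted = 0;
    for (size_t i = 0; i < NUM_SAMPLE_LINES; i++) {
        int status = accept_listing_entry(SAMPLE_LINES[i], name);
        if (status == 1)
            accepted++;
        printf("%-9s %s\n",
               status == 1 ? "ok" : status == 0 ? "too long" : "no token",
               status == 1 ? name : "");
    }
    return accepted;
}

int main(void)
{
    return count_accepted_entries() == 2 ? 0 : 1;
}
```

The width in the format string must be kept in step with the array size by hand (there is no way to pass NAME_LEN to sscanf), which is why the hardened parser also checks the byte after the token: that check is what turns a silent truncation, which could still confuse later code, into an explicit rejection.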