CVE-2004-0234
CVSS 10.0
Published: 2004-08-18 00:00:00
Revised: 2016-10-17 22:42:08
NMCOPS    

[Original] Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.


[CNNVD] LHA Buffer Overflow / Directory Traversal Vulnerability (CNNVD-200408-202)

LHa is a console-based decompression program.
LHa has two buffer overflows and two directory traversal problems. A remote attacker can exploit them to execute arbitrary instructions on the system with the privileges of the LHa process, or to corrupt the system.
The buffer overflows occur during the test (t) or extract (x) operations: when an over-long file name or directory name is parsed, the get_header() function overflows its buffer. A crafted file or directory name can therefore execute arbitrary instructions with the process's privileges.
In addition, relative paths are not protected at all, so LHA itself can be used to create an archive with a path like "../../../../../etc/cron.d/evil". Absolute paths are protected, but the protection can be bypassed with a path of the form "//etc/cron.d/evil". An attacker can build a simple archive that corrupts system files when LHA operates on it.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:clearswift:mailsweeper:4.3.4
cpe:/a:clearswift:mailsweeper:4.3.3
cpe:/a:redhat:lha:1.14i-9::i386
cpe:/a:f-secure:f-secure_anti-virus:4.52::linux_servers
cpe:/a:f-secure:f-secure_for_firewalls:6.20
cpe:/a:rarlab:winrar:3.20
cpe:/a:f-secure:f-secure_anti-virus:4.51::linux_servers
cpe:/a:clearswift:mailsweeper:4.1
cpe:/a:clearswift:mailsweeper:4.0
cpe:/a:f-secure:f-secure_anti-virus:6.21::ms_exchange
cpe:/a:f-secure:f-secure_anti-virus:4.60::samba_servers
cpe:/a:f-secure:f-secure_anti-virus:4.52::linux_workstations
cpe:/a:f-secure:f-secure_anti-virus:5.52::client_security
cpe:/a:sgi:propack:2.4 (SGI ProPack 2.4)
cpe:/a:f-secure:f-secure_anti-virus:4.51::linux_workstations
cpe:/a:f-secure:internet_gatekeeper:6.32
cpe:/a:f-secure:internet_gatekeeper:6.31
cpe:/a:clearswift:mailsweeper:4.3
cpe:/a:clearswift:mailsweeper:4.2
cpe:/a:f-secure:f-secure_anti-virus:5.41::mimesweeper
cpe:/a:f-secure:f-secure_anti-virus:5.42::windows_servers
cpe:/a:f-secure:f-secure_anti-virus:5.41::windows_servers
cpe:/a:f-secure:f-secure_anti-virus:5.42::mimesweeper
cpe:/a:f-secure:f-secure_anti-virus:4.51::linux_gateways
cpe:/a:f-secure:f-secure_anti-virus:4.52::linux_gateways
cpe:/a:f-secure:f-secure_internet_security:2003
cpe:/a:f-secure:f-secure_anti-virus:2003
cpe:/a:f-secure:f-secure_anti-virus:2004
cpe:/a:sgi:propack:3.0 (SGI ProPack 3.0)
cpe:/a:f-secure:f-secure_anti-virus:5.42::workstations
cpe:/a:f-secure:f-secure_anti-virus:5.41::workstations
cpe:/a:clearswift:mailsweeper:4.3.8
cpe:/a:winzip:winzip:9.0 (WinZip 9.0)
cpe:/a:clearswift:mailsweeper:4.3.13
cpe:/a:clearswift:mailsweeper:4.3.6_sp1
cpe:/a:clearswift:mailsweeper:4.3.7
cpe:/a:clearswift:mailsweeper:4.3.10
cpe:/a:clearswift:mailsweeper:4.3.6
cpe:/a:clearswift:mailsweeper:4.3.11
cpe:/a:clearswift:mailsweeper:4.3.5
cpe:/a:f-secure:f-secure_internet_security:2004
cpe:/a:f-secure:f-secure_personal_express:4.6
cpe:/a:stalker:cgpmcafee:3.2
cpe:/a:f-secure:f-secure_personal_express:4.7
cpe:/a:f-secure:f-secure_personal_express:4.5
cpe:/o:redhat:fedora_core:core_1.0
cpe:/a:tsugio_okamoto:lha:1.17
cpe:/a:tsugio_okamoto:lha:1.14
cpe:/a:f-secure:f-secure_anti-virus:5.5::client_security
cpe:/a:tsugio_okamoto:lha:1.15

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9881 - Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewa...
oval:org.mitre.oval:def:977 - Multiple BO Vulnerabilities in LHA get_header Function
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0234
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-202
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2006-04/0059.html
(UNKNOWN)  BUGTRAQ  20060403 Barracuda LHA archiver security bug leads to remote compromise
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000840
(UNKNOWN)  CONECTIVA  CLA-2004:840
http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html
(UNKNOWN)  FULLDISC  20040501 LHa buffer overflows and directory traversal problems
http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020778.html
(UNKNOWN)  FULLDISC  20040502 Lha local stack overflow Proof Of Concept Code
http://marc.info/?l=bugtraq&m=108422737918885&w=2
(UNKNOWN)  BUGTRAQ  20040510 [Ulf Harnhammar]: LHA Advisory + Patch
http://security.gentoo.org/glsa/glsa-200405-02.xml
(UNKNOWN)  GENTOO  GLSA-200405-02
http://securitytracker.com/id?1015866
(UNKNOWN)  SECTRACK  1015866
http://www.debian.org/security/2004/dsa-515
(UNKNOWN)  DEBIAN  DSA-515
http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt
(UNKNOWN)  MISC  http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt
http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html
(UNKNOWN)  FEDORA  FEDORA-2004-119
http://www.redhat.com/support/errata/RHSA-2004-178.html
(UNKNOWN)  REDHAT  RHSA-2004:178
http://www.redhat.com/support/errata/RHSA-2004-179.html
(UNKNOWN)  REDHAT  RHSA-2004:179
http://www.securityfocus.com/bid/10243
(VENDOR_ADVISORY)  BID  10243
http://www.vupen.com/english/advisories/2006/1220
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1220
http://xforce.iss.net/xforce/xfdb/16012
(VENDOR_ADVISORY)  XF  lha-multiple-bo(16012)
https://bugzilla.fedora.us/show_bug.cgi?id=1833
(UNKNOWN)  FEDORA  FLSA:1833

- Vulnerability information

LHA Buffer Overflow / Directory Traversal Vulnerability
Critical  Unknown
2004-08-18 00:00:00 2007-05-22 00:00:00
Remote

- Advisories and patches

No data available

- Vulnerability information (F33241)

lha.txt (PacketStormID:F33241)
2004-05-04 00:00:00
Ulf Harnhammar  
advisory,overflow
CVE-2004-0234,CVE-2004-0235

LHa versions 1.14d to 1.14i and 1.17 suffer from buffer overflows and directory traversal flaws.

------------------------------------------------------------------------

LHa buffer overflows and directory traversal problems

PROGRAM: LHa (Unix version)
VENDOR: various people
VULNERABLE VERSIONS: 1.14d to 1.14i
                     1.17 (Linux binary)
                     possibly others
IMMUNE VERSIONS: 1.14i with my patch applied
                 1.14h with my patch applied
LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm
          http://www2m.biglobe.ne.jp/~dolphin/lha/prog/
LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/
REFERENCES: CAN-2004-0234 (buffer overflows)
            CAN-2004-0235 (directory traversal)

* DESCRIPTION *

LHa is a console-based program for packing and unpacking LHarc
archives.

It is one of the packages in Red Hat Linux, Fedora Core, SUSE
Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux,
Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux.
It is also included in the port/package collections for FreeBSD,
OpenBSD and NetBSD.

* OVERVIEW *

LHa has two stack-based buffer overflows and two directory traversal
problems. They can be abused by malicious people in many different
ways: some mail virus scanners require LHa and run it automatically
on attached files in e-mail messages. Some web applications allow
uploading and unpacking of LHarc archives. Some people set up their
web browsers to start LHa automatically after downloading an LHarc
archive. Finally, social engineering is probably quite effective
in this case.

* TECHNICAL DETAILS *

a) two stack-based buffer overflows

The buffer overflows in LHa occur when testing (t) or extracting
(x) archives where the archive contents have too long filenames
or directory names. The cause of the problem is the function
get_header() in header.c. This function first reads the lengths of
filenames or directory names from the archive, and then it reads
that many bytes to a char array (one for filenames and one for
directory names) without checking if the array is big enough.

By exploiting this bug, you get control over several registers
including EIP, as you can see in this session capture:

$ lha t buf_oflow.lha
LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUU
Segmentation fault
$ lha x buf_oflow.lha
LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUU
Segmentation fault
$ gdb lha
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) r x buf_oflow.lha
Starting program: /usr/bin/lha x buf_oflow.lha
LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUU

Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) bt
#0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax 0x4001e4a0 1073865888
ecx 0xffffffe0 -32
edx 0x24 36
ebx 0x55555555 1431655765
esp 0xbfffdd50 0xbfffdd50
ebp 0x55555555 0x55555555
esi 0x55555555 1431655765
edi 0x55555555 1431655765
eip 0x55555555 0x55555555
eflags 0x210282 2163330
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x33 51
(gdb) r t buf_oflow.lha
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/lha t buf_oflow.lha
LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUU

Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) bt
#0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax 0x4001e4a0 1073865888
ecx 0xffffffe0 -32
edx 0x24 36
ebx 0x55555555 1431655765
esp 0xbfffe6d0 0xbfffe6d0
ebp 0x55555555 0x55555555
esi 0x55555555 1431655765
edi 0x55555555 1431655765
eip 0x55555555 0x55555555
eflags 0x210286 2163334
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x33 51
(gdb) q
The program is running. Exit anyway? (y or n) y
$
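The length-then-copy pattern the advisory describes, shown as an added example that is not LHa's own code and does not use the real LHA header layout. A constructed record consists of one length byte followed by that many name bytes; the first reader trusts the length the way get_header() did, the second validates it against the destination capacity before copying. The record layout, NAME_MAX_LEN and the function names are assumptions chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed, simplified record layout (NOT the real LHA header format):
 *   byte 0     : name length N
 *   bytes 1..N : name bytes, not NUL-terminated
 * Both readers return the number of record bytes consumed, or -1 on error. */

#define NAME_MAX_LEN 32   /* assumed fixed-size destination, standing in for the
                             char arrays get_header() copied into */

/* Flawed pattern, mirroring the advisory: the length comes from the archive
 * and is used as the copy size without comparing it to the array size, so
 * any N >= NAME_MAX_LEN writes past the end of a stack buffer.
 * Kept here only for contrast; never call it on untrusted input. */
int read_name_unchecked(const uint8_t *rec, size_t reclen, char out[NAME_MAX_LEN])
{
    if (reclen < 1) return -1;
    size_t n = rec[0];
    if (reclen < 1 + n) return -1;
    memcpy(out, rec + 1, n);      /* no check of n against NAME_MAX_LEN */
    out[n] = '\0';
    return (int)(1 + n);
}

/* Hardened pattern: the untrusted length is checked against the destination
 * capacity (leaving room for the terminator) before a single byte is copied,
 * and a record shorter than its declared length is rejected as truncated. */
int read_name_checked(const uint8_t *rec, size_t reclen, char *out, size_t outcap)
{
    if (rec == NULL || out == NULL || reclen < 1 || outcap == 0) return -1;
    size_t n = rec[0];
    if (n >= outcap) return -1;       /* would not fit with its terminator */
    if (reclen < 1 + n) return -1;    /* declared length exceeds the record */
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)(1 + n);
}

/* Builds a constructed record whose name is n copies of 'U' (the filler seen
 * in the advisory's session capture) and parses it with the checked reader. */
int parse_constructed_record(size_t n, char *out, size_t outcap)
{
    uint8_t rec[1 + 255];
    if (n > 255) n = 255;             /* one length byte cannot express more */
    rec[0] = (uint8_t)n;
    memset(rec + 1, 'U', n);
    return read_name_checked(rec, 1 + n, out, outcap);
}

int main(void)
{
    char name[NAME_MAX_LEN];
    int rc = parse_constructed_record(5, name, sizeof name);
    printf("5-byte name: rc=%d name=%s\n", rc, name);
    rc = parse_constructed_record(200, name, sizeof name);
    printf("200-byte name: rc=%d (rejected before any copy)\n", rc);
    return 0;
}
```

The check `n >= outcap` is the whole fix: the same comparison, applied to both the file-name and the directory-name arrays, is what turns a trusting copy into a parse error on the over-long names that crash the unpatched binary.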

b) two directory traversal problems

LHa has directory traversal problems, both with absolute paths
and relative paths. There is no protection against relative paths
at all, so you can simply use the lha binary to create an archive
with paths like "../../../../../etc/cron.d/evil". There is some
simple protection against absolute paths, namely skipping the first
character if it is a slash, but again you can simply use the binary
to create archives with paths like "//etc/cron.d/evil".
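The two traversal cases above, as an added example that is not LHa's code: a constructed helper reproducing the one defence the advisory describes (skipping a single leading slash), so its failure on "//" paths can be observed, beside a member-path check that rejects any leading slash and any ".." component before extraction. Treating '/' as the only separator is an assumption matching the Unix LHa the advisory covers; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Reproduces the only absolute-path defence the advisory mentions: drop the
 * first character if it is a slash. Constructed for contrast; a path that
 * starts with "//" comes out still absolute. */
const char *naive_strip_one_slash(const char *path)
{
    return (path[0] == '/') ? path + 1 : path;
}

/* Hardened check for an archive member path about to be written beneath the
 * extraction directory. Returns true only if the path is non-empty, relative
 * (no leading '/', which also covers "//") and contains no ".." component.
 * Assumption: '/' is the only separator (Unix LHa). */
bool member_path_is_safe(const char *path)
{
    if (path == NULL || path[0] == '\0') return false;
    if (path[0] == '/') return false;

    const char *p = path;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        /* exactly ".." escapes the extraction root; "..x" is an ordinary name */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (*p == '/') p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample member paths, two of them taken from the advisory. */
    const char *samples[] = {
        "../../../../../etc/cron.d/evil",
        "//etc/cron.d/evil",
        "docs/readme.txt",
        "docs/..hidden/file",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-34s naive->%-22s safe=%s\n", samples[i],
               naive_strip_one_slash(samples[i]),
               member_path_is_safe(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Rejecting the member outright, rather than rewriting it, keeps the decision simple to audit; an extractor that prefers to keep such members can still strip the offending components, but must re-run the check on the result.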

* ATTACHED FILES *

I have written a patch against version 1.14i that corrects all
four problems. The patch is included as an attachment, together
with some test archives.

* TIMELINE *

18 Apr: contacted the vendor-sec list and the LHa 1.14 author
18 Apr: tried to contact the LHa 1.17 author with a web form and
        a guessed e-mail address which bounced
19 Apr: reply from the vendor-sec list with CVE references
30 Apr: Red Hat released their advisory
01 May: I release this advisory

// Ulf Harnhammar
Advogato diary :: http://www.advogato.org/person/metaur/
idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/
Debian Security Audit Project :: http://shellcode.org/Audit/

------------------------------------------------------------------------
    

- Vulnerability information

5753
LHA get_header() Function File / Directory Name Handling Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Virus / Malware

- Vulnerability description

A remote overflow exists in LHA. The get_header() function fails to perform proper bounds checking resulting in a buffer overflow. By sending an LHA archive containing files with overly long file or directory names, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-05-02 Unknown
2004-05-01 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. Consult your vendor for an appropriate patch. On June 06, 2004, Lukasz Wojtow demonstrated that the initial patch did not mitigate this vulnerability. Ensure you have the latest vendor patch available.

- References

- Credits

- Vulnerability information

Multiple LHA Buffer Overflow/Directory Traversal Vulnerabilities
Unknown 10243
Yes No
2004-04-30 12:00:00 2009-07-12 04:07:00
Discovery of these vulnerabilities has been credited to Ulf Harnhammar.

- Affected program versions

WinZip WinZip 9.0
Stalker CGPMcAfee 3.2
+ McAfee Antivirus Engine 4.3.20
SGI ProPack 3.0
SGI ProPack 2.4
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat lha-1.14i-9.i386.rpm
+ RedHat Linux 9.0 i386
Red Hat Fedora Core1
RARLAB WinRar 3.20
Mr. S.K. LHA 1.17
Mr. S.K. LHA 1.15
Mr. S.K. LHA 1.14
McAfee WebShield SMTP 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee Webshield Appliances
McAfee VirusScan Professional
McAfee VirusScan for NetApp
McAfee VirusScan Enterprise 8.0 i
McAfee VirusScan Command Line
McAfee VirusScan 9.0
McAfee VirusScan 8.0
McAfee VirusScan 7.1
McAfee VirusScan 7.0
McAfee VirusScan 6.0
McAfee VirusScan 5.0
McAfee VirusScan 4.5.1
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
McAfee VirusScan 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee VirusScan 4.0.3
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee VirusScan 4.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
McAfee VirusScan 3.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
McAfee VirusScan 2.0
McAfee VirusScan 1.0
McAfee Virex
McAfee SecurityShield for Microsoft ISA Server
McAfee PortalShield for Microsoft SharePoint
McAfee NetShield for Netware
McAfee Managed VirusScan
McAfee LinuxShield
McAfee Internet Security Suite
McAfee GroupShield for Mail Servers with ePO
McAfee GroupShield for Lotus Domino
McAfee GroupShield for Exchange 5.5
McAfee ASaP VirusScan 0
McAfee Active Virus Defense SMB Edition
McAfee Active Threat Protection
McAfee Active Mail Protection
F-Secure Personal Express 4.7
F-Secure Personal Express 4.6
F-Secure Personal Express 4.5
F-Secure Internet Security 2004
F-Secure Internet Security 2003
F-Secure Internet Gatekeeper 6.32
F-Secure Internet Gatekeeper 6.31
F-Secure F-Secure for Firewalls 6.20
F-Secure Anti-Virus for Workstations 5.42
F-Secure Anti-Virus for Workstations 5.41
F-Secure Anti-Virus for Windows Servers 5.42
F-Secure Anti-Virus for Windows Servers 5.41
F-Secure Anti-Virus for Samba Servers 4.60
F-Secure Anti-Virus for MS Exchange 6.21
F-Secure Anti-Virus for MIMEsweeper 5.42
F-Secure Anti-Virus for MIMEsweeper 5.41
F-Secure Anti-Virus for Linux Workstations 4.52
F-Secure Anti-Virus for Linux Workstations 4.51
F-Secure Anti-Virus for Linux Servers 4.52
F-Secure Anti-Virus for Linux Servers 4.51
F-Secure Anti-Virus for Linux Gateways 4.52
F-Secure Anti-Virus for Linux Gateways 4.51
F-Secure Anti-Virus Client Security 5.52
F-Secure Anti-Virus Client Security 5.50
F-Secure Anti-Virus 2004
F-Secure Anti-Virus 2003
Clearswift MailSweeper 4.3.13
Clearswift MailSweeper 4.3.11
Clearswift MailSweeper 4.3.10
Clearswift MailSweeper 4.3.8
Clearswift MailSweeper 4.3.7
Clearswift MailSweeper 4.3.6 SP1
Clearswift MailSweeper 4.3.6
Clearswift MailSweeper 4.3.5
Clearswift MailSweeper 4.3.4
Clearswift MailSweeper 4.3.3
Clearswift MailSweeper 4.3
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
Clearswift MailSweeper 4.2
Clearswift MailSweeper 4.1
Clearswift MailSweeper 4.0
Barracuda Networks Barracuda Spam Firewall 3.1.18 firmware
Barracuda Networks Barracuda Spam Firewall 3.1.17 firmware
Barracuda Networks Barracuda Spam Firewall 3.3.03.022 firmware

- Unaffected program versions

Barracuda Networks Barracuda Spam Firewall 3.3.03.022 firmware

- Vulnerability discussion


LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on.

The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility.

The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility.

**NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency.

**Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability.

- Exploit

The following proof-of-concept exploit has been supplied by "narko tix" <narkotix@linuxmail.org>. This proof of concept was observed to also cause an access violation in WinZip and WinRAR products.

This vulnerability can be tested using the PIRANA exploitation framework available at the following location:

http://www.guay-leroux.com/projects/pirana-0.2.1.tar.gz

- Solution


Please see the referenced advisories for further information.


RedHat lha-1.14i-9.i386.rpm

Mr. S.K. LHA 1.14

SGI ProPack 3.0

F-Secure Anti-Virus for Linux Servers 4.52

F-Secure Anti-Virus for Linux Gateways 4.52

F-Secure Anti-Virus for Samba Servers 4.60

F-Secure Anti-Virus for Windows Servers 5.41

F-Secure Anti-Virus for MIMEsweeper 5.41

F-Secure Anti-Virus for Workstations 5.41

F-Secure Anti-Virus for Windows Servers 5.42

F-Secure Anti-Virus for MIMEsweeper 5.42

F-Secure Anti-Virus for Workstations 5.42

F-Secure Anti-Virus Client Security 5.50

F-Secure F-Secure for Firewalls 6.20

F-Secure Anti-Virus for MS Exchange 6.21

F-Secure Internet Gatekeeper 6.32

- References
