[Full-Disclosure] lftp buffer overflows

2003-12-15T00:00:00
ID SECURITYVULNS:DOC:5523
Type securityvulns
Reporter Securityvulns
Modified 2003-12-15T00:00:00

Description

lftp buffer overflows

PROGRAM: lftp VENDOR: Alexander V. Lukyanov et al. HOMEPAGE: http://lftp.yar.ru/ VULNERABLE VERSIONS: 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9, probably all versions inbetween IMMUNE VERSIONS: 2.6.10, older versions with my patch applied

  • PROGRAM DESCRIPTION *

"lftp is a sophisticated command line based FTP client. It has a multithreaded design allowing you to issue and execute multiple commands simultaneosly or in the background. It also features mirroring capabilities and will reconnect and continue transfers in the event of a disconnection. Also, if you quit the program while transfers are still in progress, it will switch to nohup mode and finish the transfers in the background. HTTP protocol and FTP over HTTP proxy are supported. Version 2.3.0 includes HTTPS and FTP over SSL support."

(direct quote from the program's project page at Freshmeat)

lftp is free software/open source software, published under the terms of the GNU General Public License.

It is one of the packages or ports in Red Hat Linux, SuSE Linux, Debian GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux, Conectiva Linux, OpenPKG, Yellow Dog Linux, Openwall GNU/*/Linux (Owl), ALT Linux, FreeBSD, NetBSD and OpenBSD, among others.

  • SUMMARY *

I have found two buffer overflow security problems in lftp. They both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.

  • TECHNICAL DETAILS *

Technically, the problem lies in the file src/HttpDir.cc and the functions try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls that take data of an arbitrary length and store it in a char array with 32 elements. (Back in version 2.3.0, the problematic code was located in some other function, but the problem existed back then too.)

Depending on the HTML document in the specially prepared directory, buffers will be overflown in either one function or the other.

  • SESSION CAPTURE *

[metaur@hostname src]$ ./lftp -v Lftp | Version 2.6.9 | Copyright (c) 1996-2002 Alexander V. Lukyanov This is free software with ABSOLUTELY NO WARRANTY. See COPYING for details. Send bug reports and questions to <lftp@uniyar.ac.ru>. [metaur@hostname src]$ ./lftp lftp :~> open http://localhost/buffy/ lftp localhost:/buffy> ls Segmentation fault [metaur@hostname src]$ gdb lftp GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (gdb) r Starting program: /none/of/your/business/lftp-2.6.9/src/lftp lftp :~> open http://localhost/buffy/ lftp localhost:/buffy> ls

Program received signal SIGSEGV, Segmentation fault. 0x0808e22c in FileSet::FindGEIndByName(char const*) const () (gdb) bt

0 0x0808e22c in FileSet::FindGEIndByName(char const*) const ()

1 0x0808e2b1 in FileSet::FindByName(char const*) const ()

2 0x080af550 in file_info::validate() ()

(gdb) i r eax 0x55555555 1431655765 ecx 0x80e3af8 135150328 edx 0xb7f1b422 -1208896478 ebx 0x55555555 1431655765 esp 0xbfffeaa0 0xbfffeaa0 ebp 0xbfffeab8 0xbfffeab8 esi 0xbffff5c0 -1073744448 edi 0x55555555 1431655765 eip 0x808e22c 0x808e22c eflags 0x210286 2163334 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) quit The program is running. Exit anyway? (y or n) y [metaur@hostname src]$

(Developing an exploit for this is left as an exercise to the malicious reader.)

  • SOLVING THE PROBLEM *

You solve this problem by upgrading to 2.6.10 or by applying my attached patch. 2.6.10 is currently only available from lftp's FTP site, not from its homepage.

  • ATTACHED FILES *

I have attached a .tar.gz archive with a patch for this problem (I have diffed against lftp 2.6.9) and an HTML document that exhibits this behaviour. You install the document as index.html in some directory on a web server, and then use lftp's "open" and "ls" commands.

In case your system administrator doesn't like .tar.gz attachments, I have also put it up for downloading at http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz

  • TIMELINE *

5 dec: Alexander and the vendor-sec list (vendor-sec@lst.de) were contacted 5 dec: Discussion on the vendor-sec list starts 8 dec: Alexander replies that my patch is committed to CVS 11 dec: Alexander releases lftp 2.6.10 12 dec: Slackware releases their security update and advisory 14 dec: I release this advisory

  • IRC KIDDIES *

K: "h3y u ph0und 4 buphph3r 0v3rphl0w (th3 0nly r34l s3cur1ty h0l3) 1n lftp!!!! n0w u c4n h4ng 0ut w1th us 1n #0d4yw4r3z 4nd u c4n 3v3n b0rr0w my l1nk1n p4rk cdzZz!!!!1!!11!!!1!!"

U: "Virgin."

// Ulf Härnhammar kses - PHP HTML/XHTML filter (no XSS) http://sourceforge.net/projects/kses