lftp Try_Squid_Eplf Remote Buffer Overflow Vulnerability
Source: vittersafe.yeah.net  Author: vitter  Published: 2003-12-29


Affected systems:
Alexander V. Lukyanov lftp 2.6.9
Alexander V. Lukyanov lftp 2.6.8
Alexander V. Lukyanov lftp 2.6.7
Alexander V. Lukyanov lftp 2.6.6
Alexander V. Lukyanov lftp 2.6.5
Alexander V. Lukyanov lftp 2.6.4
Alexander V. Lukyanov lftp 2.6.3
Alexander V. Lukyanov lftp 2.6.0
Alexander V. Lukyanov lftp 2.5.2
Alexander V. Lukyanov lftp 2.3
Alexander V. Lukyanov lftp 2.4.9
- Mandrake Linux 8.2
- RedHat Linux 7.3
- RedHat Linux 7.2
Unaffected systems:
Alexander V. Lukyanov lftp 2.6.10
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9212
CVE(CAN) ID: CAN-2003-0963

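lftp is a command-line FTP client that runs on multiple platforms and supports multiple protocols (ftp, ftps, http, https, hftp, and others).

lftp does not correctly handle certain directory information in content returned by a remote HTTP server. A remote attacker can exploit this to trigger a buffer overflow and possibly execute arbitrary commands on the system with the privileges of the lftp process.

The flaw is in the try_squid_eplf() function in src/HttpDir.cc. When lftp connects to a web server over HTTP or HTTPS and the "ls" or "rels" command is used to browse a specially crafted directory, the sscanf() call that parses the input lacks adequate buffer bounds checking. Carefully constructed directory data can trigger a buffer overflow and may allow arbitrary commands to be executed with the privileges of the lftp process.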

<*Source: Ulf Harnhammar (ulfh@update.uu.se)

Links: http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0070.html
https://www.redhat.com/support/errata/RHSA-2003-403.html
http://www.linux-mandrake.com/en/security/2003/2003-116.php
*>
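
The missing bounds check described above, shown as an added example that is not lftp's code and not part of the original advisory: a hypothetical three-field listing line (date, size, name) parsed with width-limited sscanf() conversions, using %n to reject over-long tokens instead of silently splitting them. The struct entry layout, parse_entry() and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical listing record; the field sizes are chosen for illustration. */
struct entry {
    char date[16];
    long long size;
    char name[64];
};

/*
 * Unsafe pattern of the kind the advisory describes (not lftp's own code):
 *     sscanf(line, "%s %lld %s", e->date, &e->size, e->name);
 * A bare %s copies until whitespace, however small the destination is.
 *
 * Hardened form: each conversion has a width one less than its buffer, and
 * %n records where it stopped so an over-long token is rejected rather than
 * silently split. Returns 0 on success, -1 on a malformed line.
 */
int parse_entry(const char *line, struct entry *e)
{
    int d_end = 0, s_end = 0, n_end = 0;

    memset(e, 0, sizeof *e);
    if (sscanf(line, "%15s%n %18lld%n %63s%n", e->date, &d_end,
               &e->size, &s_end, e->name, &n_end) != 3)
        return -1;
    /* A width-limited conversion that stopped mid-token is not followed
       by a separator: treat that as hostile input, not as two fields. */
    if (!isspace((unsigned char)line[d_end]) ||
        !isspace((unsigned char)line[s_end]))
        return -1;
    if (line[n_end] != '\0' && line[n_end] != '\n' && line[n_end] != '\r')
        return -1;
    return e->size < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real server. */
    const char *ok = "2003-12-29 4096 index.html";
    const char *bad = "2003-12-29 4096 " /* 70-byte name, over the limit */
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    struct entry e;
    printf("ok  -> %d\n", parse_entry(ok, &e));
    printf("bad -> %d\n", parse_entry(bad, &e));
    return 0;
}
```
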

Test method:
--------------------------------------------------------------------------------

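Warning

The following procedure (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

The author's demonstration session follows: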

[metaurhostname src]$ ./lftp -v
Lftp | Version 2.6.9 | Copyright (c) 1996-2002 Alexander V. Lukyanov
This is free software with ABSOLUTELY NO WARRANTY. See COPYING for details.
Send bug reports and questions to <lftpuniyar.ac.ru>.
[metaurhostname src]$ ./lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls
Segmentation fault
[metaurhostname src]$ gdb lftp
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) r
Starting program: /none/of/your/business/lftp-2.6.9/src/lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls


Program received signal SIGSEGV, Segmentation fault.
0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
(gdb) bt
#0 0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
#1 0x0808e2b1 in FileSet::FindByName(char const*) const ()
#2 0x080af550 in file_info::validate() ()
(gdb) i r
eax 0x55555555 1431655765
ecx 0x80e3af8 135150328
edx 0xb7f1b422 -1208896478
ebx 0x55555555 1431655765
esp 0xbfffeaa0 0xbfffeaa0
ebp 0xbfffeab8 0xbfffeab8
esi 0xbffff5c0 -1073744448
edi 0x55555555 1431655765
eip 0x808e22c 0x808e22c
eflags 0x210286 2163334
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x33 51
(gdb) quit
The program is running. Exit anyway? (y or n) y
[metaurhostname src]$

Recommendation:
--------------------------------------------------------------------------------
Vendor patches:

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2003:116) and corresponding patches for this issue:
MDKSA-2003:116: Updated lftp packages fix buffer overflow vulnerability
Link: http://www.linux-mandrake.com/en/security/2003/2003-116.php

Patch download:

Updated Packages:

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm

Mandrake Linux 9.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/lftp-2.6.0-1.1.90mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/lftp-2.6.0-1.1.90mdk.src.rpm

Mandrake Linux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/lftp-2.6.4-2.1.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/lftp-2.6.4-2.1.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm

Mandrake Linux 9.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/lftp-2.6.6-2.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm

Mandrake Linux 9.2/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lftp-2.6.6-2.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php


The upgrade packages above can also be downloaded from any of the FTP mirrors listed at:
http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat has released a security advisory (RHSA-2003:403-01) and corresponding patches for this issue:
RHSA-2003:403-01: Updated lftp packages fix security vulnerability
Link: https://www.redhat.com/support/errata/RHSA-2003-403.html

Patch download:

Alexander V. Lukyanov lftp 2.4.9:

RedHat Patch lftp-2.4.9-2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/lftp-2.4.9-2.i386.rpm

RedHat Patch lftp-2.4.9-2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/lftp-2.4.9-2.ia64.rpm

RedHat Patch lftp-2.4.9-2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/lftp-2.4.9-2.i386.rpm

Alexander V. Lukyanov lftp 2.5.2:

RedHat Patch lftp-2.5.2-6.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/lftp-2.5.2-6.i386.rpm

Alexander V. Lukyanov lftp 2.6.3:

RedHat Patch lftp-2.6.3-4.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/lftp-2.6.3-4.i386.rpm

Alexander V. Lukyanov lftp 2.6.5:

Fedora Upgrade lftp-2.6.10-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/lftp-2.6.10-1.i386.rpm

Fedora Upgrade lftp-debuginfo-2.6.10-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

Alexander V. Lukyanov
---------------------
lftp 2.6.10 fixes this vulnerability:

http://lftp.yar.ru/get.html

A patch for version 2.6.9 is also available from:

http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz




 