lftp is "a sophisticated command line based FTP client. It has a multithreaded design allowing you to issue and execute multiple commands simultaneously or in the background. It also features mirroring capabilities and will reconnect and continue transfers in the event of a disconnection. In addition, if you quit the program while transfers are still in progress, it will switch to NOHUP mode and finish the transfers in the background. With HTTP, HTTPS and FTP over SSL support".
The product has been found to contain two buffer overflows. Both of them occur when you connect to a web server with LFTP using HTTP or HTTPS, and then use LFTP's "ls" or "rels" commands on specially prepared directories on the web server.
Credit:
The information has been provided by Ulf Härnhammar.
Vulnerable systems:
* LFTP versions 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9
Immune systems:
* LFTP version 2.6.10
The problem lies in the file src/HttpDir.cc and the functions try_netscape_proxy() and try_squid_eplf(), which both have sscanf() calls that take data of an arbitrary length and store it in a char array of 32 elements (back in version 2.3.0 the problematic code was located in a different function, but the problem existed there too).
Depending on the HTML document in the specially prepared directory, the buffer in one function or the other will overflow.
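As an added illustration (not lftp's own code and not its 2.6.10 fix), the C below mirrors the unsafe pattern the advisory describes, an unbounded "%s" conversion into a 32-element char array, next to a bounded version that gives the conversion a field width and uses "%n" to reject an over-long size token instead of silently truncating it. The listing format (a "</a>" tag followed by day name, month, day, time, year and size), the function names and the sample lines are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define SIZE_BUF 32   /* a 32-element char array, as in the advisory */

/* Constructed sample lines (not captured from a real server). */
static const char SAMPLE_OK[] =
    "<a href=\"/\">buffy</a> Fri May 30 10:09:06 2001 1234";
/* Same shape as the advisory's recreation file: a size token far longer than 31 bytes. */
static const char SAMPLE_LONG[] =
    "<a href=\"/\">buffy</a> Fri May 30 10:09:06 2001 "
    "5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";

/* Hypothetical helper: return the text that follows the closing anchor tag. */
static const char *after_anchor(const char *line)
{
    const char *p = strstr(line, "</a>");
    return p ? p + 4 : NULL;
}

/* Unsafe shape (assumed; models the advisory's description, not lftp's exact code).
 * The final "%s" carries no field width, so a size token longer than 31 characters
 * is written past the end of 'size'. Only ever called on the short sample here. */
int parse_size_unbounded(const char *line, long *size_out)
{
    char wday[4], mon[4], clock[9], size[SIZE_BUF];
    int day, year;
    const char *p = after_anchor(line);
    if (!p)
        return -1;
    if (sscanf(p, " %3s %3s %d %8s %d %s", wday, mon, &day, clock, &year, size) != 6)
        return -1;
    *size_out = atol(size);
    return 0;
}

/* Hardened shape: every %s has a width one less than its buffer, and %n records
 * how far sscanf got. If the character after the (at most 31-byte) size token is
 * not whitespace or end-of-string, the token was too long and the line is rejected
 * rather than parsed as a truncated value. */
int parse_size_bounded(const char *line, long *size_out)
{
    char wday[4], mon[4], clock[9], size[SIZE_BUF];
    int day, year, consumed = 0;
    char *end;
    long v;
    const char *p = after_anchor(line);
    if (!p)
        return -1;
    if (sscanf(p, " %3s %3s %d %8s %d %31s%n",
               wday, mon, &day, clock, &year, size, &consumed) != 6)
        return -1;
    if (p[consumed] != '\0' && !isspace((unsigned char)p[consumed]))
        return -1;                       /* size token exceeded the buffer */
    v = strtol(size, &end, 10);
    if (end == size || *end != '\0')
        return -1;                       /* size must be entirely numeric */
    *size_out = v;
    return 0;
}

/* Convenience wrapper: the parsed size, or -1 when the line is rejected. */
long size_of_line(const char *line)
{
    long s;
    return parse_size_bounded(line, &s) == 0 ? s : -1;
}

int main(void)
{
    long s = 0;
    parse_size_unbounded(SAMPLE_OK, &s);   /* short token: behaves normally */
    printf("unbounded parser, short token: %ld\n", s);
    printf("bounded parser, short token:   %ld\n", size_of_line(SAMPLE_OK));
    printf("bounded parser, long token:    %ld\n", size_of_line(SAMPLE_LONG));
    return 0;
}
```

The width specifier alone stops the write past the buffer; the "%n" check is what turns a silently truncated field into a rejected line, which is the behaviour a parser of untrusted listings should have.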
Solution:
You can solve this problem by upgrading to 2.6.10.
Recreation:
You can recreate the issue by storing the following HTML file on a web server, and then redirecting lftp to it:
<a href="/">buffy</a> Fri May 30 10:09:06 2001 5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUU