SecurityTracker.com
SecurityTracker Archives

Category:   Application (File Transfer/Sharing)  >   LFTP
Vendors:   Lukyanov, Alexander
(Immunix Issues Fix) LFTP Buffer Overflow in Processing HTTP Responses May Allow Remote Code Execution
SecurityTracker Alert ID:  1008464
SecurityTracker URL:  http://securitytracker.com/id/1008464
CVE Reference:   CVE-2003-0963
Updated:  Dec 16 2003
Original Entry Date:  Dec 14 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.6.10
Description:   A buffer overflow vulnerability was reported in LFTP. A remote server may be able to cause arbitrary code to be executed on a connected client.

It is reported that LFTP contains buffer overflows that can be triggered by a remote user. The flaws reside in the try_netscape_proxy() and try_squid_eplf() functions in 'HttpDir.cc'. A remote user operating a web server can reportedly create a specially crafted directory so that when a target user connects to the web server (secure or non-secure) with the LFTP client and issues the "ls" or "rels" command, arbitrary code will be executed on the target user's system.

Ulf Härnhammar is credited with discovering the bugs.
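The flaw described above sits in code that copies server-supplied directory-listing data into client-side buffers. As an added example that is not lftp's code, the following C parser handles one line of the EPLF listing format (the format the try_squid_eplf() name refers to) with an explicit length check, so a name that would not fit is rejected instead of overflowing; NAME_MAX_LEN, the eplf_* helper names and the sample lines are all constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustrative parser for one EPLF listing line, e.g. "+i8388621.29609,m824255902,s1234,r\tREADME"
 * ('+', comma-separated facts, a tab, then the name); this is not lftp's HttpDir.cc code. */
#define NAME_MAX_LEN 64

struct eplf_entry {
    char name[NAME_MAX_LEN]; /* fixed-size buffer the name must fit into */
    long size;               /* 's' fact, -1 if absent */
    int  is_dir;             /* 1 if the '/' fact is present */
};

/* Returns 0 on success, -1 for a malformed line or a name that would not fit. An unbounded
 * strcpy()/sscanf("%s") in place of this length check is the boundary error class at issue. */
int parse_eplf(const char *line, struct eplf_entry *out)
{
    const char *tab, *p, *name; size_t n;
    if (line == NULL || line[0] != '+' || (tab = strchr(line, '\t')) == NULL)
        return -1;
    out->size = -1; out->is_dir = 0;
    for (p = line + 1; p < tab; ) {
        const char *end = memchr(p, ',', (size_t)(tab - p));
        if (end == NULL) end = tab;           /* last fact ends at the tab */
        if (*p == '/') out->is_dir = 1;
        else if (*p == 's' && end > p + 1) out->size = strtol(p + 1, NULL, 10);
        p = end + 1;
    }
    name = tab + 1; n = strlen(name);
    while (n > 0 && (name[n - 1] == '\n' || name[n - 1] == '\r'))
        n--;                                  /* drop a trailing CRLF */
    if (n == 0 || n >= NAME_MAX_LEN)
        return -1;                            /* reject rather than overflow */
    memcpy(out->name, name, n);
    out->name[n] = '\0';
    return 0;
}

/* Scalar helpers so results can be checked without the struct. */
int  eplf_accepts(const char *line) { struct eplf_entry e; return parse_eplf(line, &e) == 0; }
long eplf_size_of(const char *line) { struct eplf_entry e; return parse_eplf(line, &e) == 0 ? e.size : -2; }

/* Constructs "+s1,r\t" plus n 'A's, i.e. a server-chosen name of length n. */
int eplf_accepts_name_of_length(size_t n)
{
    char line[1024];                          /* n is capped so the line fits */
    if (n > sizeof line - 8) n = sizeof line - 8;
    memcpy(line, "+s1,r\t", 6); memset(line + 6, 'A', n); line[6 + n] = '\0';
    return eplf_accepts(line);
}
```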

Impact:   A remote server can cause arbitrary code to be executed on the target user's LFTP client when the client connects to the server and issues an "ls" or "rels" command.
Solution:   Immunix has released a fix.

Precompiled binary packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/lftp-2.4.9-1_imnx_3.i386.rpm

Source packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/lftp-2.4.9-1_imnx_3.src.rpm

Immunix OS 7.3 md5sums:
01863149ee0914c2ff3ea21fb66b7eac RPMS/lftp-2.4.9-1_imnx_3.i386.rpm
ea33a569204f4413065eaa2f5ae2eadc SRPMS/lftp-2.4.9-1_imnx_3.src.rpm

Vendor URL:  lftp.yar.ru/
Cause:   Boundary error
Underlying OS:  Linux (Immunix)
Underlying OS Comments:  7.3

Message History:   This archive entry is a follow-up to the message listed below.
Dec 14 2003 LFTP Buffer Overflow in Processing HTTP Responses May Allow Remote Code Execution



Source Message Contents

Subject:  [Immunix-announce] Immunix Secured OS 7.3 lftp update

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	lftp
Affected products:	Immunix OS 7.3
Bugs fixed:		CAN-2003-0963
Date:			Tue Dec  9 2003
Advisory ID:		IMNX-2003-73-002-01
Author:			Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
  Ulf Härnhammar has discovered remotely triggerable buffer overflows
  in lftp; this update fixes both of these problems. The Common
  Vulnerabilities and Exposures project (cve.mitre.org) has assigned
  the name CAN-2003-0963 to this issue.

  StackGuard should not be relied on to mitigate this vulnerability.

  Immunix 7.3 users may use our up2date service to install fixed
  packages: you may run either "up2date" within X, and follow the
  directions, or run "up2date -u" to ensure your system is current.

Package names and locations:
  Precompiled binary packages for Immunix 7.3 are available at:
  http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/lftp-2.4.9-1_imnx_3.i386.rpm

  Source packages for Immunix 7.3 are available at:
  http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/lftp-2.4.9-1_imnx_3.src.rpm

Immunix OS 7.3 md5sums:
  01863149ee0914c2ff3ea21fb66b7eac  RPMS/lftp-2.4.9-1_imnx_3.i386.rpm
  ea33a569204f4413065eaa2f5ae2eadc  SRPMS/lftp-2.4.9-1_imnx_3.src.rpm

GPG verification:
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 7+ will not be officially supported after March 1 2004.
  ImmunixOS 7.0 is no longer officially supported.
  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@immunix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce

Copyright 2021, SecurityGlobal.net LLC