SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   LFTP Vendors:   Lukyanov, Alexander
(Conectiva Issues Fix) LFTP Buffer Overflow in Processing HTTP Responses May Allow Remote Code Execution
SecurityTracker Alert ID:  1008620
SecurityTracker URL:  http://securitytracker.com/id/1008620
CVE Reference:   CVE-2003-0963   (Links to External Site)
Date:  Jan 6 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.6.10
Description:   A buffer overflow vulnerability was reported in LFTP. A remote server may be able to cause arbitrary code to be executed on a connected client.

It is reported that LFTP contains buffer overflows that can be triggered by a remote user. The flaws reside in the try_netscape_proxy() and try_squid_eplf() functions in 'HttpDir.cc'. A remote user operating a web server can reportedly create a specially crafted directory so that when a target user connects to the web server (secure or non-secure) with the LFTP client and issues the "ls" or "rels" command, arbitrary code will be executed on the target user's system.

Ulf Harnhammar is credited with discovering the bugs.

Impact:   A remote server can cause arbitrary code to be executed on the target user's LFTP client when the client connects to the server and issues an "ls" or "rels" command.
Solution:   Conectiva has released a fix.

ftp://atualizacoes.conectiva.com.br/8/SRPMS/lftp-2.6.9-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/lftp-2.6.9-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/lftp-2.6.9-23261U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/lftp-2.6.9-23261U90_2cl.i386.rpm

Vendor URL:  lftp.yar.ru/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  8, 9

Message History:   This archive entry is a follow-up to the message listed below.
Dec 14 2003 LFTP Buffer Overflow in Processing HTTP Responses May Allow Remote Code Execution



 Source Message Contents

Subject:  [conectiva-updates] [CLA-2004:800] Conectiva Security Announcement - lftp


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : lftp
SUMMARY   : Buffer overflow vulnerability
DATE      : 2004-01-06 09:46:00
ID        : CLA-2004:800
RELEVANT
RELEASES  : 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
 lftp[1] is a command-line file transfer program which supports many
 protocols.
 
 the lftp program. An attacker could prepare a directory on a server
 which, if accessed with a vulnerable lftp with the "ls" or "rels"
 command, could cause arbitrary code to be executed on the client.


SOLUTION
 It is recommended that all lftp users upgrade their packages.
 
 
 REFERENCES
 1. http://lftp.yar.ru/
 2. http://marc.theaimsgroup.com/?l=bugtraq&m=107152267121513&w=2
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0963


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/SRPMS/lftp-2.6.9-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/lftp-2.6.9-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/lftp-2.6.9-23261U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/lftp-2.6.9-23261U90_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/+rrm42jd0JmAcZARAjo4AJ4tE6wXFAud/+t0u2Z0qRDM/BbKtACg71XA
eFJwzvhfIPTLCCXkW38PeHg=
=NJSd
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC