lftp Try_Squid_Eplf Remote Buffer Overflow Vulnerability
Source: vittersafe.yeah.net  Author: vitter  Published: 2003-12-29


Affected systems:
Alexander V. Lukyanov lftp 2.6.9
Alexander V. Lukyanov lftp 2.6.8
Alexander V. Lukyanov lftp 2.6.7
Alexander V. Lukyanov lftp 2.6.6
Alexander V. Lukyanov lftp 2.6.5
Alexander V. Lukyanov lftp 2.6.4
Alexander V. Lukyanov lftp 2.6.3
Alexander V. Lukyanov lftp 2.6.0
Alexander V. Lukyanov lftp 2.5.2
Alexander V. Lukyanov lftp 2.3
Alexander V. Lukyanov lftp 2.4.9
- Mandrake Linux 8.2
- RedHat Linux 7.3
- RedHat Linux 7.2
Unaffected systems:
Alexander V. Lukyanov lftp 2.6.10
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9212
CVE(CAN) ID: CAN-2003-0963

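lftp is a command-line FTP client that runs on multiple platforms and supports multiple protocols (ftp, ftps, http, https, hftp, etc.).

lftp does not correctly handle certain directory information in content returned by a remote HTTP server. A remote attacker can exploit this to cause a buffer overflow and possibly execute arbitrary commands on the system with the privileges of the lftp process.

The problem is in the try_squid_eplf() function in src/HttpDir.cc. When lftp connects to a web server over HTTP or HTTPS and the lftp "ls" or "rels" command is used to browse a specially prepared directory, the sscanf() call that processes the input does not perform sufficient bounds checking on the buffer. Carefully crafted directory data can trigger a buffer overflow, and carefully crafted data may allow arbitrary commands to be executed with the privileges of the lftp process.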
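
The class of bug described above, as an added example that is not lftp's source and not part of the original advisory: an sscanf() "%s" conversion with no field width beside a bounded form that rejects over-long tokens. The "<size> <name>" line format, the function names and the 32-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical listing format constructed for this example: "<size> <name>".
   It is NOT the format parsed by lftp's try_squid_eplf(). */
#define NAME_MAX_LEN 31

/* Unsafe pattern: "%s" has no field width, so sscanf() copies the whole
   token into name[] no matter how long the server made it. Shown for
   comparison only; never call this on untrusted input. */
int parse_entry_unbounded(const char *line, long *size, char *name)
{
    return sscanf(line, "%ld %s", size, name) == 2;
}

/* Hardened form: the width (31) leaves room for the terminating NUL in a
   32-byte buffer, and %n lets us detect a token that did not fit, so the
   line is rejected instead of silently truncated. */
int parse_entry_bounded(const char *line, long *size, char name[NAME_MAX_LEN + 1])
{
    int consumed = 0;

    if (sscanf(line, "%ld %31s%n", size, name, &consumed) != 2)
        return 0;                       /* malformed line */
    if (line[consumed] != '\0' && line[consumed] != ' ' &&
        line[consumed] != '\t' && line[consumed] != '\r' && line[consumed] != '\n')
        return 0;                       /* name longer than the buffer */
    return *size >= 0;                  /* negative sizes are not valid */
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    char oversized[128] = "1 ";
    long size = 0;

    memset(oversized + 2, 'A', 100);    /* constructed over-long name */
    oversized[102] = '\0';

    printf("normal:    %d\n", parse_entry_bounded("1024 readme.txt", &size, name));
    printf("oversized: %d\n", parse_entry_bounded(oversized, &size, name));
    return 0;
}
```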

<*Source: Ulf Harnhammar ([email protected]

Links: http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0070.html
https://www.redhat.com/support/errata/RHSA-2003-403.html
http://www.linux-mandrake.com/en/security/2003/2003-116.php
*>

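Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

The author's demonstration session follows: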

[metaurhostname src]$ ./lftp -v
Lftp | Version 2.6.9 | Copyright (c) 1996-2002 Alexander V. Lukyanov
This is free software with ABSOLUTELY NO WARRANTY. See COPYING for details.
Send bug reports and questions to <lftpuniyar.ac.ru>.
[metaurhostname src]$ ./lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls
Segmentation fault
[metaurhostname src]$ gdb lftp
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) r
Starting program: /none/of/your/business/lftp-2.6.9/src/lftp
lftp :~> open http://localhost/buffy/
lftp localhost:/buffy> ls


Program received signal SIGSEGV, Segmentation fault.
0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
(gdb) bt
#0 0x0808e22c in FileSet::FindGEIndByName(char const*) const ()
#1 0x0808e2b1 in FileSet::FindByName(char const*) const ()
#2 0x080af550 in file_info::validate() ()
(gdb) i r
eax 0x55555555 1431655765
ecx 0x80e3af8 135150328
edx 0xb7f1b422 -1208896478
ebx 0x55555555 1431655765
esp 0xbfffeaa0 0xbfffeaa0
ebp 0xbfffeab8 0xbfffeab8
esi 0xbffff5c0 -1073744448
edi 0x55555555 1431655765
eip 0x808e22c 0x808e22c
eflags 0x210286 2163334
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x33 51
(gdb) quit
The program is running. Exit anyway? (y or n) y
[metaurhostname src]$

Recommendation:
--------------------------------------------------------------------------------
Vendor patches:

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2003:116) and corresponding patches for this issue:
MDKSA-2003:116: Updated lftp packages fix buffer overflow vulnerability
Link: http://www.linux-mandrake.com/en/security/2003/2003-116.php

Patch download:

Updated Packages:

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm

Mandrake Linux 9.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/lftp-2.6.0-1.1.90mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/lftp-2.6.0-1.1.90mdk.src.rpm

Mandrake Linux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/lftp-2.6.4-2.1.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/lftp-2.6.4-2.1.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm

Mandrake Linux 9.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/lftp-2.6.6-2.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm

Mandrake Linux 9.2/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lftp-2.6.6-2.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php


The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat has released a security advisory (RHSA-2003:403-01) and corresponding patches for this issue:
RHSA-2003:403-01: Updated lftp packages fix security vulnerability
Link: https://www.redhat.com/support/errata/RHSA-2003-403.html

Patch download:

Alexander V. Lukyanov lftp 2.4.9:

RedHat Patch lftp-2.4.9-2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/lftp-2.4.9-2.i386.rpm

RedHat Patch lftp-2.4.9-2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/lftp-2.4.9-2.ia64.rpm

RedHat Patch lftp-2.4.9-2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/lftp-2.4.9-2.i386.rpm

Alexander V. Lukyanov lftp 2.5.2:

RedHat Patch lftp-2.5.2-6.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/lftp-2.5.2-6.i386.rpm

Alexander V. Lukyanov lftp 2.6.3:

RedHat Patch lftp-2.6.3-4.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/lftp-2.6.3-4.i386.rpm

Alexander V. Lukyanov lftp 2.6.5:

Fedora Upgrade lftp-2.6.10-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/lftp-2.6.10-1.i386.rpm

Fedora Upgrade lftp-debuginfo-2.6.10-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

Alexander V. Lukyanov
---------------------
lftp 2.6.10 fixes this vulnerability:

http://lftp.yar.ru/get.html

A patch for version 2.6.9 is also available from the following address:

http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz




 