CVE-2004-0771 - extract_one Buffer Overflow vulnerability in Tsugio Okamoto LHA 1.14/1.15/1.17

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.

Vulnerable Configurations

Part         Description      Count
Application  Tsugio_Okamoto   3

Exploit-Db

description: LHA 1.x Multiple extract_one Buffer Overflow Vulnerabilities. CVE-2004-0771. Remote exploit for linux platform
id: EDB-ID:24120
last seen: 2016-02-02
modified: 2004-05-19
published: 2004-05-19
reporter: Lukasz Wojtow
source: https://www.exploit-db.com/download/24120/
title: LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_LHA_114_6.NASL
    description: The following package needs to be updated: lha
    last seen: 2016-09-26
    modified: 2011-10-03
    plugin id: 14813
    published: 2004-09-24
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=14813
    title: FreeBSD : lha -- numerous vulnerabilities when extracting archives (91)
    code:
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated by freebsd_pkg_273cc1a30d6b11d98a8a000c41e2cdad.nasl.
    #
    # Disabled on 2011/10/02.
    #
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This script contains information extracted from VuXML :
    #
    # Copyright 2003-2006 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #   copyright notice, this list of conditions and the following
    #   disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #   published online in any format, converted to PDF, PostScript,
    #   RTF and other formats) must reproduce the above copyright
    #   notice, this list of conditions and the following disclaimer
    #   in the documentation and/or other materials provided with the
    #   distribution.
    #
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    #
    #
    
    include('compat.inc');
    
    if ( description )
    {
     script_id(14813);
     script_version("1.11");
     script_bugtraq_id(10354);
     script_cve_id("CVE-2004-0771");
     script_cve_id("CVE-2004-0769");
     script_cve_id("CVE-2004-0745");
     script_cve_id("CVE-2004-0694");
    
     script_name(english:"FreeBSD : lha -- numerous vulnerabilities when extracting archives (91)");
    
    script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
    script_set_attribute(attribute:'description', value:'The following package needs to be updated: lha');
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
    script_set_attribute(attribute: 'see_also', value: 'http://bugs.gentoo.org/show_bug.cgi?id=51285
    http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482
    http://samba.org/rsync/#security_aug04
    http://secunia.com/advisories/12024
    http://www.ethereal.com/appnotes/enpa-sa-00015.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-38.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-39.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
    http://xforce.iss.net/xforce/xfdb/16196');
    script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/273cc1a3-0d6b-11d9-8a8a-000c41e2cdad.html');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/24");
     script_cvs_date("Date: 2018/07/20  0:18:52");
     script_end_attributes();
     script_summary(english:"Check for lha");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     family["english"] = "FreeBSD Local Security Checks";
     script_family(english:family["english"]);
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/FreeBSD/pkg_info");
     exit(0);
    }
    
    # Deprecated.
    exit(0, "This plugin has been deprecated. Refer to plugin #37618 (freebsd_pkg_273cc1a30d6b11d98a8a000c41e2cdad.nasl) instead.");
    
    global_var cvss_score;
    cvss_score=10;
    include('freebsd_package.inc');
    
    
    pkg_test(pkg:"lha<1.14i_6");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_273CC1A30D6B11D98A8A000C41E2CDAD.NASL
    description: Source code reviews of lha by Lukasz Wojtow, Thomas Biege, and others uncovered a number of vulnerabilities affecting lha:
      - Buffer overflows when handling archives and filenames. (CVE-2004-0694)
      - Possible command execution via shell meta-characters when built with NOMKDIR. (CVE-2004-0745)
      - Buffer overflow resulting in arbitrary code execution when handling long pathnames in LHZ archives. (CVE-2004-0769)
      - Buffer overflow in the extract_one. (CVE-2004-0771)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37618
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37618
    title: FreeBSD : lha -- numerous vulnerabilities when extracting archives (273cc1a3-0d6b-11d9-8a8a-000c41e2cdad)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37618);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:36");
    
      script_cve_id("CVE-2004-0694", "CVE-2004-0745", "CVE-2004-0769", "CVE-2004-0771");
      script_bugtraq_id(10354);
    
      script_name(english:"FreeBSD : lha -- numerous vulnerabilities when extracting archives (273cc1a3-0d6b-11d9-8a8a-000c41e2cdad)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Source code reviews of lha by Lukasz Wojtow, Thomas Biege, and others
    uncovered a number of vulnerabilities affecting lha :
    
    - Buffer overflows when handling archives and filenames.
    (CVE-2004-0694)
    
    - Possible command execution via shell meta-characters when built with
    NOMKDIR. (CVE-2004-0745)
    
    - Buffer overflow resulting in arbitrary code execution when handling
    long pathnames in LHZ archives. (CVE-2004-0769)
    
    - Buffer overflow in the extract_one. (CVE-2004-0771)"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=108464470103227
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=108464470103227"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=108668791510153"
      );
      # http://bugs.gentoo.org/show_bug.cgi?id=51285
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.gentoo.org/show_bug.cgi?id=51285"
      );
      # http://xforce.iss.net/xforce/xfdb/16196
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5675a199"
      );
      # https://vuxml.freebsd.org/freebsd/273cc1a3-0d6b-11d9-8a8a-000c41e2cdad.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7bf1a98a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:lha");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/09/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"lha<1.14i_6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-323.NASL
    description: An updated lha package that fixes a buffer overflow is now available. LHA is an archiving and compression utility for LHarc format archives. Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14625
    published: 2004-09-01
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14625
    title: RHEL 3 : lha (RHSA-2004:323)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-440.NASL
    description: An updated lha package that fixes a buffer overflow is now available. LHA is an archiving and compression utility for LHarc format archives. Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14697
    published: 2004-09-09
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14697
    title: RHEL 2.1 : lha (RHSA-2004:440)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-295.NASL
    description: Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14693
    published: 2004-09-09
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14693
    title: Fedora Core 2 : lha-1.14i-14.1 (2004-295)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-294.NASL
    description: Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14692
    published: 2004-09-09
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14692
    title: Fedora Core 1 : lha-1.14i-12.2 (2004-294)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200409-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200409-13 (LHa: Multiple vulnerabilities). The command line argument as well as the archive parsing code of LHa lack sufficient bounds checking. Furthermore, a shell meta character command execution vulnerability exists in LHa, since it does no proper filtering on directory names.
      Impact: Using a specially crafted command line argument or archive, an attacker can cause a buffer overflow and could possibly run arbitrary code. The shell meta character command execution could lead to the execution of arbitrary commands by an attacker using directories containing shell meta characters in their names.
      Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14694
    published: 2004-09-09
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14694
    title: GLSA-200409-13 : LHa: Multiple vulnerabilities

Oval

accepted: 2013-04-29T04:20:31.659-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.
family: unix
id: oval:org.mitre.oval:def:9595
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.
version: 26

Redhat

advisories:
  • rhsa
    id: RHSA-2004:323
  • rhsa
    id: RHSA-2004:440
rpms:
  • lha-0:1.14i-10.4
  • lha-debuginfo-0:1.14i-10.4