CVE-2004-0771 - extract_one Buffer Overflow vulnerability in Tsugio Okamoto LHA 1.14/1.15/1.17
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.

The trigger is a command-line argument, not archive content, so this overflow only crosses a privilege boundary where lha runs setuid or is invoked by another program (a mail or upload scanner, a wrapper script) with an attacker-influenced working-directory argument; the NETWORK attack vector above is the scoring convention used for these records, not a remote trigger. The vendor updates listed below (Red Hat, Fedora, Gentoo, FreeBSD) fix this issue together with CVE-2004-0769 (archive pathname overflow), CVE-2004-0694 and CVE-2004-0745, so a package at or above the fixed version covers all four.
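The bug class behind this CVE, as an added illustration that is not lha's own source: a fixed-size stack buffer that receives the working-directory string from the w= option through unbounded string copies, beside a bounded version that refuses over-long input instead of truncating it. The buffer size NAME_BUF, the function names and the sample member name are assumptions made for the example; lha's real extract_one has its own buffer sizes and layout.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; lha's real extract_one uses its own
 * fixed-length name buffers, so the exact value here is illustrative only. */
#define NAME_BUF 256

/* Vulnerable pattern (illustrative, not lha's source): the working directory
 * taken from the command line (w=<dir>) is copied into a fixed stack buffer
 * with no length check. A directory string longer than NAME_BUF-1 bytes
 * writes past the end of the buffer and, on the stack, over saved registers
 * and the return address. It is never called with long input below; it is
 * here only to show the shape of the bug. */
void build_extract_path_unsafe(char out[NAME_BUF], const char *workdir, const char *member)
{
    strcpy(out, workdir);   /* unbounded copy of an attacker-chosen length */
    strcat(out, "/");
    strcat(out, member);
}

/* Hardened version: bounded formatting, and reject rather than truncate when
 * the result would not fit, so a silently shortened path cannot redirect the
 * extraction elsewhere. Returns the path length, or -1 on overflow. */
int build_extract_path_safe(char *out, size_t outsz, const char *workdir, const char *member)
{
    int n = snprintf(out, outsz, "%s/%s", workdir, member);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Normal use: a short working directory that fits comfortably. */
int demo_short_workdir(void)
{
    char out[NAME_BUF];
    return build_extract_path_safe(out, sizeof out, "/tmp/extract", "readme.txt");
}

/* Hostile use: a w= argument consisting of `len` 'A' bytes (constructed input,
 * standing in for an over-long command-line option). */
int demo_long_workdir(size_t len)
{
    char workdir[4096];
    char out[NAME_BUF];
    if (len >= sizeof workdir) len = sizeof workdir - 1;
    memset(workdir, 'A', len);
    workdir[len] = '\0';
    return build_extract_path_safe(out, sizeof out, workdir, "readme.txt");
}

int main(void)
{
    printf("short workdir  -> %d bytes\n", demo_short_workdir());
    printf("1000-byte workdir -> %d (rejected)\n", demo_long_workdir(1000));
    /* Calling build_extract_path_unsafe() with that 1000-byte workdir would
     * instead overwrite the stack; that is the CVE-2004-0771 condition. */
    return 0;
}
```

To check an installed binary rather than this model, pass an over-long directory to the w= option against a small archive you created yourself (for example `lha xw=$(printf 'A%.0s' $(seq 4000)) test.lzh`, assuming the 1.14 command-letter syntax) and watch for a segmentation fault; a patched build does not crash. Because the input is a command-line argument, a crash in an interactive shell is only a self-inflicted denial of service; the exposure is the set of setuid or automated invocations that pass untrusted arguments.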
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Tsugio Okamoto LHA 1.14 / 1.15 / 1.17 | 3 |
Exploit-Db
field | value |
---|---|
description | LHA 1.x Multiple extract_one Buffer Overflow Vulnerabilities. CVE-2004-0771. Remote exploit for linux platform |
id | EDB-ID:24120 |
last seen | 2016-02-02 |
modified | 2004-05-19 |
published | 2004-05-19 |
reporter | Lukasz Wojtow |
source | https://www.exploit-db.com/download/24120/ |
title | LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities |
Nessus
field | value |
---|---|
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_LHA_114_6.NASL |
description | The following package needs to be updated: lha |
last seen | 2016-09-26 |
modified | 2011-10-03 |
plugin id | 14813 |
published | 2004-09-24 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=14813 |
title | FreeBSD : lha -- numerous vulnerabilities when extracting archives (91) |

code (deprecated plugin, superseded by plugin 37618 below):

```nasl
#%NASL_MIN_LEVEL 999999
# @DEPRECATED@
#
# This script has been deprecated by freebsd_pkg_273cc1a30d6b11d98a8a000c41e2cdad.nasl.
#
# Disabled on 2011/10/02.
#
#
# (C) Tenable Network Security, Inc.
#
# This script contains information extracted from VuXML :
#
# Copyright 2003-2006 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#

include('compat.inc');

if ( description )
{
 script_id(14813);
 script_version("1.11");
 script_bugtraq_id(10354);
 script_cve_id("CVE-2004-0771");
 script_cve_id("CVE-2004-0769");
 script_cve_id("CVE-2004-0745");
 script_cve_id("CVE-2004-0694");

 script_name(english:"FreeBSD : lha -- numerous vulnerabilities when extracting archives (91)");

 script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
 script_set_attribute(attribute:'description', value:'The following package needs to be updated: lha');
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
 script_set_attribute(attribute: 'see_also', value: 'http://bugs.gentoo.org/show_bug.cgi?id=51285
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482
http://samba.org/rsync/#security_aug04
http://secunia.com/advisories/12024
http://www.ethereal.com/appnotes/enpa-sa-00015.html
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html
http://www.mozilla.org/security/announce/2008/mfsa2008-39.html
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
http://xforce.iss.net/xforce/xfdb/16196');
 script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/273cc1a3-0d6b-11d9-8a8a-000c41e2cdad.html');
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/24");
 script_cvs_date("Date: 2018/07/20 0:18:52");
 script_end_attributes();
 script_summary(english:"Check for lha");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 family["english"] = "FreeBSD Local Security Checks";
 script_family(english:family["english"]);
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/FreeBSD/pkg_info");
 exit(0);
}

# Deprecated.
exit(0, "This plugin has been deprecated. Refer to plugin #37618 (freebsd_pkg_273cc1a30d6b11d98a8a000c41e2cdad.nasl) instead.");

global_var cvss_score;
cvss_score=10;
include('freebsd_package.inc');

pkg_test(pkg:"lha<1.14i_6");
```
field | value |
---|---|
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_273CC1A30D6B11D98A8A000C41E2CDAD.NASL |
description | Source code reviews of lha by Lukasz Wojtow, Thomas Biege, and others uncovered a number of vulnerabilities affecting lha : - Buffer overflows when handling archives and filenames. (CVE-2004-0694) - Possible command execution via shell meta-characters when built with NOMKDIR. (CVE-2004-0745) - Buffer overflow resulting in arbitrary code execution when handling long pathnames in LHZ archives. (CVE-2004-0769) - Buffer overflow in the extract_one. (CVE-2004-0771) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 37618 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/37618 |
title | FreeBSD : lha -- numerous vulnerabilities when extracting archives (273cc1a3-0d6b-11d9-8a8a-000c41e2cdad) |

code (the check is a package version comparison against `lha<1.14i_6`, i.e. anything below the first fixed FreeBSD port revision is flagged):

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(37618);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:36");

  script_cve_id("CVE-2004-0694", "CVE-2004-0745", "CVE-2004-0769", "CVE-2004-0771");
  script_bugtraq_id(10354);

  script_name(english:"FreeBSD : lha -- numerous vulnerabilities when extracting archives (273cc1a3-0d6b-11d9-8a8a-000c41e2cdad)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Source code reviews of lha by Lukasz Wojtow, Thomas Biege, and others
uncovered a number of vulnerabilities affecting lha :

- Buffer overflows when handling archives and filenames.
  (CVE-2004-0694)

- Possible command execution via shell meta-characters when built
  with NOMKDIR. (CVE-2004-0745)

- Buffer overflow resulting in arbitrary code execution when
  handling long pathnames in LHZ archives. (CVE-2004-0769)

- Buffer overflow in the extract_one. (CVE-2004-0771)"
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=108464470103227
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=108464470103227"
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=108668791510153"
  );
  # http://bugs.gentoo.org/show_bug.cgi?id=51285
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.gentoo.org/show_bug.cgi?id=51285"
  );
  # http://xforce.iss.net/xforce/xfdb/16196
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5675a199"
  );
  # https://vuxml.freebsd.org/freebsd/273cc1a3-0d6b-11d9-8a8a-000c41e2cdad.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7bf1a98a"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:lha");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/09/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"lha<1.14i_6")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
field | value |
---|---|
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-323.NASL |
description | An updated lha package that fixes a buffer overflow is now available. LHA is an archiving and compression utility for LHarc format archives. Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14625 |
published | 2004-09-01 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/14625 |
title | RHEL 3 : lha (RHSA-2004:323) |

field | value |
---|---|
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-440.NASL |
description | An updated lha package that fixes a buffer overflow is now available. LHA is an archiving and compression utility for LHarc format archives. Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14697 |
published | 2004-09-09 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/14697 |
title | RHEL 2.1 : lha (RHSA-2004:440) |

field | value |
---|---|
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2004-295.NASL |
description | Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14693 |
published | 2004-09-09 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14693 |
title | Fedora Core 2 : lha-1.14i-14.1 (2004-295) |

field | value |
---|---|
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2004-294.NASL |
description | Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0771 and CVE-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0745 to this issue. Users of lha should update to this updated package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14692 |
published | 2004-09-09 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14692 |
title | Fedora Core 1 : lha-1.14i-12.2 (2004-294) |

field | value |
---|---|
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200409-13.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200409-13 (LHa: Multiple vulnerabilities). The command line argument as well as the archive parsing code of LHa lack sufficient bounds checking. Furthermore, a shell meta character command execution vulnerability exists in LHa, since it does no proper filtering on directory names. Impact : Using a specially crafted command line argument or archive, an attacker can cause a buffer overflow and could possibly run arbitrary code. The shell meta character command execution could lead to the execution of arbitrary commands by an attacker using directories containing shell meta characters in their names. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14694 |
published | 2004-09-09 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14694 |
title | GLSA-200409-13 : LHa: Multiple vulnerabilities |
Oval
field | value |
---|---|
accepted | 2013-04-29T04:20:31.659-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. |
family | unix |
id | oval:org.mitre.oval:def:9595 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. |
version | 26 |
References
- http://bugs.gentoo.org/show_bug.cgi?id=51285
- http://marc.info/?l=bugtraq&m=108668791510153
- http://www.gentoo.org/security/en/glsa/glsa-200409-13.xml
- http://www.redhat.com/support/errata/RHSA-2004-323.html
- http://www.redhat.com/support/errata/RHSA-2004-440.html
- http://www.securityfocus.com/archive/1/363418
- http://www.securityfocus.com/bid/10354
- https://bugzilla.fedora.us/show_bug.cgi?id=1833
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16196
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9595