Executive Summary

Summary
Title: Lhaca buffer overflow vulnerability
Information
Name: VU#871497
First vendor Publication: 2007-07-06
Vendor: VU-CERT
Last vendor Modification: 2007-07-17
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score: 6.8
Attack Range: Network
Cvss Impact Score: 6.4
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

Vulnerability Note VU#871497

Lhaca buffer overflow vulnerability

Overview

The Lhaca archiving program contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code.

I. Description

LHA is an archive file format. LHA is used by the Lhaca compression utility.

A stack buffer overflow vulnerability exists in the Lhaca program. This vulnerability occurs due to insufficient bounds checking. Note that there are reports that this vulnerability is being publicly exploited.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code, or create a denial-of-service condition.

III. Solution

Upgrade

The vendor has released Lhaca version 1.23 to address this issue. Users are encouraged to upgrade as soon as possible.

Systems Affected

Vendor | Status | Date Updated
3com, Inc. | Unknown | 5-Jul-2007
Aladdin Knowledge Systems | Unknown | 5-Jul-2007
Apple Computer, Inc. | Unknown | 5-Jul-2007
Bro | Not Vulnerable | 13-Jul-2007
Check Point Software Technologies | Unknown | 5-Jul-2007
Cisco Systems, Inc. | Unknown | 5-Jul-2007
Command Software Systems | Unknown | 5-Jul-2007
Computer Associates | Unknown | 5-Jul-2007
Computer Associates eTrust Security Management | Unknown | 5-Jul-2007
Conectiva Inc. | Unknown | 5-Jul-2007
Cray Inc. | Unknown | 5-Jul-2007
CyberSoft, Inc. | Unknown | 5-Jul-2007
DataFellows | Unknown | 5-Jul-2007
Debian GNU/Linux | Unknown | 5-Jul-2007
EMC Corporation | Unknown | 5-Jul-2007
Engarde Secure Linux | Unknown | 5-Jul-2007
Enterasys Networks | Unknown | 5-Jul-2007
F-PROT by FRISK Software International | Unknown | 5-Jul-2007
F-Secure Corporation | Not Vulnerable | 17-Jul-2007
F5 Networks, Inc. | Unknown | 5-Jul-2007
Fedora Project | Unknown | 5-Jul-2007
Finjan Software | Unknown | 5-Jul-2007
Fortinet, Inc. | Unknown | 5-Jul-2007
FreeBSD, Inc. | Unknown | 5-Jul-2007
Fujitsu | Unknown | 5-Jul-2007
Gentoo Linux | Unknown | 5-Jul-2007
GFI Software, Inc. | Unknown | 5-Jul-2007
Hewlett-Packard Company | Unknown | 5-Jul-2007
Hitachi | Unknown | 5-Jul-2007
IBM Corporation | Unknown | 5-Jul-2007
IBM Corporation (zseries) | Unknown | 5-Jul-2007
IBM eServer | Unknown | 5-Jul-2007
Immunix Communications, Inc. | Unknown | 5-Jul-2007
Ingrian Networks, Inc. | Unknown | 5-Jul-2007
Internet Security Systems, Inc. | Not Vulnerable | 9-Jul-2007
Juniper Networks, Inc. | Unknown | 5-Jul-2007
lhaca | Vulnerable | 6-Jul-2007
Mandriva, Inc. | Unknown | 5-Jul-2007
McAfee | Unknown | 5-Jul-2007
MessageLabs | Unknown | 5-Jul-2007
Microsoft Corporation | Not Vulnerable | 9-Jul-2007
MontaVista Software, Inc. | Unknown | 5-Jul-2007
NEC Corporation | Unknown | 5-Jul-2007
NetBSD | Unknown | 5-Jul-2007
Nortel Networks, Inc. | Unknown | 5-Jul-2007
Novell, Inc. | Unknown | 5-Jul-2007
OpenBSD | Unknown | 5-Jul-2007
Openwall GNU/*/Linux | Unknown | 5-Jul-2007
Proland Software, Inc. | Unknown | 5-Jul-2007
QNX, Software Systems, Inc. | Unknown | 5-Jul-2007
Red Hat, Inc. | Not Vulnerable | 10-Jul-2007
Silicon Graphics, Inc. | Unknown | 5-Jul-2007
Slackware Linux Inc. | Unknown | 5-Jul-2007
Snort | Not Vulnerable | 6-Jul-2007
Sony Corporation | Unknown | 5-Jul-2007
Sophos, Inc. | Unknown | 5-Jul-2007
Sourcefire | Unknown | 5-Jul-2007
Sun Microsystems, Inc. | Unknown | 5-Jul-2007
SUSE Linux | Unknown | 5-Jul-2007
Symantec, Inc. | Unknown | 5-Jul-2007
The SCO Group | Unknown | 5-Jul-2007
TippingPoint, Technologies, Inc. | Not Vulnerable | 6-Jul-2007
Trend Micro | Unknown | 5-Jul-2007
Trustix Secure Linux | Unknown | 5-Jul-2007
Turbolinux | Unknown | 5-Jul-2007
Ubuntu | Unknown | 5-Jul-2007
Unisys | Unknown | 5-Jul-2007
Wind River Systems, Inc. | Unknown | 5-Jul-2007

References


http://park8.wakwak.com/~app/Lhaca/
http://www.securityfocus.com/bid/24604
http://www.symantec.com/enterprise/security_response/weblog/2007/06/beware_of_lzh.html
http://vuln.sg/lhaca121-en.html
http://64.233.179.104/translate_c?hl=en&u=http://park8.wakwak.com/~app/Lhaca/overflow.html&prev=/search%3Fq%3Dlhaca%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26hs%3DirC
http://en.wikipedia.org/wiki/LHA_(software)
http://secunia.com/advisories/25826/
http://oku.edu.mie-u.ac.jp/~okumura/compression/history.html

Credit

Thanks to Lhaca, Symantec, and Vuln.sg for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 06/25/2007
Date First Published: 07/06/2007 02:58:06 PM
Date Last Updated: 07/17/2007
CERT Advisory:
CVE Name: CVE-2007-3375
Metric: 4.02
Document Revision: 8

Original Source

Url : http://www.kb.cert.org/vuls/id/871497

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

Open Source Vulnerability Database (OSVDB)

Id Description
5753 LHA get_header() Function File / Directory Name Handling Overflow

A remote overflow exists in LHA. The get_header() function fails to perform proper bounds checking resulting in a buffer overflow. By sending an LHA archive containing files with overly long file or directory names, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

Nessus® Vulnerability Scanner

Date Description
2004-09-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-515.nasl - Type : ACT_GATHER_INFO