Nasty Flaw found in Lhasa LZH/LHA decompression tool
http://blog.talosintel.com/2016/03/vuln ... lhasa.html
Cisco's Talos team has found a vulnerability in the Lhasa LZH/LHA decompression tool and library, and it's a nasty one because it means the decompression process gives attackers the chance to put whatever code they want on your machine.
The problem is an integer underflow.
“The software verifies that header values are not too large, but does not check for a too small header length,
From CVE-Mitre org site
The following description comes from Cisco-Talos...
TALOS-2016-0095
Lhasa lha decode_level3_header Heap Corruption Vulnerability
March 31, 2016
Report ID
CVE-2016-2347
Summary
An exploitable integer underflow exists during calculation size for all headers in decode_level3_header function of Lhasa (lha) application.
Smaller value of header_len than LEVEL_3_HEADER_LEN ( 32 ) cause during subtraction integer underflow and lead later to memory corruption via heap based buffer overflow.
Full report is here.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
separately
The XArchive utility in some puppies does not recognize the lha (LHASA) compression format. However, users with an IBM/Lenovo based PC/lappy MAY have it in Windows as X-Force.
Re: Nasty Flaw found in Lhasa LZH/LHA decompression tool
Scooby wrote:OK
But what is required to be vulnerable?
I for one do not have the lhasa tool installed?
Is it common in most puppies?
Daleb wrote:Noga reckons the first thing bad guys would do with this flaw is put something horrid in a compressed file in the hope you open it and end up with something nasty on your machine. He's also worried that this could become an espionage tool, because the tool is used in roles where users never see it, like decompressing email attachments. If the flaw means code runs somewhere like an email server, it could read the contents of files and exfiltrate them and users who are ignorant of attachments being compressed to start with will never suspect anything is amiss.
I'm guessing by that line it's both Windows and Linux users???
Last edited by Atle on Mon 04 Apr 2016, 14:57, edited 3 times in total.
This all came out very wrong.... is this what it's about?
https://en.wikipedia.org/wiki/LHA_(file_format)
Last edited by Atle on Mon 04 Apr 2016, 14:58, edited 2 times in total.
Yes, this is what it's about. Common in Japan, and far-east, and used in DOS (up to WIN7 anyways). Generally limited to Windows OS, but we (puppy users) should check into WINE compatibility. So 'possibly' WINE users 'may' be affected.
I personally don't use WINE, but realise the implication to non-USA users with M$ os's.
Re: Nasty Flaw found in Lhasa LZH/LHA decompression tool
Scooby wrote:OK
But what is required to be vulnerable?
I for one do not have the lhasa tool installed?
Is it common in most puppies?
Daleb wrote:Noga reckons the first thing bad guys would do with this flaw is put something horrid in a compressed file in the hope you open it and end up with something nasty on your machine. He's also worried that this could become an espionage tool, because the tool is used in roles where users never see it, like decompressing email attachments. If the flaw means code runs somewhere like an email server, it could read the contents of files and exfiltrate them and users who are ignorant of attachments being compressed to start with will never suspect anything is amiss.
Daleb wrote:I'm guessing by that line it's both Windows and Linux users???
Yeah it's also for linux users however my point is that it is not present
on my system and hence I'm not directly vulnerable
I recognize that I am indirectly vulnerable to as described by
your quote, as in an email-server, However I cannot do anything
about that on my comp. That is for the email-server admin to address.
From the responses I gather that lha tool is not common on puppies
so we cannot do much to address it, right?
Daleb wrote:Sorry Dude but all I know is what the News article says and I don't fully understand it myself.
It turned up on Google news search and some of the user comments were going loopy about it so I thought I would post it on here.
Yep and I appreciate that, keep it coming.
But in my opinion it is important to discern the real level of threat
I run DebianDog Jessie (Openbox) http://murga-linux.com/puppy/viewtopic. ... 903#847903 and hadn't run an update for a week or two. After just running it looks like quite a few updates have occurred recently, some of which might be fixes for the lzh/lha ???
That's one of the main reasons I like DD - Debian seem to keep right on top of fixes and also stick to stable versions of programs.
Toni and Fred do a great job of puppy'fying Debian (I frugal boot (Porteus style)). Best of both worlds
Scooby wrote:But in my opinion it is important to discern the real level of threat
I've not seen it mentioned on the main News sites like Heartbleed.
I wonder if the term in the article "espionage tool" means it refers to internal mail systems used by large companies rather than global email servers like Gmail.
But I'm just guessing.........
rufwoof wrote:That's one of the main reasons I like DD - Debian seem to keep right on top of fixes and also stick to stable versions of programs
It seems the days of not bothering to update or patch Linux are well and truly over..........
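The size calculation described in the Talos summary quoted in the first post, as an added C sketch that is not Lhasa's source and not part of any post in this thread. Only LEVEL_3_HEADER_LEN = 32 comes from the summary; the field offset, the upper limit and all function names are assumptions. It contrasts a parser that rejects only oversized lengths with one that also rejects lengths below the fixed header size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEVEL_3_HEADER_LEN 32u      /* fixed part; value from the Talos summary */
#define MAX_HEADER_LEN     0x10000u /* assumed upper limit for this sketch */
#define LEN_FIELD_OFFSET   24u      /* assumed offset of the 32-bit length field */

/* Read the little-endian total header length out of the fixed part. */
static uint32_t read_header_len(const uint8_t *fixed)
{
    const uint8_t *p = fixed + LEN_FIELD_OFFSET;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: "too large" is rejected, "too small" is not. Returns size or -1. */
int64_t ext_size_upper_check_only(const uint8_t *fixed)
{
    uint32_t header_len = read_header_len(fixed);
    if (header_len > MAX_HEADER_LEN) return -1;
    uint32_t ext = header_len - LEVEL_3_HEADER_LEN; /* unsigned: wraps below 32 */
    return ext;
}

/* Hardened pattern: enforce the lower bound before subtracting. Returns size or -1. */
int64_t ext_size_checked(const uint8_t *fixed)
{
    uint32_t header_len = read_header_len(fixed);
    if (header_len < LEVEL_3_HEADER_LEN || header_len > MAX_HEADER_LEN) return -1;
    return header_len - LEVEL_3_HEADER_LEN;
}

/* Build a constructed 32-byte fixed header carrying the given length value. */
const uint8_t *fixed_header(uint32_t header_len)
{
    static uint8_t buf[LEVEL_3_HEADER_LEN];
    memset(buf, 0, sizeof buf);
    for (unsigned i = 0; i < 4; i++)
        buf[LEN_FIELD_OFFSET + i] = (uint8_t)(header_len >> (8 * i));
    return buf;
}

int main(void)
{
    const uint8_t *h = fixed_header(16); /* constructed: shorter than the fixed part */
    printf("upper check only: %lld\n", (long long)ext_size_upper_check_only(h));
    printf("both bounds:      %lld\n", (long long)ext_size_checked(h));
    return 0;
}
```

A size near 4 GiB coming out of the first function is the wrapped value that later length arithmetic would trust; the second function refuses the header before any subtraction happens.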