CONTACT INFORMATION
===============================================================================
Let us know who you are:

Name                    : Jim Spath
E-mail                  : jspath@bcpl.net
Phone / fax             : 410-716-2115
Affiliation and address : Lynx developers

Have you reported this to the vendor? We are the vendors, so to speak.

First reported to the lynx-dev list by: Marc Heuse, SuSE GmbH,
Schanzaeckerstr. 10, 90443 Nuernberg
E-mail: marc@suse.de

Patch prepared by: Klaus Weide

Questions about this bulletin itself can be sent to Jim Spath ; questions
about Lynx can be sent to .

POLICY INFO
===============================================================================
We encourage communication between vendors and their customers. When we
forward a report to the vendor, we include the reporter's name and contact
information unless you let us know otherwise. If you want this report to
remain anonymous, please check here:

___ Do not release my identity to your vendor contact.

TECHNICAL INFO
===============================================================================
If there is a CERT Vulnerability tracking number please put it here (otherwise
leave blank): VU#______.

Please describe the vulnerability.
----------------------------------
Topic: Vulnerability in Lynx calling external programs

Lynx has a problem when calling external programs to handle protocols such as
telnet://. The hostname part of the URL is passed to the external program as a
command-line argument, so a "hostname" that begins with '-' is read by that
program as an option.

Example: attempting to view the URL 'telnet://-n.rhosts' makes Lynx run telnet
with the argument "-n.rhosts". A telnet that accepts "-n" with the trace-file
name attached then opens ".rhosts" as its trace file, and any .rhosts file in
Lynx's current directory is overwritten (its previous contents are lost).

What is the impact of this vulnerability?
-----------------------------------------
a) What is the specific impact:
   Files owned by the user running lynx may be destroyed.

b) How would you envision it being used in an attack scenario:
   An attacker who places specific links on web pages would be able to erase
   files on the remote system of anyone following them. No known method would
   allow an attacker to create files with chosen content on remote systems.

To your knowledge is the vulnerability currently being exploited?
-----------------------------------------------------------------
no

If there is an exploitation script available, please include it here.
---------------------------------------------------------------------

Do you know what systems and/or configurations are vulnerable?
--------------------------------------------------------------
yes

System     : Any version of lynx where a telnet action is defined
OS version : Any, but UNIX is most likely vulnerable

Verified/Guessed: (See below for details on command-line processing effects)
  DEC UNIX 4.0 running 2.8.2dev.21 (30 Mar 1999) is *not* vulnerable.
  NetBSD running 2.8.3dev.8 (28 Aug 1999) verified vulnerable.
  Solaris running 2.8.2 and 2.8.3 verified vulnerable.

Are you aware of any workarounds and/or fixes for this vulnerability?
---------------------------------------------------------------------
See the patch at the end of this report; it should apply to 2.8.2rel.1 and
2.8.3dev.N (*not* to 2.8.1 or earlier). It may be found in the 2.8.2 fixes set
in .

It should be emphasised that no way is known to fill the file automatically
with content chosen by an intruder. Whether the attack works at all depends on
the "telnet" binary of the system that is compiled into lynx (similarly for
"tn3270" and "rlogin"). Only external programs that create log or trace files
can be exploited in this way. Lynx is often installed without external
programs defined (e.g., for anonymous access), so those installations are
safe.

If the telnet binary requires a space between "-n" and the trace-file name,
the file will not be created. DEC UNIX requires the space, for example, and is
thus safe. URLs with escaped spaces have no effect. Only files in the current
directory can be overwritten, since no '/' is possible in the fake hostname.
The current directory is the one in which lynx was started.
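The mechanism described above, and the hostname rules that the patch at the end of this report enforces in HTTCP.c, as an added example in C. This is not Lynx's own code: the names valid_hostname_before_patch, valid_hostname_after_patch, telnet_tracefile_for_arg and label_of_length_is_valid are chosen here, the allowed-character set is a simplification of Lynx's "somewhat relaxed" set, and telnet_tracefile_for_arg is only a model of the two option-parsing behaviours the report describes (attached "-nFILE" accepted, versus a space required between "-n" and the file name), not real telnet code.

```c
/* Added example, not Lynx code: the hostname rules from the HTTCP.c patch,
 * before and after the fix, plus a model of how a telnet front end reads the
 * "hostname" Lynx hands it.  Assumptions are marked below. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: Lynx's "somewhat relaxed" valid-character set is approximated
 * as letters, digits, '-' and '_'.  '/' is never valid, which is why the fake
 * hostname can only name a file in Lynx's current directory. */
static int valid_host_char(int c)
{
    return isalnum(c) || c == '-' || c == '_';
}

/* Core check.  reject_dash_segments == 0 reproduces the pre-patch rules;
 * == 1 adds the patch's "no segment starts with '-' or '+'" rule. */
static int check_hostname(const char *host, int reject_dash_segments)
{
    size_t len = strlen(host);
    size_t iseg = 0;                 /* characters seen in current segment */
    const char *cp;

    if (len == 0)
        return 0;
    /* total length <= 254 with a trailing dot, 253 otherwise (RFC 1034/1035) */
    if (len > (host[len - 1] == '.' ? 254u : 253u))
        return 0;

    for (cp = host; *cp != '\0'; cp++) {
        if (*cp == '.') {
            if (iseg == 0)           /* leading dot or empty segment ("a..b") */
                return 0;
            iseg = 0;
            continue;
        }
        if (!valid_host_char((unsigned char)*cp))
            return 0;
        if (reject_dash_segments && iseg == 0 && (*cp == '-' || *cp == '+'))
            return 0;                /* the added rule: "-n.rhosts" dies here */
        if (++iseg > 63)             /* label length limit, RFC 1034/1035 */
            return 0;
    }
    return 1;
}

int valid_hostname_before_patch(const char *host) { return check_hostname(host, 0); }
int valid_hostname_after_patch(const char *host)  { return check_hostname(host, 1); }

/* Helper for length tests: build a single label of n 'a's and validate it. */
int label_of_length_is_valid(size_t n)
{
    char buf[300];
    if (n >= sizeof buf)
        return 0;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return valid_hostname_after_patch(buf);
}

/* Model (not real telnet code) of a telnet front end receiving the host
 * string as its first argument.
 *   attached_ok = 1: "-nFILE" is taken as -n with FILE attached (the case the
 *                    report verified on NetBSD and Solaris).
 *   attached_ok = 0: the binary insists on "-n FILE" (DEC UNIX), so "-n.rhosts"
 *                    opens no file.
 * Returns the trace-file name that would be opened, or NULL. */
const char *telnet_tracefile_for_arg(const char *arg, int attached_ok)
{
    if (arg[0] == '-' && arg[1] == 'n' && arg[2] != '\0')
        return attached_ok ? arg + 2 : NULL;
    return NULL;
}

int main(void)
{
    /* constructed sample "hostnames" */
    const char *hosts[] = { "www.example.com", "-n.rhosts", "-n/etc/passwd",
                            "mail.-nfoo.example", "a..b", ".example" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const char *h = hosts[i];
        const char *f = telnet_tracefile_for_arg(h, 1);
        printf("%-20s before:%d after:%d  telnet would open: %s\n", h,
               valid_hostname_before_patch(h), valid_hostname_after_patch(h),
               f ? f : "(nothing)");
    }
    return 0;
}
```

The before/after pair shows why the pre-patch validator let "-n.rhosts" through: '-' is a legal hostname character, and nothing checked where in a segment it appeared. The new rule only needs to look at the first character of each segment because that is the only position an option parser ever sees as a leading dash.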
This attack will be visible to attentive users: (a) the URL of such a link
shows that something is wrong (and is visible on the status line if User Mode
is set to Advanced), and (b) telnet will not establish a connection, so the
user gets a "telnet>" prompt and has to do something to proceed.

Workarounds: Users who are stuck with an older version can protect themselves
with one of the following. Better yet, ask the system administrator to upgrade
to a fixed version.

- Start lynx from an empty directory you own, or at least from a directory
  that contains no important files.
- Disable telnet, e.g., with something like
  `lynx -restrictions=inside_telnet,outside_telnet' (this could be an alias
  or a wrapper script).
- Always check where a link leads if you have no reason to trust its source
  (i.e., the containing document).

Note that versions earlier than 2.8.2 may have additional and more severe
problems with "telnet:" (and "tn3270:" and "rlogin:") URLs, so upgrading to at
least 2.8.2 (or to later devel code if you wish) is recommended.

Patch:

*** lynx2-8-2.old/WWW/Library/Implementation/HTTCP.c Tue Jul 20 02:19:59 1999 --- lynx2-8-2/WWW/Library/Implementation/HTTCP.c Mon Aug 30 13:08:47 1999 *************** *** 314,319 **** --- 314,320 ---- ** - contains only valid chars for domain names (actually, the ** restrictions are somewhat relaxed), ** - no leading dots or empty segments, + ** - no segment starts with '-' or '+' [this protects telnet command], ** - max.
length of dot-separated segment <= 63 (RFC 1034,1035), ** - total length <= 254 (if it ends with dot) or 253 (otherwise) ** [an interpretation of RFC 1034,1035, although RFC 1123 *************** *** 341,346 **** --- 342,349 ---- iseg = 0; continue; } + } else if (iseg == 0 && (*cp == '-' || *cp == '+')) { + return NO; } else if (++iseg > 63) { return NO; } Diff finished at Wed Sep 1 08:02:00

OTHER INFORMATION
===========================================================================
Is there anything else you would like to tell us?

If you believe you have found a security problem with the current version of
Lynx, we urge you to forward it to the LYNX-DEV mailing list at .

The LYNX-DEV mailing list (with further information about this vulnerability)
is archived at: http://www.flora.org/lynx-dev/

Lynx security information is available at:
http://www.crl.com/~subir/lynx/security.html

General information about Lynx is available at: http://lynx.browser.org/

On-line help and documentation about Lynx is available using the (h)elp
command. More help is available in the source distribution. Should your
questions not be answered by these means, further questions may be directed
to .

Please don't contact Lynx developers personally about Lynx-related issues; use
either the mailing list or the "help" addresses given above.
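Review bot: in the HTTCP.c hunk at lines 341,346, the new `} else if (iseg == 0 && (*cp == '-' || *cp == '+')) { return NO; }` branch rejects a leading '+' as well as a leading '-', but the comment added at line 314 ("[this protects telnet command]") only explains the '-' case; either say which external program treats a leading '+' as an option, or drop '+' so the comment and the code agree. The placement of the check is right: the preceding `iseg = 0; continue;` branch resets the count at every '.', so the new test sees the first character of every segment, including the first character of the whole name, and "-n.rhosts" is refused before it can reach the telnet command line.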