SecurityTracker.com
Category:   Application (Web Browser)  >   Lynx
Vendors:   [Multiple Authors/Vendors]
Lynx Buffer Overflow in HTrjis() in Processing NNTP Headers Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015065
SecurityTracker URL:  http://securitytracker.com/id/1015065
CVE Reference:   CVE-2005-3120
Updated:  Jan 22 2008
Original Entry Date:  Oct 17 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.8.5 and prior versions
Description:   A vulnerability was reported in Lynx. A remote user can cause arbitrary code to be executed on the target user's system.

A remote NNTP server can send a reply with specially crafted article headers to a connected client to trigger a buffer overflow in HTrjis() on the client. Arbitrary code can be executed with the privileges of the target user.

It may be possible to post malicious content to a valid and non-malicious NNTP server to attack clients that connect to the server.

Ulf Harnhammar reported this vulnerability.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system when the target user connects to an NNTP server hosting malicious content.
Solution:   The vendor has issued a fixed development version (2.8.6dev.14), available at:

http://lynx.isc.org/current/index.html

Red Hat has issued a fix for Red Hat Enterprise Linux 2.1, 3, and 4:

https://rhn.redhat.com/errata/RHSA-2005-803.html

Vendor URL:  lynx.isc.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 17 2005 (Red Hat Issues Fix) Lynx Buffer Overflow in HTrjis() in Processing NNTP Headers Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, and 4.



 Source Message Contents

Subject:  [Full-disclosure] Lynx Remote Buffer Overflow



Lynx Remote Buffer Overflow


BACKGROUND


"Lynx is a fully-featured World Wide Web (WWW) client for users
running cursor-addressable, character-cell display devices such
as vt100 terminals, vt100 emulators running on Windows 95/NT or
Macintoshes, or any other character-cell display. It will display
Hypertext Markup Language (HTML) documents containing links to files
on the local system, as well as files on remote systems running
http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers,
and services accessible via logins to telnet, tn3270 or rlogin
accounts. Current versions of Lynx run on Unix, VMS, Windows95/NT,
386DOS and OS/2 EMX."

(from the program's README file)

Lynx is available in all popular Linux distributions and *BSD ports
collections. More information can be found on the program's home
page:  http://lynx.isc.org/


BUG


I have found a remote buffer overflow in Lynx. It occurs when a
Lynx user selects malicious links or simply visits malicious URLs!

When Lynx connects to an NNTP server to fetch information about the
available articles in a newsgroup, it will call a function called
HTrjis() with the information from certain article headers. The
function adds missing ESC characters to certain data, to support
Asian character sets. However, it does not check if it writes outside
of the char array buf, and that causes a remote stack-based buffer
overflow, with full control over EIP, EBX, EBP, ESI and EDI.

Two attack vectors to make a victim visit a URL to a dangerous
news server are: (a) *links in web pages*, where the victim visits
some web page and selects a link on the page to a malicious URL,
and (b) *redirecting scripts*, where the victim visits a URL and
it redirects automatically to a malicious URL. Attack vector (a)
is helped by the fact that Lynx does not automatically display
where links lead to, unlike many graphical web browsers.

A victim is in danger when his or her Lynx session is forced to
visit a URL of the types "nntp://some.news.server/group.name" or
"news:group.name", and the server that Lynx connects to must send
back article headers with certain malicious data. It may be possible
to make real news servers distribute such articles without technical
problems, but that has not been tested.

The vulnerable versions are at least 2.8.5, 2.8.6dev.13, 2.8.4
and 2.8.3. (2.8.2 is apparently also vulnerable to a slightly
different attack.)

The bug has the identifier CAN-2005-3120.


TESTING AND PATCHING


I have attached a malicious NNTP server that exhibits this
problem. (As noted above, it might be possible to exploit
this issue through legitimate news servers as well.) You just
run this server, then you start Lynx with a URL of the type
"nntp://malicious.server/group.name", and Lynx will crash
immediately.

To test the attack vectors, I have also included a redirecting
script and a web page with a link to a malicious server.

Finally, I have attached a patch for this issue. It just stops
copying when it comes close to the end of the array.

The bug was reported to the Lynx developers and to the vendor-sec
mailing list, and the 17th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

[ I would love to audit free/open source software for a living, so
  please e-mail any job offers to: metaur@telia.com ]
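
[Added example, not part of the original post, the attached patch, or Lynx's source.] The fix described above, stopping the copy near the end of the array, sketched in C for a routine that restores missing ESC bytes and can therefore write more bytes than it reads. The function names, the 16-byte buffer and the designator set ("$B", "$@", "(B", "(J") are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
#define BUF_SIZE 16   /* constructed size, small so truncation is easy to see */

/* True if s starts a two-byte JIS designator that is missing its ESC. */
static int bare_designator(const char *s)
{
    return (s[0] == '$' && (s[1] == 'B' || s[1] == '@')) ||
           (s[0] == '(' && (s[1] == 'B' || s[1] == 'J'));
}

/*
 * Copy src into dst (dstsize bytes), inserting ESC before each bare
 * designator. The output can be longer than the input, so the bound is
 * checked against the output index on every iteration, not against
 * strlen(src). Returns 0 if all of src fit, 1 if copying stopped early.
 * dst is NUL-terminated whenever dstsize > 0.
 */
int restore_esc_bounded(const char *src, char *dst, size_t dstsize)
{
    size_t out = 0;
    int prev_esc = 0;

    if (dstsize == 0)
        return 1;
    while (*src != '\0') {
        int insert = !prev_esc && bare_designator(src);
        /* ESC + both designator bytes (or one plain byte) + NUL must fit */
        if (out + (insert ? 3 : 1) >= dstsize)
            break;
        if (insert)
            dst[out++] = ESC;
        prev_esc = (*src == ESC);
        dst[out++] = *src++;
    }
    dst[out] = '\0';
    return *src != '\0';
}

int main(void)
{
    char buf[BUF_SIZE];
    /* constructed input: 12 bytes in, 18 bytes out if every ESC were restored */
    int cut = restore_esc_bounded("$B$B$B$B$B$B", buf, sizeof buf);
    printf("truncated=%d stored=%zu\n", cut, strlen(buf));
    return 0;
}
```

The input in main() is shorter than the buffer, yet its expanded form is not, which is why a length check on the incoming header alone would not be enough for this kind of routine.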

