SecurityTracker.com
Category:  Application (Web Browser)  >  Lynx
Vendors:  [Multiple Authors/Vendors]
Lynx Web Browser Format String Flaw Lets Remote Web Sites (URLs) Execute Arbitrary Commands on the Host in a Certain Configuration
Date:  Dec 27 2001
Impact:  Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 2.8.4rel.1 (17 Jul 2001) and 2.8.5dev.5.gz
Description:  A format string vulnerability was reported in the Lynx web browser. A remote web site may be able to cause arbitrary commands to be executed on the browser's host.

The flaw is reported in LYUtils.c at line 7995, where syslog() is called with the format argument omitted, so the buffer holding the URL being logged is itself used as the format string.

The vulnerability can reportedly be triggered only if syslogging of URLs is enabled (for example, by building with ./configure --enable-syslog).

The following URL is a demonstration exploit URL:

lynx http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80

The above URL will apparently cause the following to be logged to syslog.

Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80
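
Added example, not part of the original advisory or of the Lynx source: a small C audit helper that counts the printf-style conversions a string would consume if it were passed as the format, next to a logging wrapper that uses a constant "%s" format. The function names count_format_directives, logged_verbatim and log_url are hypothetical, and the scanner covers the common conversion syntax only.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count the printf-style conversions in s that would each consume an
 * argument if s were used as the format string. "%%" is a literal. */
int count_format_directives(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        s += strspn(s, "-+ #0");                       /* flags */
        if (*s == '*') { n++; s++; }                   /* width from argument */
        else s += strspn(s, "0123456789");
        if (*s == '.') {                               /* precision */
            s++;
            if (*s == '*') { n++; s++; }
            else s += strspn(s, "0123456789");
        }
        s += strspn(s, "hlLqjzt");                     /* length modifiers */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s)) { n++; s++; }
    }
    return n;
}

/* Format untrusted text through a constant "%s" and report whether it
 * came out byte-for-byte unchanged. */
int logged_verbatim(const char *untrusted)
{
    char out[512];
    int n = snprintf(out, sizeof out, "%s", untrusted);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, untrusted) == 0;
}

/* Logging wrapper: the format is always a literal, the URL is only data. */
void log_url(const char *url)
{
    syslog(LOG_INFO | LOG_LOCAL5, "%s", url);
}

int main(void)
{
    /* Demonstration URL quoted in the advisory. */
    const char *url = "http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80";
    printf("directives=%d verbatim=%d\n",
           count_format_directives(url), logged_verbatim(url));
    log_url(url);
    return 0;
}
```

The two conversions counted in the demonstration URL correspond to the two numbers that appear in the logged line above.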



Impact:  A remote user can create a malicious URL that will cause arbitrary commands to be executed on the lynx user's host.
Solution:  No solution was available at the time of this entry. The vendor is reportedly working on a fix. The author of the report has provided the following patch:

line 7995:
- -syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);
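Review bot: this hunk names its target only as "line 7995", with no file header or context lines, so it cannot be applied with patch and will miss if the line has moved; name LYUtils.c and include the surrounding lines. The leading "- -" on the removed line is the dash escape carried over from the PGP-signed message, so the line actually removed is "-syslog (LOG_INFO|LOG_LOCAL5, buf);". The replacement itself, a constant "%s" format with buf passed as data, is the right shape; before treating the fix as complete, check any other syslog() call that takes a variable as its format argument.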

Vendor URL:  lynx.isc.org/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "Larry W. Cashdollar" <lwc@vapid.dhs.org>
Message History:   None.


 Source Message Contents

Date:  Thu, 27 Dec 2001 12:23:01 -0500 (EST)
From:  "Larry W. Cashdollar" <lwc@vapid.dhs.org>
Subject:  Lynx format string vulnerability in URL logging.

 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The vendor has been notified, but since this is a low risk I am
releasing early.


				Vapid Labs
			    Larry W. Cashdollar
				Bug Report

Summary: lynx has a format string vulnerability in LYUtils.c line 7995 due
	 to a bad call to syslog(), where the format argument is omitted.

Risk: Low

Version: Lynx compiled from FreeBSD ports collection.  Also tested in
2.8.5dev.5.gz

[larryc@harod ~ $] lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
Built on freebsd4.4 Dec 25 2001 23:04:31


Details:

line 7995 in LYUtils.c reads:
syslog (LOG_INFO|LOG_LOCAL5, buf);

The reason this is low priority is the bug can only be triggered if
syslogging URLs is enabled.
(./configure --enable-syslog)

Exploit:

The following url triggers the bug:

[larryc@harod ~ $] lynx http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80

Results in the following logged to syslog.

Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80

Fix:

line 7995:
- -syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);


Larry W. Cashdollar
http://vapid.dhs.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8K1iX1hSQ6Gxh/KoRAiiXAJ9y89t6QYewx2tCiHT8JwsplvLMsgCfQBDD
mrfnwVrdUUNRaKLdGIOtWfI=
=sNDc
-----END PGP SIGNATURE-----

 



Copyright 2002, SecurityGlobal.net LLC