From: Artem <u2u@nm.ru> To: ALT Linux Sisyphus discussion list <sisyphus@altlinux.ru> Subject: [sisyphus] [Fwd: [VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability] Date: Sat, 12 Nov 2005 19:13:56 +0200 Message-ID: <437622D4.6030804@nm.ru> (raw) [-- Attachment #1: Type: text/plain, Size: 1 bytes --] [-- Attachment #2: [VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx CommandInjection Vulnerability --] [-- Type: message/rfc822, Size: 5925 bytes --] From: "labs-no-reply@idefense.com" <labs-no-reply@idefense.com> To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Subject: [VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability Date: Fri, 11 Nov 2005 11:45:05 -0500 Message-ID: <4374CA91.2080200@idefense.com> Multiple Vendor Lynx Command Injection Vulnerability iDefense Security Advisory 11.11.05 www.idefense.com/application/poi/display?id=338&type=vulnerabilities November 11, 2005 I. BACKGROUND Lynx is a fully-featured WWW client for users running cursor- addressable, character-cell display devices such as vt100 terminals and terminal emulators. Lynx support a number of protocols including HTTP, HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi servers, and services accessible via logons to telnet, tn3270 or rlogin accounts. II. DESCRIPTION Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx. III. ANALYSIS Successful exploitation of the described vulnerability allows remote attackers to execute arbitrary commands with the privileges of the underlying user. Exploitation requires that an attacker convince a target user to follow a malicious link from within a vulnerable version of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to trigger the issue. However, they are rarely compiled into the Lynx binary. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in the latest stable release of Lynx, version 2.8.5. It is suspected that earlier versions are also affected. The following vendors include susceptible Lynx packages within their respective distributions: * Red Hat Inc. * Gentoo Foundation Inc. * Mandriva SA Other vendors are suspected as also being vulnerable. The following vendors include Lynx packages that are not susceptible to exploitation as the "lynxcgi" feature is not compiled into Lynx by default: * The FreeBSD Project * OpenBSD V. WORKAROUND Disable "lynxcgi" links by specifying the following directive in lynx.cfg: TRUSTED_LYNXCGI:none VI. VENDOR RESPONSE Development version 2.8.6dev.15 has been released to address this issue and is available from the following URLs: http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz http://lynx.isc.org/current/lynx2.8.6dev.15.zip Alternately, an incremental patch is available at: http://lynx.isc.org/current/2.8.6dev.15.patch.gz VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-2929 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 10/27/2005 Initial vendor notification 10/28/2005 Initial vendor response 11/11/2005 Public disclosure IX. CREDIT vade79 (http://fakehalo.us) is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
next reply other threads:[~2005-11-12 17:13 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2005-11-12 17:13 Artem [this message] 2005-11-13 19:00 ` [sisyphus] " Michael Shigorin 2006-01-25 22:59 ` Arioch 2006-01-26 5:58 ` Andrey Rahmatullin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=437622D4.6030804@nm.ru \ --to=u2u@nm.ru \ --cc=sisyphus@altlinux.ru \ --cc=sisyphus@lists.altlinux.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
ALT Linux Sisyphus discussions This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/sisyphus/0 sisyphus/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 sisyphus sisyphus/ http://lore.altlinux.org/sisyphus \ sisyphus@altlinux.ru sisyphus@altlinux.org sisyphus@lists.altlinux.org sisyphus@lists.altlinux.ru sisyphus@lists.altlinux.com sisyphus@linuxteam.iplabs.ru sisyphus@list.linux-os.ru public-inbox-index sisyphus Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.sisyphus AGPL code for this site: git clone https://public-inbox.org/public-inbox.git