From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-VBA32: Checked Message-ID: <437622D4.6030804@nm.ru> Date: Sat, 12 Nov 2005 19:13:56 +0200 From: Artem User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050719) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ALT Linux Sisyphus discussion list Content-Type: multipart/mixed; boundary="------------070502050707020807060308" Cc: Subject: [sisyphus] [Fwd: [VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability] X-BeenThere: sisyphus@lists.altlinux.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: ALT Linux Sisyphus discussion list List-Id: ALT Linux Sisyphus discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Nov 2005 17:14:22 -0000 Archived-At: List-Archive: List-Post: This is a multi-part message in MIME format. --------------070502050707020807060308 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit --------------070502050707020807060308 Content-Type: message/rfc822; name="[VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx CommandInjection Vulnerability" Content-Transfer-Encoding: 8bit Content-Disposition: inline; filename="[VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx CommandInjection Vulnerability" X-Account-Key: account8 X-VBA32: Checked Return-Path: Received: from [192.168.0.6] (HELO tut.by) by tut.by (CommuniGate Pro SMTP 4.3.6) with ESMTP id 18187579 for hck@tut.by; Fri, 11 Nov 2005 19:36:14 +0200 X-SpamTest-Info: Profile: Formal (278/051031) X-SpamTest-Info: Profile: Detect Hard No RBL (4/030526) X-SpamTest-Info: Profile: Marking Spam - Subject (2/030321) X-SpamTest-Status: Not detected X-SpamTest-Version: SMTP-Filter Version 2.1.1 [0150], SpamtestISP/Release Received: from [199.201.145.182] (HELO vikki.vulnwatch.org) by tut.by (CommuniGate Pro SMTP 4.3.7) with SMTP id 44003752 for hck@tut.by; Fri, 11 Nov 2005 19:35:33 +0200 Received: (qmail 17316 invoked by alias); 11 Nov 2005 18:09:16 -0000 Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list vulnwatch@vulnwatch.org Delivered-To: moderator for vulnwatch@vulnwatch.org Received: (qmail 30187 invoked from network); 11 Nov 2005 17:30:36 -0000 Message-ID: <4374CA91.2080200@idefense.com> Date: Fri, 11 Nov 2005 11:45:05 -0500 From: "labs-no-reply@idefense.com" User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Subject: [VulnWatch] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability Multiple Vendor Lynx Command Injection Vulnerability iDefense Security Advisory 11.11.05 www.idefense.com/application/poi/display?id=338&type=vulnerabilities November 11, 2005 I. BACKGROUND Lynx is a fully-featured WWW client for users running cursor- addressable, character-cell display devices such as vt100 terminals and terminal emulators. Lynx support a number of protocols including HTTP, HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi servers, and services accessible via logons to telnet, tn3270 or rlogin accounts. II. DESCRIPTION Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx. III. ANALYSIS Successful exploitation of the described vulnerability allows remote attackers to execute arbitrary commands with the privileges of the underlying user. Exploitation requires that an attacker convince a target user to follow a malicious link from within a vulnerable version of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to trigger the issue. However, they are rarely compiled into the Lynx binary. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in the latest stable release of Lynx, version 2.8.5. It is suspected that earlier versions are also affected. The following vendors include susceptible Lynx packages within their respective distributions: * Red Hat Inc. * Gentoo Foundation Inc. * Mandriva SA Other vendors are suspected as also being vulnerable. The following vendors include Lynx packages that are not susceptible to exploitation as the "lynxcgi" feature is not compiled into Lynx by default: * The FreeBSD Project * OpenBSD V. WORKAROUND Disable "lynxcgi" links by specifying the following directive in lynx.cfg: TRUSTED_LYNXCGI:none VI. VENDOR RESPONSE Development version 2.8.6dev.15 has been released to address this issue and is available from the following URLs: http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz http://lynx.isc.org/current/lynx2.8.6dev.15.zip Alternately, an incremental patch is available at: http://lynx.isc.org/current/2.8.6dev.15.patch.gz VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-2929 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 10/27/2005 Initial vendor notification 10/28/2005 Initial vendor response 11/11/2005 Public disclosure IX. CREDIT vade79 (http://fakehalo.us) is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. --------------070502050707020807060308--