Re: LYNX-DEV Alleged Lynx security emergency
From: Wayne Buttles
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Tue, 1 Jul 1997 14:28:43 -0400 (EDT)
On Tue, 1 Jul 1997, Foteos Macrides wrote:
> Wayne's posted patch ...
I don't remember posting any patch, although I have always wondered if I
had multiple personalities that were virtually the same...that would
explain the lack of short term memory ;-)
> There seems to be more to it than what you and Wayne are claiming
> about it being equivalent to a script entered on the command line.
This error can affect DOS, so mix that into the equation as you see fit.
Just change the ;/bin/sh; to |someprog.exe| and you can see the same
behavior. If there was a way to force a download without confirming the
sugfilename then this would be VERY dangerous as a redirection, but since
the user has to willingly confirm the action it is their fault IMHO.
> For example, the LYK_SHELL command on Unix uses system("exec $SHELL");
> and that works cleanly. The posted spoofing LYNXDOWNLOAD URL ends up
> with system("/bin/cp /dev/null;/bin/sh; /dev/null"); and it causes
> /dev/null to be replaced with a real, empty file (no longer symbolic)
> even though the account running Lynx doesn't have privileges to do that.
I just tried it as a straight user which failed to modify /dev/null. I
then tried it as root su'd as a user which DID modify /dev/null.
As to what is causing the file to change...I think this is where that
actually happens (from LYDownload.c):
    /* see if we can write to it */
    if ((fp = fopen(buffer,"w")) != NULL) {
        fclose(fp);
        remove(buffer);
    } else {
        HTAlert(CANNOT_WRITE_TO_FILE);
        _statusline(NEW_FILENAME_PROMPT);
        FirstRecall = TRUE;
        FnameNum = FnameTotal;
        goto retry;
    }
> Also, the invoked shell has strange terminal characteristics, which you
> can almost but not quite clean up with ^Jstty sane^J^J. When I tried a
> spoofing URL which yields system("/bin/cp foo bar;exec $SHELL; bar");
> where foo exists so there is no cp error, it still gave me a shell with
> strange terminal characteristics.
Just conjecture, but it may just be the mode lynx leaves the keyboard in
that causes the strange terminal characteristics.
Wayne
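
The write test quoted from LYDownload.c in the message above truncates and then removes whatever the name points at, so a sufficiently privileged process destroys an existing object just by probing it. The following is an added example, not part of the original message and not Lynx code: `legacy_probe` mirrors the quoted lines, while `safe_probe` and `bytes_left_after` are hypothetical names, and the scratch file under /tmp is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The probe as quoted from LYDownload.c: truncates, then removes `path`. */
int legacy_probe(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fclose(fp);
    remove(path);
    return 0;
}

/* Hypothetical replacement: never truncates or removes a pre-existing object. */
int safe_probe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {                /* we created it, so it is ours to remove */
        close(fd);
        unlink(path);
        return 0;
    }
    if (errno != EEXIST) return -1;   /* no such directory, no permission, ... */
    /* Already present: accept only a regular file (not a device node,
     * symlink, FIFO or directory) and leave it exactly as it is. */
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return access(path, W_OK) == 0 ? 0 : -1;
}

/* Constructed demo: put 4 bytes in a scratch file, run `probe` on it and
 * return how many bytes are left (-1 if the file is gone, -2 on setup error). */
long bytes_left_after(int (*probe)(const char *))
{
    char path[] = "/tmp/probe-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    long left;
    if (fd < 0 || write(fd, "data", 4) != 4) return -2;
    close(fd);
    probe(path);
    left = (stat(path, &st) == 0) ? (long)st.st_size : -1;
    unlink(path);
    return left;
}
```

A probe like this is only advisory: the code that later performs the real write still has to check what it actually opened.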