lynx-dev

Re: LYNX-DEV Alleged Lynx security emergency


From: Wayne Buttles
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Tue, 1 Jul 1997 14:28:43 -0400 (EDT)


On Tue, 1 Jul 1997, Foteos Macrides wrote:

> Wayne's posted patch ...

I don't remember posting any patch, although I have always wondered if I
had multiple personalities that were virtually the same...that would
explain the lack of short term memory ;-)

>       There seems to be more to it than what you and Wayne are claiming
> about it being equivalent to a script entered on the command line.  

This error can affect DOS, so mix that into the equation as you see fit.
Just change the ;/bin/sh; to |someprog.exe| and you can see the same
behavior.  If there was a way to force a download without confirming the
sugfilename then this would be VERY dangerous as a redirection, but since
the user has to willingly confirm the action it is their fault IMHO. 

> For example, the LYK_SHELL command on Unix uses system("exec $SHELL"); 
> and that works cleanly.  The posted spoofing LYNXDOWNLOAD URL ends up
> with system("/bin/cp /dev/null;/bin/sh; /dev/null");  and it causes
> /dev/null to be replaced with a real, empty file (no longer symbolic)
> even though the account running Lynx doesn't have privileges to do that. 

I just tried it as a straight user which failed to modify /dev/null.  I
then tried it as root su'd as a user which DID modify /dev/null.

As to what is causing the file to change...I think this is where that
actually happens (from LYDownload.c): 

        /* see if we can write to it */
        if ((fp = fopen(buffer,"w")) != NULL) {
            fclose(fp);
            remove(buffer);
        } else {
            HTAlert(CANNOT_WRITE_TO_FILE);
            _statusline(NEW_FILENAME_PROMPT);
            FirstRecall = TRUE;
            FnameNum = FnameTotal;
            goto retry;
        }


> Also, the invoked shell has strange terminal characteristics, which you
> can almost but not quite clean up with ^Jstty sane^J^J.  When I tried a
> spoofing URL which yields system("/bin/cp foo bar;exec $SHELL; bar"); 
> where foo exists so there is no cp error, it still gave me a shell with
> strange terminal characteristics. 

Just conjecture, but it may just be the mode lynx leaves the keyboard in
that causes the strange terminal characteristics.

Wayne
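
Added example, not part of the message above and not Lynx code: one way to harden the two spots discussed in this thread, the fopen(buffer,"w")/remove(buffer) writability probe and the copy done through system(). The helper names are hypothetical, and the character set in name_is_shell_safe is a conservative assumption, not a list taken from Lynx.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical check for a name that must still be handed to a shell:
 * refuse anything containing a metacharacter (the ';' and '|' used in the
 * spoofed names quoted in this thread) or starting with '-'. */
int name_is_shell_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '-')
        return 0;
    return name[strcspn(name, ";|&$`<>(){}[]*?!~#'\"\\ \t\r\n")] == '\0';
}

/* Hypothetical replacement for the fopen(buffer,"w") / remove(buffer) probe.
 * O_CREAT|O_EXCL fails with EEXIST rather than truncating an existing file
 * and does not follow a symlink in the last path component, so unlink() only
 * ever removes the file this call created.
 * Returns 1 = can be created, 0 = already exists, -1 = cannot write there. */
int probe_new_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    close(fd);
    unlink(path);
    return 1;
}

/* Copy src to a new file dst inside the process, so no command line is ever
 * built from the name. Returns 0 on success, -1 on error. */
int copy_without_shell(const char *src, const char *dst)
{
    char buf[4096];
    ssize_t n = 0;
    int in = open(src, O_RDONLY);
    int out;
    if (in < 0) return -1;
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    }
    close(in);
    if (close(out) != 0) n = -1;
    if (n < 0) { unlink(dst); return -1; }
    return 0;
}
```

With this probe, an existing target such as /dev/null is reported as "already exists" and left untouched, whatever privileges the process has.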
