lynx-dev

Re: lynx-dev [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlo


From: Klaus Weide
Subject: Re: lynx-dev [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x (fwd)
Date: Thu, 2 Sep 1999 00:51:54 -0500 (CDT)

On Wed, 1 Sep 1999, Marc Heuse wrote:

> Hi,
> 
> this vulnerability was found some weeks ago ...

And apparently nobody thought of contacting lynx-dev about it, up to now.

> when ( - if - ) will be a
> security update available? thanks for your time.

See patch at end, should work for 2.8.2rel.1 and 2.8.3dev.N (*not* for
2.8.1 or earlier).  I hope it will also be added to the 2.8.2 fixes in
<http://www.slcc.edu/lynx/release2-8-2/patches/>.

> ------------------
> lynx and telnet://
> ------------------
> 
> Compromise: remote messing with files, maybe more?
> 
> Lynx has a problem coming from calling external programs to handle
> protocols like telnet://. Example: attempt of viewing 'telnet://-n.rhosts'
> URL will result in empty, new and shiny .rhosts file. Unfortunately, as
> telnet client has session logging off by default, no idea how to put
> something there?

It should be emphasised that 
  - No way is known to fill the file automatically with content desired
    by an intruder.
  - Whether it works at all depends on the "telnet" binary used by the
    system that is compiled into lynx (similarly for "tn3270", "rlogin").
    If the command in question has no way to be told to create a tracefile
    or other kind of file with a command line option, the problem does not
    exist on that system.
  - Only files in the current directory can be overwritten (since no '/'
    are possible in the fake hostname).  The current directory is the one
    in which lynx was started.
  - This attack will be visible to attentive users: (a) the URL for such a
    link shows that something is wrong (and is visible on the statusline
    if User Mode is set to Advanced), and (b) telnet will not establish
    a connection, so the user gets a "telnet>" prompt and needs to do
    something to proceed.

Users that are stuck with an older version can protect themselves by
one of the following.  Better yet, ask the system admin to upgrade to
a fixed version.
 - Start lynx from an empty directory you own, or at least from a
   directory that contains no important files.
 - Disable telnet, e.g. by using something like
     `lynx -restrictions=inside_telnet,outside_telnet'
   (could be an alias or wrapper script)
 - Always check where a link leads to if you have no reason to trust
   its source (i.e. the containing document).

Note that versions earlier than 2.8.2 may have additional and more severe
problems with "telnet:" (and "tn3270:" and "rlogin:") URLs, so upgrading to
at least 2.8.2 (or to later devel code if you wish) is recommended.

   Klaus

*** lynx2-8-2.old/WWW/Library/Implementation/HTTCP.c    Tue Jul 20 02:19:59 1999
--- lynx2-8-2/WWW/Library/Implementation/HTTCP.c        Mon Aug 30 13:08:47 1999
***************
*** 314,319 ****
--- 314,320 ----
  **  - contains only valid chars for domain names (actually, the
  **    restrictions are somewhat relaxed),
  **  - no leading dots or empty segments,
+ **  - no segment starts with '-' or '+' [this protects telnet command],
  **  - max. length of dot-separated segment <= 63 (RFC 1034,1035),
  **  - total length <= 254 (if it ends with dot) or 253 (otherwise)
  **     [an interpretation of RFC 1034,1035, although RFC 1123
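Review bot: the rationale in the added comment line, "[this protects telnet command]", names only telnet, while the accompanying message says the same problem applies to "tn3270" and "rlogin", and the comment does not say why '+' is rejected alongside '-'. Suggest naming all three external commands and adding a few words on '+', so a later maintainer does not relax the rule as an apparent over-restriction.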
***************
*** 341,346 ****
--- 342,349 ----
                iseg = 0;
                continue;
            }
+       } else if (iseg == 0 && (*cp == '-' || *cp == '+')) {
+           return NO;
        } else if (++iseg > 63) {
                return NO;
        }
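Review bot: the new "else if (iseg == 0 && (*cp == '-' || *cp == '+'))" branch only helps on code paths that run this validity check before the hostname reaches an external command line, and nothing in this hunk shows that the telnet, tn3270 and rlogin launchers all do so and refuse the URL when it returns NO. Worth confirming for each of them. Also, because iseg is reset to 0 after each dot, the test fires at the start of every segment rather than only the first; that agrees with the updated comment, but a short comment at the branch itself would make the intent clear.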

Diff finished at Wed Sep  1 08:02:00
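
For reference, the hostname rules listed in the patched comment can be written out as one stand-alone check. This is an added example, not Lynx's HTTCP.c code: the function name host_arg_is_safe and the exact "relaxed" character set (letters, digits, '-', '_') are assumptions, and the sample hostnames in main are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Lynx's HTTCP.c. Returns 1 if host may be passed to an
 * external client (telnet, tn3270, rlogin) as an argument, 0 otherwise. */
int host_arg_is_safe(const char *host)
{
    size_t total, seg = 0;      /* seg: bytes seen in the current segment */
    const char *cp;
    if (host == NULL || *host == '\0')
        return 0;
    total = strlen(host);
    /* total length <= 253, or 254 when the name ends with a dot */
    if (total > 254 || (total == 254 && host[253] != '.'))
        return 0;
    for (cp = host; *cp != '\0'; cp++) {
        unsigned char c = (unsigned char)*cp;
        if (c == '.') {
            if (seg == 0)       /* leading dot or empty segment */
                return 0;
            seg = 0;
            continue;
        }
        /* A segment starting with '-' or '+' could be read as an option. */
        if (seg == 0 && (c == '-' || c == '+'))
            return 0;
        /* Assumed character set: letters, digits, '-', '_'. Rejecting '/'
         * and whitespace keeps paths and extra arguments out. */
        if (!isalnum(c) && c != '-' && c != '_')
            return 0;
        if (++seg > 63)         /* RFC 1034/1035 label limit */
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample hostnames. */
    const char *samples[] = { "example.com", "-n.rhosts", "a.-b.example",
                              "+x", "a..b", "host/../x", "a-b.example." };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               host_arg_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```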

