Multiple Vendor Lynx Command Injection Vulnerability iDEFENSE Security Advisory XX.XX.05 www.idefense.com/application/poi/display?type=vulnerabilities MMM DD, 2005 I. BACKGROUND Lynx is a fully-featured WWW client for users running cursor- addressable, character-cell display devices such as vt100 terminals and terminal emulators. Lynx support a number of protocols including HTTP, HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi servers, and services accessible via log ons to telnet, tn3270 or rlogin accounts. II. DESCRIPTION Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx. III. ANALYSIS Successful exploitation of the described vulnerability allows remote attackers to execute arbitrary commands with the privileges of the underlying user. Exploitation requires that an attacker convince a target user to follow a malicious link from within a vulnerable version of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to trigger the issue. However, they are rarely compiled into the Lynx binary. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in the latest stable release of Lynx, version 2.8.5. It is suspected that earlier versions are also affected. The following vendors include susceptible Lynx packages within their respective distributions: * Red Hat Inc. * Gentoo Foundation Inc. * Mandriva SA Other vendors are suspected as also being vulnerable. The following vendors include Lynx packages that are not susceptible to exploitation as the "lynxcgi" feature is not compiled into Lynx by default: * The FreeBSD Project * OpenBSD V. WORKAROUND Disable "lynxcgi" links by specifying the following directive in lynx.cfg: TRUSTED_LYNXCGI:none VI. VENDOR RESPONSE [Quoted vendor response if available. Otherwise include vendor fix details.] VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-XXXX to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. [OR] A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 09/08/2005 Initial vendor notification XX/XX/2005 Initial vendor response XX/XX/2005 Coordinated public disclosure IX. CREDIT vade79 (http://fakehalo.us) is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email address@hidden for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.