Published:
15 July 1997
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-97.088 -- CERT Vendor-Initiated Bulletin VB-97.06 Vulnerability in Lynx Downloading 16 July 1997 =========================================================================== The CERT Coordination Center has released the following advisory concerning a vulnerability in the Lynx program. This vulnerability may allow local and remote users to execute arbitary commands with the privileges of the user of Lynx. The following security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write this document, AUSCERT has had no control over its content. As such, the decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. Contact information for this bulletin is included in the Security Bulletin below. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/information/advisories.html If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Vendor-Initiated Bulletin VB-97.06 July 15, 1997 Topic: Vulnerability in Lynx Downloading Source: Jim Spath To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Jim Spath, who coordinated this bulletin with several members of the lynx-dev mailing list. They urge you to act on this information as soon as possible. Contact information is included in the forwarded text below; please contact them if you have any questions or need further information. Questions about the bulletin only can be sent to Jim Spath <jspath@mail.bcpl.lib.md.us>; questions about Lynx can be sent to <lynx-dev@sig.net>. =======================FORWARDED TEXT STARTS HERE============================ I. Description Lynx, on Un*x systems, may be coerced to read or execute arbitrary files on the local system regardless of restrictions set by the system administrator. Installed versions of Lynx up to and including version 2.7.1 on Unix or Unix-like operating systems are vulnerable. II. Impact A. Captive Lynx installations Users of Lynx in a captive situation (where the Lynx user does not normally have access to a shell prompt, or to a menu system that allows the user to run arbitrary commands) can get access to a shell prompt. This includes public Lynxes as well as any setup where the user is restricted as to which programs can be run. B. All Lynx installations This vulnerability could also conceivably allow malicious webmasters to add these carefully crafted URLs to their pages to cause unsuspecting Lynx users (in captive accounts or otherwise) to execute arbitrary commands. This vulnerability can be exploited by anyone who can provide Lynx a carefully crafted URL. III. Workaround If administrators of captive Lynxes cannot apply the code patches or obtain updated binaries as described below, they are advised to disable (g)oto on Lynx. There is currently no workaround for impact "B" above. The code patches below must be applied (or updated binaries obtained) to eliminate this impact. IV. Solution Current developmental releases of Lynx have fixed this problem since 1997-06-26. Patches you may find from before that date may not entirely eliminate the vulnerability. The most recent stable version of Lynx (version 2.7.1) can be patched to fix this problem by replacing the file "lynx2-7-1/src/LYDownload.c" with a replacement file. The replacement file to eliminate this vulnerability in version 2.7.1 is available (courtesy of Foteos Macrides) at: http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c All systems running Lynx versions 2.7.1 or earlier should be updated to fix this problem. Two development branches of the Lynx source code are available at: http://www.slcc.edu/lynx/fote/patches/ http://www.slcc.edu/lynx/current/ Binary distributions of Lynx may be found at: http://www.crl.com/~subir/lynx/binaries.html Note that producing binaries is a volunteer job and the latest (or any) version may not be available for a specific platform. V. Contact information If you believe you have found a security problem with the current version of Lynx, we urge you to forward it to the LYNX-DEV mailing list at <lynx-dev@sig.net>. The LYNX-DEV mailing list (with further information about this vulnerability) is archived at: http://www.flora.org/lynx-dev/ Lynx security information is available at: http://www.crl.com/~subir/lynx/security.html General information about Lynx is available at: http://lynx.browser.org/ On-line help and documentation about Lynx is available using the (h)elp command. More help is available in the source distribution. Should your questions not be answered by these means, further questions may be directed to <help@lynx.browser.org>. Please don't contact Lynx developers personally about Lynx-related issues; please use either the mailing list or the "help" addresses given above. ========================FORWARDED TEXT ENDS HERE============================= If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/. We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information - - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address * Registered U.S. Patent and Trademark Office. The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U. S. Department of Defense. This file: ftp://info.cert.org/pub/cert_bulletins/VB-97.06.lynx - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBM8rJhnVP+x0t4w7BAQHskQQArmcmdCDLV3Rhj1r6AjeBdke3hlWIKKgP yzcfFFSRmOhG3D7TCJBMExE0qJ9zJZdbflt4Hss+LijNqdpdd5/BaUsaSHT2Mte4 SoaQbZol/bhJ9MsNvgcf0UtzHEo8M4unKTNrc9V+qtfvqQmsAHGJPWim6QwWD/Xa xaNFCD53yzA= =PmnA - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBM8y2nyh9+71yA2DNAQFm3gP/bD6IHUeW59/x+rrXR7Olywy6NABSjL8x qSd2yLbZ0oQtvxIVZc4tJ1+/0gm0F4PMcEs0Zt3RvW5ZNCO2YmzWWA4uaso4hOly Dyy3x3GMLoPg6Uvb6NdzCmTKdunatqoWHU9M6BYvRtCdcYAK4N9AjnRVixxMjpAV +jw40da7whg= =qFLX -----END PGP SIGNATURE-----