


Ulf Harnhammar
17/10/05, 23:45

Lynx Remote Buffer Overflow


BACKGROUND


"Lynx is a fully-featured World Wide Web (WWW) client for users
running cursor-addressable, character-cell display devices such
as vt100 terminals, vt100 emulators running on Windows 95/NT or
Macintoshes, or any other character-cell display. It will display
Hypertext Markup Language (HTML) documents containing links to files
on the local system, as well as files on remote systems running
http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers,
and services accessible via logins to telnet, tn3270 or rlogin
accounts. Current versions of Lynx run on Unix, VMS, Windows95/NT,
386DOS and OS/2 EMX."

(from the program's README file)

Lynx is available in all popular Linux distributions and *BSD ports
collections. More information can be found on the program's home
page: http://lynx.isc.org/


BUG


I have found a remote buffer overflow in Lynx. It is triggered when a
Lynx user selects a malicious link or simply visits a malicious URL.

When Lynx connects to an NNTP server to fetch information about the
available articles in a newsgroup, it calls HTrjis() on the contents
of certain article headers. HTrjis() re-inserts missing ESC characters
into that data in order to support Asian character sets that rely on
ESC-based escape sequences. However, it never checks whether it is
writing past the end of the char array buf, so attacker-supplied header
data causes a remote stack-based buffer overflow, with full control over
EIP, EBX, EBP, ESI and EDI.
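
To make the mechanism concrete, the following small C model shows the
unsafe copy next to a bounded replacement. It is an added illustration
and is not Lynx's HTrjis(), nor the patch attached to this mail: the
destination size HDR_BUFSZ, the repair rule (prepend ESC to a "$B",
"$@", "(B" or "(J" pair that lacks one), the function names and the
hostile header value are all assumptions made for the example. What it
demonstrates is that the repaired output is longer than the input, so a
check on the input length alone would still let a 60-byte header overrun
a 64-byte array; the copy itself has to be bounded by the destination
size, which the bounded variant does by stopping as soon as the next
write would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
/* Assumed destination size for the illustration; not Lynx's real array. */
#define HDR_BUFSZ 64

/* Constructed hostile header value: 30 JIS designators with their ESC
   stripped, as a malicious NNTP server might send in an article header.
   It is 60 bytes, so it would fit a 64-byte array before repair. */
const char HOSTILE_HEADER[] =
    "$B$B$B$B$B$B$B$B$B$B"
    "$B$B$B$B$B$B$B$B$B$B"
    "$B$B$B$B$B$B$B$B$B$B";   /* 60 bytes in, 90 bytes out */

/* Assumed repair rule: a two-byte JIS designator at p that is not already
   preceded by ESC gets one inserted in front of it. */
static int needs_esc(const char *p, const char *start)
{
    int designator = (p[0] == '$' && (p[1] == 'B' || p[1] == '@'))
                  || (p[0] == '(' && (p[1] == 'B' || p[1] == 'J'));
    return designator && (p == start || p[-1] != ESC);
}

/* Dry run of the unchecked copy: bytes it would emit, NUL excluded.
   Every inserted ESC makes the output longer than the input. */
size_t rjis_output_len(const char *src)
{
    size_t n = 0;
    for (const char *p = src; *p; p++)
        n += needs_esc(p, src) ? 2 : 1;
    return n;
}

/* 1 if an unchecked copy of src (plus its NUL) would run past bufsz bytes. */
int rjis_would_overflow(const char *src, size_t bufsz)
{
    return rjis_output_len(src) + 1 > bufsz;
}

/* Bounded copy in the spirit of the fix described in the advisory: stop as
   soon as the next unit (ESC+char or char) plus the NUL would not fit.
   Returns bytes written (NUL excluded) and reports truncation. */
size_t rjis_copy_bounded(char *dst, size_t dstsz, const char *src, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    if (dstsz == 0) { *truncated = 1; return 0; }
    for (const char *p = src; *p; p++) {
        size_t need = needs_esc(p, src) ? 2 : 1;
        if (n + need + 1 > dstsz) { *truncated = 1; break; }
        if (need == 2) dst[n++] = ESC;
        dst[n++] = *p;
    }
    dst[n] = '\0';
    return n;
}

/* Copy src into a HDR_BUFSZ array sitting in front of a canary; return the
   bytes written, or -1 if the canary or the NUL terminator was disturbed. */
int bounded_copy_len(const char *src)
{
    struct { char buf[HDR_BUFSZ]; unsigned canary; } frame = { {0}, 0xdeadbeefu };
    int trunc;
    size_t n = rjis_copy_bounded(frame.buf, sizeof frame.buf, src, &trunc);
    if (frame.canary != 0xdeadbeefu || n >= sizeof frame.buf || frame.buf[n] != '\0')
        return -1;
    return (int)n;
}

/* Truncation flag of the bounded copy into a HDR_BUFSZ array. */
int bounded_copy_truncated(const char *src)
{
    char buf[HDR_BUFSZ];
    int trunc;
    rjis_copy_bounded(buf, sizeof buf, src, &trunc);
    return trunc;
}

int main(void)
{
    printf("input %zu bytes, unchecked copy would write %zu+1 bytes into %d: %s\n",
           strlen(HOSTILE_HEADER), rjis_output_len(HOSTILE_HEADER), HDR_BUFSZ,
           rjis_would_overflow(HOSTILE_HEADER, HDR_BUFSZ) ? "OVERFLOW" : "fits");
    printf("bounded copy wrote %d bytes, truncated=%d\n",
           bounded_copy_len(HOSTILE_HEADER), bounded_copy_truncated(HOSTILE_HEADER));
    return 0;
}
```

Compile with `cc -Wall` and run it: the dry run reports 90 output bytes
for the 60-byte header, which is why a 64-byte destination is overrun
even though the raw header would have fit; the bounded copy fills the
array with 63 bytes plus the terminator and flags the truncation instead
of writing past the end. Truncating a header is the right trade-off
here, since the data only feeds a listing of articles and the
alternative is attacker-controlled stack corruption.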

Two attack vectors to make a victim visit a URL to a dangerous
news server are: (a) *links in web pages*, where the victim visits
some web page and selects a link on the page to a malicious URL,
and (b) *redirecting scripts*, where the victim visits a URL and
it redirects automatically to a malicious URL. Attack vector (a)
is helped by the fact that Lynx does not automatically display
where links lead to, unlike many graphical web browsers.

A victim is in danger when his or her Lynx session is forced to
visit a URL of the types "nntp://some.news.server/group.name" or
"news:group.name", and the server that Lynx connects to must send
back article headers with certain malicious data. It may be possible
to make real news servers distribute such articles without technical
problems, but that has not been tested.

The vulnerable versions are at least 2.8.5, 2.8.6dev.13, 2.8.4
and 2.8.3. (2.8.2 is apparently also vulnerable to a slightly
different attack.)

The bug has the identifier CAN-2005-3120 (the CVE candidate number,
now CVE-2005-3120).


TESTING AND PATCHING


I have attached a malicious NNTP server that exhibits this
problem. (As noted above, it might be possible to exploit
this issue through legitimate news servers as well.) You just
run this server, then you start Lynx with a URL of the type
"nntp://malicious.server/group.name", and Lynx will crash
immediately.

To test the attack vectors, I have also included a redirecting
script and a web page with a link to a malicious server.

Finally, I have attached a patch for this issue. It just stops
copying when it comes close to the end of the array.

The bug was reported to the Lynx developers and to the vendor-sec
mailing list, and the 17th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/

[ I would love to audit free/open source software for a living, so
please e-mail any job offers to: metaur@telia.com ]


[Attachment: lynx-data.zip (base64-encoded in the original mail; the
encoded data is not reproduced here). The archive contains link.html
(the web page with a link to the malicious server), lynx-nntp-server.pl
(the malicious NNTP server), lynx.security.patch (the fix) and redir.php
(the redirecting script).]