
Draft CERT bulletin (was Re: LYNX-DEV security.html)


From: Jim Spath (Webmaster Jim)
Subject: Draft CERT bulletin (was Re: LYNX-DEV security.html)
Date: Mon, 7 Jul 1997 16:56:00 -0400 (EDT)

On Mon, 7 Jul 1997, Jonathan Sergent wrote:

> Fote's version is better than the one at the URL I posted earlier,
> so I'm getting rid of that one.  Subir should probably pick a
> copy of it up.
> 
> Does anyone have any opinions as to what email address should be
> listed at the bottom?  It seems like LYNX-DEV would be appropriate
> but we don't want security info going into the bit bucket for non-
> subscribers.

Yes, use lynx-dev...  I've reformatted the above html a bit so it can be
distributed as text CERT bulletins.  Please review the *two* parts below
before I pass them on to CERT (I've appointed myself go-between :0) 

=========================================================================

I. Description

Lynx will follow symlinks in /tmp when opening temp files.  All systems that
support symlinks are vulnerable.

Installed versions of Lynx where the /tmp directory is used to store files
during download are vulnerable.  The filename Lynx chooses can be predicted,
and another user on the system may be able to exploit a race condition to
replace the temporary file with a symbolic link (or any other file).


II. Impact

A malicious user with access to the same machine as other Lynx users may be
able to cause another user's Lynx process to overwrite another file on the
system (in the user's home directory, for example). The file overwritten
could potentially be one containing important information or a file such as
.rhosts (if the file being downloaded was rigged correctly, the attacker
could log in to the account without a password) or .profile (causing possibly
dangerous commands to be executed by the user when he/she next logs in).


III. Workaround

Sites which are concerned with this problem are advised to change the setting
of TEMP_SPACE from the default ("/tmp") to "~" to cause temporary files to
be put in the user's home directory. This may cause problems for users with
unwriteable home directories (such as captive or public accounts) or users
with low quotas. This may be done in two ways:

1. Lynx can be rebuilt with the "#define TEMP_SPACE" in
   lynx2-7-1/userdefs.h changed from "/tmp" to "~".

2. The LYNX_TEMP_SPACE environment variable may be set in the
   shell startup files (.profile, .cshrc, or equivalent) or in
   the system profile (/etc/profile or equivalent).

Individual users may also set the LYNX_TEMP_SPACE environment variable to
point to another place known to be unwriteable by other users (for instance
a subdirectory of the users' home directory, or a mode 0700 directory of a
"sticky" /tmp).

Solution

The next release of Lynx will contain a permanent (and complete) fix to this
problem.

References

1.  http://www.tryc.on.ca/hypermail/security.11/0004.html
2.  http://www.flora.org/lynx-dev/html/month0597/msg00501.html

Contact

If you believe you have found a security problem with lynx that is not
listed here, please forward it to <address@hidden>.


=======================================================================
I. Description

Lynx will allow a user to substitute arbitrary filenames during a download,
so that users could read or write files on write systems that would
otherwise not be available.

Installed versions of Lynx where anonymous users can execute the Lynx
binary and issue the "GOTO URL" command are vulnerable.


II. Impact

This allows users of Lynx in a captive situation (where the Lynx user does
not normally have access to a shell prompt, or to a menu system that allows
the user to run arbitrary commands) to get access to a shell prompt. This
includes public Lynxes as well as situations in which users are restricted
to a menu interface of some sort with Lynx.

This vulnerability can be exploited by anyone who can provide Lynx a carefully
crafted URL. This can be done from the G'oto prompt, or by activating the
URL on a world wide web page. The user can launch a shell on the machine
running Lynx.

This could also conceivably allow malicious webmasters to add these carefully
crafted URLs to their pages to cause unsuspecting Lynx users (in captive
accounts or otherwise) to execute arbitrary commands.

Workaround

Administrators of captive Lynxes are advised to disable g'oto on their Lynxes
till a final patch set to fix this problem is available. This does not
disallow the user from selecting a pseudo-URL of the proper form that someone
has added inside an anchor on another page.


Solution

Lynx2-7-1 can be patched to fix the obvious hole.  Two later versions of Lynx
(Fotemods and autoconfigure-0.30) are already patched.  Current versions of
Lynx can be found at:

http://www.slcc.edu/lynx/fote/
http://www.slcc.edu/lynx/current/

References

http://www.flora.org/lynx-dev/html/month0697/msg00250.html
http://www.flora.org/lynx-dev/html/month0697/msg00234.html

Contact

If you believe you have found a security problem with Lynx that is not
listed here, please forward it to <address@hidden>.

======================================================================

------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
How do you think I feel?
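The following is an added illustration of the temp-file problem in the first bulletin and of its mode-0700 workaround; it is example code written for this page, not Lynx source or anything from the bulletin. Function names, the demo directory under /tmp and the planted filenames are all constructed for the demonstration.

```c
/* Added example (not Lynx code): hardened temp-file opening plus a check
 * that a chosen TEMP_SPACE directory is private to the calling user. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if dir is owned by the caller and not writable by group or others
 * (a mode 0700 directory, as the workaround recommends), else 0. */
int tempdir_is_private(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open path for writing only if nothing exists there yet. O_CREAT|O_EXCL
 * makes the kernel refuse (EEXIST) when anything, including a planted
 * symlink, already sits at that name, so a predictable name can no longer
 * be hijacked between choosing it and opening it. Returns fd or -1. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check on a constructed scenario: a fresh private directory, a symlink
 * planted at a predictable name, then the hardened open on both names.
 * Returns 0 when every step passes, otherwise the number of the failed step. */
int run_demo(void) {
    char dir[] = "/tmp/lynxdemo-XXXXXX";       /* constructed; mkdtemp -> 0700 */
    if (mkdtemp(dir) == NULL) return 1;
    char planted[64], fresh[64];
    snprintf(planted, sizeof planted, "%s/L1234.html", dir);
    snprintf(fresh, sizeof fresh, "%s/L5678.html", dir);
    int rc = 0, fd = -1;
    struct stat st;
    if (!tempdir_is_private(dir)) rc = 2;
    else if (symlink("/dev/null", planted) != 0) rc = 3;
    else if ((fd = open_exclusive(planted)) != -1
             || (errno != EEXIST && errno != ELOOP)) rc = 4; /* must be refused */
    else if ((fd = open_exclusive(fresh)) < 0 || fstat(fd, &st) != 0) rc = 5;
    else if (!S_ISREG(st.st_mode) || (st.st_mode & 0777) != 0600) rc = 6;
    if (fd >= 0) close(fd);
    unlink(planted); unlink(fresh); rmdir(dir);
    return rc;
}
```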

