Re: LYNX-DEV System Compromised via Lynx
From: Bela Lubkin
Subject: Re: LYNX-DEV System Compromised via Lynx
Date: Sun, 20 Apr 1997 20:16:37 -0700
Chuck Hamer wrote:
> I administer a unix system (hp9000 D-Class; HPUX 10.01) that functions
> both as a news server and as a system from which lynx can be run
> by students in campus libraries.
>
> I just discovered a ".crack" directory in the lynx client home
> directory. This directory contains the crack v4.1 package as well as
> a password file on which cracking had been attempted. Earlier this year
> I was contacted by a sys admin at Princeton University who said that
> several machines at Princeton had been compromised by a user on this
> same machine.
>
> What I am trying to figure out is how the person who created the
> .crack directory was able to do this.
>
> The situation:
>
>  ----------     ----------------           ------------------
> | Terminal |---| Telnet Gateway |---LAN---| Lynx client host |
>  ----------     ----------------           ------------------
>
> Students obtain access to lynx via a menu item on the telnet gateway.
> When they select lynx, the telnet gateway telnets to the lynx client
> host and logs in (login: l-client). The telnet gateway does all
> the telnet and login processing and the user receives a "homepage"
> via lynx.
>
> Note: The l-client account does not have a password. The system is
> set up such that when a user logs in, lynx is run instead of
> a shell. When the user quits lynx he is logged out of the
> system. I thought that this type of approach would prevent
> escaping to a shell.
Exactly how is this implemented? The problem may actually have nothing
to do with Lynx. There are ways to set up a secure account, and ways
that don't work, and you haven't given any real information on how you
did it.
> Another Note: There are NO user shell accounts on this system. The
> only non-system users are news (Usenet), l-client (lynx),
> g-client (gopher), and root. I should be the only user
> able to log in (as root) and obtain a shell account.
>
> What I'm trying to figure out is how a lynx user was able to escape
> to a shell and install crack on this machine. Since you are the
> lynx experts, I was hoping you might be able to provide some pointers.
If it *is* a Lynx problem, the first question is: what version of Lynx?
Second: how are you invoking it (what command-line arguments)? What
special measures have you taken in your lynx.cfg and .lynxrc, to prevent
shell escapes?
If you took no special measures, the answer is:
The user used your telnet mechanism, got into Lynx, then hit "!",
which gave him a shell prompt, Just Like It Was Supposed To.
>Bela<
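The questions in the reply above (which command-line arguments, what measures against shell escapes) can be checked mechanically. The following is an added example, not part of the original message: it audits the command a kiosk account runs for Lynx's `-anonymous` or `-restrictions=` options, which are real Lynx options not named in this thread. The account names `l-client2` and `l-client3`, the paths, the URL and the `account:command` input format are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag kiosk accounts whose Lynx command line leaves the
# "!" shell escape enabled. Sample data below is constructed.

# Exit status 0 if the lynx command line in $1 disables shell escapes.
# The body runs in a subshell so set -f and IFS changes stay local.
lynx_shell_restricted() (
    set -f                          # no glob expansion while word-splitting
    for arg in $1; do
        case "$arg" in
            -anonymous)             # applies the "default" restriction set
                exit 0 ;;
            -restrictions=*)
                IFS=,               # the value is a comma-separated list
                for r in ${arg#-restrictions=}; do
                    case "$r" in
                        shell|default|all) exit 0 ;;
                    esac
                done ;;
        esac
    done
    exit 1
)

# Read "account:command" lines on stdin and print each account that runs
# lynx without a restriction covering the shell escape.
unrestricted_accounts() {
    while IFS=: read -r account cmd; do
        case "$cmd" in
            *lynx*) lynx_shell_restricted "$cmd" || printf '%s\n' "$account" ;;
        esac
    done
}

# Constructed sample: hypothetical login commands for kiosk accounts.
SAMPLE='l-client:/usr/local/bin/lynx http://www.example.edu/
g-client:/usr/local/bin/gopher
l-client2:/usr/local/bin/lynx -restrictions=shell,editor http://www.example.edu/
l-client3:/usr/local/bin/lynx -anonymous http://www.example.edu/'

printf '%s\n' "$SAMPLE" | unrestricted_accounts
```

A clean result only covers the command line; restrictions set elsewhere, or an account setup that is insecure for reasons unrelated to Lynx, are outside what this check sees.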