Re: LYNX-DEV Alleged Lynx security emergency
From: Jonathan Sergent
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Tue, 01 Jul 1997 15:30:49 -0500

Fote wrote:
] No. The vanilla code assumes that the value of File= will
] be that of its temporary file, and doesn't do anything with it. It
] cleans up the value of SugFile= as accepted or modified by the user
] at the prompt for an output filename.

I thought that was what I said. It's certainly what I thought [I
read through the fotemods LYDownload, the "vanilla" LYDownload,
and quote_pathname().]

] There seems to be more to it than what you and Wayne are claiming
] about it being equivalent to a script entered on the command line. For
] example, the LYK_SHELL command on Unix uses system("exec $SHELL"); and
] that works cleanly. The posted spoofing LYNXDOWNLOAD URL ends up with
] system("/bin/cp /dev/null;/bin/sh; /dev/null"); and it causes /dev/null
] to be replaced with a real, empty file (no longer symbolic) even though
] the account running Lynx doesn't have privileges to do that. Also, the
] invoked shell has strange terminal characteristics, which you can almost
] but not quite clean up with ^Jstty sane^J^J. When I tried a spoofing URL
] which yields system("/bin/cp foo bar;exec $SHELL; bar"); where foo
] exists so there is no cp error, it still gave me a shell with strange
] terminal characteristics.

The strange terminal characteristics are set by curses...

I was thinking along the lines of File=;/bin/sh;,
SugFile="hello my name is bob" [or whatever].
If you were a purist you could do File=;stty sane;/bin/sh;stty raw;
as well. [Haven't tried it, should work though]

As far as /dev/null disappearing, sol seems to be the
only machine on which people say this happens. I've tried it on
HP-UX and on Solaris 2.5 and it doesn't happen. I'd try it on 2.4
to prove that it wasn't the OS but the machine, but I no longer have
accounts on any hosts with 2.4 (they're all 2.5 or 2.3 at Purdue).
I suggest you check the permissions of the /dev directory itself
on sol, they should be 0755 obviously.

The code that Wayne pointed out must be what's killing /dev/null
for some of you. Having a writeable /dev/null directory is somewhat
dangerous...

] You're also confusing the File= value with the command for the
] download option based on the Method= value. In the case of -1, it's
] COPY_PATH, defined in userdefs.h as /bin/cp (for the vanilla and
] fotemods code). In the case of 0 to n, it's the command or script
] defined for DOWNLOADER: in lynx.cfg. The File= and "cleaned-up"
] SugFile= values follow those, to act as arguments for the command.

I realize that /bin/cp (for method<0) is different from the
downloader definitions, but I was saying that we can't get rid
of system() altogether because the downloaders (I guess the
printers too) still need it...

Still, I think the right way to fix this problem is:

    execl("/bin/cp", "cp", File, SugFile, (char *)0); /* Substitute proper variables. */

which doesn't start up an sh at any point in time if I'm not mistaken.

...
I wonder if any of the O)ptions or any environment variables [possibly
set via telnet / telnetd, read the manual page for info on how to do this]
can be modified to get a shell in a similar manner.
--jss.
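
Added example (not part of the original message or of the Lynx source): the shell-free copy suggested above, written as fork() plus execl() with argv[0] supplied, and run on constructed filenames in a scratch directory to show that ';' stays a filename byte. copy_no_shell() and demo() are hypothetical names; COPY_PATH takes the /bin/cp value quoted in the message.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define COPY_PATH "/bin/cp"   /* value the message quotes from userdefs.h */

/* Copy src to dst without a shell: each string is exactly one argv entry,
 * so ';' and spaces in it are filename bytes, not command separators.
 * Returns cp's exit status, or -1 if the child could not be run. */
int copy_no_shell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a name starting with '-' is not a flag */
        execl(COPY_PATH, "cp", "--", src, dst, (char *)NULL);
        _exit(127);               /* only reached if execl() itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed demo: returns 0 when the hostile-looking names stayed literal. */
int demo(void)
{
    char dir[64];
    struct stat st;
    FILE *fp;

    snprintf(dir, sizeof dir, "/tmp/lynxcp.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 || chdir(dir) != 0)   /* private scratch dir */
        return -1;
    if ((fp = fopen("foo", "w")) == NULL)
        return -1;
    fputs("page body\n", fp);
    fclose(fp);

    if (copy_no_shell("foo", "bar;touch injected;") != 0) return 1; /* copy works  */
    if (stat("bar;touch injected;", &st) != 0) return 2; /* odd name is a file     */
    if (stat("injected", &st) == 0) return 3;            /* no command was run     */
    if (copy_no_shell(";/bin/sh;", "bar") == 0) return 4; /* just a missing source */
    return 0;
}

int main(void) { return demo(); }
```

The downloader and printer commands mentioned above would need the same treatment (an argv array built per command) before system() could be dropped for them too.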