<<< Date Index >>>     <<< Thread Index >>>

Lynx Remote Buffer Overflow



Lynx Remote Buffer Overflow


BACKGROUND


"Lynx is a fully-featured World Wide Web (WWW) client for users
running cursor-addressable, character-cell display devices such
as vt100 terminals, vt100 emulators running on Windows 95/NT or
Macintoshes, or any other character-cell display. It will display
Hypertext Markup Language (HTML) documents containing links to files
on the local system, as well as files on remote systems running
http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers,
and services accessible via logins to telnet, tn3270 or rlogin
accounts. Current versions of Lynx run on Unix, VMS, Windows95/NT,
386DOS and OS/2 EMX."

(from the program's README file)

Lynx is available in all popular Linux distributions and *BSD ports
collections. More information can be found on the program's home
page:  http://lynx.isc.org/


BUG


I have found a remote buffer overflow in Lynx. It occurs when a
Lynx user selects malicious links or simply visits malicious URLs!

When Lynx connects to an NNTP server to fetch information about the
available articles in a newsgroup, it will call a function called
HTrjis() with the information from certain article headers. The
function adds missing ESC characters to certain data, to support
Asian character sets. However, it does not check if it writes outside
of the char array buf, and that causes a remote stack-based buffer
overflow, with full control over EIP, EBX, EBP, ESI and EDI.

Two attack vectors to make a victim visit a URL to a dangerous
news server are: (a) *links in web pages*, where the victim visits
some web page and selects a link on the page to a malicious URL,
and (b) *redirecting scripts*, where the victim visits a URL and
it redirects automatically to a malicious URL. Attack vector (a)
is helped by the fact that Lynx does not automatically display
where links lead to, unlike many graphical web browsers.

A victim is in danger when his or her Lynx session is forced to
visit a URL of the types "nntp://some.news.server/group.name"; or
"news:group.name";, and the server that Lynx connects to must send
back article headers with certain malicious data. It may be possible
to make real news servers distribute such articles without technical
problems, but that has not been tested.

The vulnerable versions are at least 2.8.5, 2.8.6dev.13, 2.8.4
and 2.8.3. (2.8.2 is apparently also vulnerable to a slightly
different attack.)

The bug has the identifier CAN-2005-3120.


TESTING AND PATCHING


I have attached a malicious NNTP server that exhibits this
problem. (As noted above, it might be possible to exploit
this issue through legitimate news servers as well.) You just
run this server, then you start Lynx with a URL of the type
"nntp://malicious.server/group.name";, and Lynx will crash
immediately.

To test the attack vectors, I have also included a redirecting
script and a web page with a link to a malicious server.

Finally, I have attached a patch for this issue. It just stops
copying when it comes close to the end of the array.

The bug was reported to the Lynx developers and to the vendor-sec
mailing list, and the 17th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

[ I would love to audit free/open source software for a living, so
  please e-mail any job offers to: metaur@xxxxxxxxx ]

Attachment: lynx-data.zip
Description: Zip archive