Lynx Remote Buffer Overflow BACKGROUND "Lynx is a fully-featured World Wide Web (WWW) client for users running cursor-addressable, character-cell display devices such as vt100 terminals, vt100 emulators running on Windows 95/NT or Macintoshes, or any other character-cell display. It will display Hypertext Markup Language (HTML) documents containing links to files on the local system, as well as files on remote systems running http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers, and services accessible via logins to telnet, tn3270 or rlogin accounts. Current versions of Lynx run on Unix, VMS, Windows95/NT, 386DOS and OS/2 EMX." (from the program's README file) Lynx is available in all popular Linux distributions and *BSD ports collections. More information can be found on the program's home page: http://lynx.isc.org/ BUG I have found a remote buffer overflow in Lynx. It occurs when a Lynx user selects malicious links or simply visits malicious URLs! When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL, and (b) *redirecting scripts*, where the victim visits a URL and it redirects automatically to a malicious URL. Attack vector (a) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. A victim is in danger when his or her Lynx session is forced to visit a URL of the types "nntp://some.news.server/group.name"; or "news:group.name";, and the server that Lynx connects to must send back article headers with certain malicious data. It may be possible to make real news servers distribute such articles without technical problems, but that has not been tested. The vulnerable versions are at least 2.8.5, 2.8.6dev.13, 2.8.4 and 2.8.3. (2.8.2 is apparently also vulnerable to a slightly different attack.) The bug has the identifier CAN-2005-3120. TESTING AND PATCHING I have attached a malicious NNTP server that exhibits this problem. (As noted above, it might be possible to exploit this issue through legitimate news servers as well.) You just run this server, then you start Lynx with a URL of the type "nntp://malicious.server/group.name";, and Lynx will crash immediately. To test the attack vectors, I have also included a redirecting script and a web page with a link to a malicious server. Finally, I have attached a patch for this issue. It just stops copying when it comes close to the end of the array. The bug was reported to the Lynx developers and to the vendor-sec mailing list, and the 17th of October was agreed upon as the release date. // Ulf Harnhammar for the Debian Security Audit Project http://www.debian.org/security/audit/ [ I would love to audit free/open source software for a living, so please e-mail any job offers to: metaur@xxxxxxxxx ]
Attachment:
lynx-data.zip
Description: Zip archive