From labs-no-reply@idefense.com Fri Nov 11 11:47:02 2005 From: "labs-no-reply@idefense.com" To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Date: Fri, 11 Nov 2005 11:45:05 -0500 Subject: [Full-disclosure] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability Multiple Vendor Lynx Command Injection Vulnerability iDefense Security Advisory 11.11.05 www.idefense.com/application/poi/display?id=338&type=vulnerabilities November 11, 2005 I. BACKGROUND Lynx is a fully-featured WWW client for users running cursor- addressable, character-cell display devices such as vt100 terminals and terminal emulators. Lynx support a number of protocols including HTTP, HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi servers, and services accessible via logons to telnet, tn3270 or rlogin accounts. II. DESCRIPTION Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx. III. ANALYSIS Successful exploitation of the described vulnerability allows remote attackers to execute arbitrary commands with the privileges of the underlying user. Exploitation requires that an attacker convince a target user to follow a malicious link from within a vulnerable version of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to trigger the issue. However, they are rarely compiled into the Lynx binary. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in the latest stable release of Lynx, version 2.8.5. It is suspected that earlier versions are also affected. The following vendors include susceptible Lynx packages within their respective distributions: * Red Hat Inc. * Gentoo Foundation Inc. * Mandriva SA Other vendors are suspected as also being vulnerable. The following vendors include Lynx packages that are not susceptible to exploitation as the "lynxcgi" feature is not compiled into Lynx by default: * The FreeBSD Project * OpenBSD V. WORKAROUND Disable "lynxcgi" links by specifying the following directive in lynx.cfg: TRUSTED_LYNXCGI:none VI. VENDOR RESPONSE Development version 2.8.6dev.15 has been released to address this issue and is available from the following URLs: http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz http://lynx.isc.org/current/lynx2.8.6dev.15.zip Alternately, an incremental patch is available at: http://lynx.isc.org/current/2.8.6dev.15.patch.gz VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-2929 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 10/27/2005 Initial vendor notification 10/28/2005 Initial vendor response 11/11/2005 Public disclosure IX. CREDIT vade79 (http://fakehalo.us) is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/