[23633] in bugtraq


Lynx format string vulnerability in URL logging.

daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Thu Dec 27 14:06:33 2001

Date: Thu, 27 Dec 2001 12:23:01 -0500 (EST)
From: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
To: <bugtraq@securityfocus.com>
In-Reply-To: <20011227101620.K71086-100000@vapid.dhs.org>
Message-ID: <20011227122229.A71907-100000@vapid.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The vendor has been notified, but since this is a low risk I am
releasing early.


				Vapid Labs
			    Larry W. Cashdollar
				Bug Report

Summary: lynx has a format string vulnerability in LYUtils.c line 7995 due
	 to a bad call to syslog(), where the format argument is omitted.

Risk: Low

Version: Lynx compiled from FreeBSD ports collection.  Also tested in
2.8.5dev.5.gz

[larryc@harod ~ $] lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
Built on freebsd4.4 Dec 25 2001 23:04:31


Details:

line 7995 in LYUtils.c reads:
syslog (LOG_INFO|LOG_LOCAL5, buf);

The reason this is low priority is the bug can only be triggered if
syslogging URLs is enabled.
(./configure --enable-syslog)

Exploit:

The following url triggers the bug:

[larryc@harod ~ $] lynx http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80

Results in the following logged to syslog.

Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80

Fix:

line 7995:
- -syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);
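
Review bot: the fix locates the call only by "line 7995:", with no file
header or context lines, while the report covers both 2.8.4rel.1 and
2.8.5dev.5, where that line number need not match. A unified diff against
LYUtils.c with surrounding context would apply to either tree. The "%s"
form itself is correct for this call; any other syslog() call that passes
a variable as its format argument needs the same change.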


Larry W. Cashdollar
http://vapid.dhs.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8K1iX1hSQ6Gxh/KoRAiiXAJ9y89t6QYewx2tCiHT8JwsplvLMsgCfQBDD
mrfnwVrdUUNRaKLdGIOtWfI=
=sNDc
-----END PGP SIGNATURE-----
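
An audit aid for the bug class in the advisory above, added here as an example (not part of the original post and not Lynx code): it flags syslog() calls whose format argument is not a string literal. The sample source is constructed around the two call forms quoted in the post; the function names are hypothetical.

```python
import re

# Constructed sample: the vulnerable and fixed calls quoted in the advisory,
# plus a call whose literal format contains commas and parentheses.
SAMPLE = '''\
void log_url(char *buf, int n) {
    syslog (LOG_INFO|LOG_LOCAL5, buf);
    syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);
    syslog(LOG_ERR, "fetched %d bytes, (%s)", n, buf);
}
'''

CALL = re.compile(r'\bsyslog\s*\(')
STRING = re.compile(r'"(?:\\.|[^"\\])*"')  # C string literal with escapes

def split_args(src, masked, start):
    """Slice the argument list that opens just before `start`; `masked` is
    `src` with string-literal contents blanked so they cannot split it."""
    args, depth, begin = [], 0, start
    for i in range(start, len(masked)):
        ch = masked[i]
        if ch == '(':
            depth += 1
        elif ch == ')' and depth > 0:
            depth -= 1
        elif ch == ')' or (ch == ',' and depth == 0):
            args.append(src[begin:i].strip())
            if ch == ')':
                return args
            begin = i + 1
    return None  # unterminated call

def find_nonliteral_syslog(src):
    """Return (line, format_argument) for every syslog() call whose second
    argument does not start with a string literal."""
    # Same-length masking keeps offsets in `masked` valid for `src`.
    # Limitation: comments and character literals are not parsed.
    masked = STRING.sub(lambda m: '"' + '_' * (len(m.group()) - 2) + '"', src)
    hits = []
    for m in CALL.finditer(masked):
        args = split_args(src, masked, m.end())
        if args and len(args) >= 2 and not args[1].startswith('"'):
            hits.append((src.count('\n', 0, m.start()) + 1, args[1]))
    return hits

if __name__ == '__main__':
    for line, fmt in find_nonliteral_syslog(SAMPLE):
        print(f'line {line}: format argument is not a literal: {fmt}')
```

GCC's -Wformat-security reports the same pattern at compile time when syslog() is declared with a printf format attribute.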

