Security related issues in Lynx versions through 2-7-1

CERT Advisories

• VB-97.06.lynx (Vulnerability in Lynx Downloading)
• VB-97.05.lynx (Vulnerability in Lynx Temporary Files)

Captive Lynx Accounts

Description

A vulnerability in Lynx has recently been brought to the notice of the Lynx-Dev list. This vulnerability permits a user of Lynx to execute arbitrary commands on the machine running Lynx.

Versions affected

All Un*x versions of Lynx through 2.7.1 are vulnerable.

Impact

This allows users of Lynx in a captive situation (where the Lynx user does not normally have access to a shell prompt, or to a menu system that allows the user to run arbitrary commands) to get access to a shell prompt. This includes public Lynxes as well as situations in which users are restricted to a menu interface of some sort with Lynx.

This vulnerability can be exploited by anyone who can provide Lynx a carefully crafted URL. This can be done from the G'oto prompt, or by activating the URL on a world wide web page. The user can launch a shell on the machine running Lynx.

This could also conceivably allow malicious webmasters to add these carefully crafted URLs to their pages to cause unsuspecting Lynx users (in captive accounts or otherwise) to execute arbitrary commands.

Workaround

Administrators of captive Lynxes are advised to disable g'oto on their Lynxes till a final patch set to fix this problem is available. This does not disallow the user from selecting a pseudo-URL of the proper form that someone has added inside an anchor on another page.

Another workaround for public Lynxes is to run lynx from a so-called chroot jail.

Solution

A preliminary patch can be found at: http://www.slcc.edu/lynx/fote/patches/ -- read the FOTEMODS entries for 1997-06-24 and 1997-06-26 for details. Lynx 2.8 fixes this problem.

References

• LYNX-DEV fotemods.zip update (Re: CERT VU#5135), Fote's summary of the preliminary patch.
• First report of this problem

Use of /tmp for temporary downloads

Description

On Un*x operating systems, Lynx uses /tmp to store files during downloads. The filename Lynx chooses can be predicted, and another user on the system may be able to exploit a race condition to replace the temporary file with a symbolic link (or any other file).

Versions affected

All Un*x versions of Lynx through 2.7.1 are affected.

Impact

A malicious user with access to the same machine as other lynx users may be able to cause another user's Lynx process to overwrite another file on the system (in the user's home directory, for example). The file overwritten could potentially be one containing important information or a file such as .rhosts (if the file being downloaded was rigged correctly, the attacker could log in to the account without a password) or .profile (causing possibly dangerous commands to be executed by the user when he/she next logs in).

Workaround

Sites which are concerned with this problem are advised to change the setting of TEMP_SPACE from the default ("/tmp") to "~" to cause temporary files to be put in the user's home directory. This may cause problems for users with unwriteable home directories (such as captive or public accounts) or users with low quotas. This may be done in two ways:

1. Lynx can be rebuilt with the "#define TEMP_SPACE" in lynx2-7-1/userdefs.h changed from "/tmp" to "~".
2. The LYNX_TEMP_SPACE environment variable may be set before lynx is run. This can either be put in individual users' shell startup files (.profile, .cshrc, or equivalent) or into the system profile (/etc/profile or equivalent).

Individual users may also set the LYNX_TEMP_SPACE environment variable to point to another place known to be unwriteable by other users (for instance a subdirectory of the users' home directory, or a mode 0700 directory of a "sticky" /tmp).

Solution

A preliminary patch can be found at: http://www.slcc.edu/lynx/klaus/temp/. This patch is preliminary (i.e. alpha quality) and may break certain Lynx functions; it may also not completely fix the problem. Lynx 2.8 has a complete fix for this problem.

References

• A vulnerability in Lynx (all versions) First report of this problem. (from the <best-of-security@suburbia.net> mailing list)
• LYNX-DEV Re: ...vulnerability in Lynx - code Klaus Weide's post announcing his patch to fix this problem.

Older versions of Lynx

Other security problems applying to captive environments have been found with lynx at various times in the past. Various other bugs are fixed in Lynx 2.7.1 and the developmental code sets. All Lynx users are advised to upgrade to Lynx 2.8 if at all possible.

Problems not listed here.

If you believe you have found a security problem with lynx that is not listed here, please forward it to lynx-dev@gnu.org.

This document was prepared by Jonathan Sergent <sergent@csociety.purdue.edu>