// This message hasn't been sent to lynx-dev list, as it requires // subscription for sending bugreports. Sorry for that. Since 2.7 releases (?), lynx has mechanisms to avoid spoofed 'special URLs'. It's designed to protect lusers from malicious, internal pseudo-protocols like LYNXDIRED://, LYNXDOWNLOAD://, LYNXPRINT:// etc, inserted by those little, evil, hacking boys and girls, into external html documents. These protocols should be allowed only within internal lynx pages, like 'Download Options', 'File Management Options' and so on - these pages are rendered in /tmp (unless $LYNX_TEMP_SPACE is set) and displayed just like normal html (this solution not for the first time brings several security problems, but probably is quite convenient). Unfortunately, mechanism offered to classify html as 'external' (where special URLs are not allowed) or 'internal' (where special URLs *are* allowed) is rather... funny ;) Take a look at this code in LYMainLoop.c: [...] (!strncmp(links[curdoc.link].lname, "LYNXDOWNLOAD:", 13) && strcmp((curdoc.title ? curdoc.title : ""), DOWNLOAD_OPTIONS_TITLE)) || (!strncmp(links[curdoc.link].lname, "LYNXHIST:", 9) && strcmp((curdoc.title ? curdoc.title : ""), HISTORY_PAGE_TITLE) && [...] Hmm?! Classification is done by... veryfying title of web page! Aghrr... Somewhat better checks are done for LYNXDIRED://, good luck (location of displayed file is verified as well - secure as long as $LYNX_SAVE_SPACE isn't set). Fortunately, most of LYNX*:// requests require user interaction/confirmation, but it's pretty dangerous, anyway, as we can access internal mechanisms, not designed to be called from nowhere except internal pages (hmm, what about overflows and lacks of security checks? at least NULL-pointer SEGVs are possible). Another issue is LYNXOPTIONS:// protocol. In sources, we can read about 'paranoid security' when veryfying form submitted to LYNXOPTIONS:// location. This form contains complete lynx runtime setup, usually configured within 'Lynx Options' page - you can invoke it with "O" key. 'Paranoid security' is done by inserting hidden value called "secure" into this form. Value is calculated in very-special-and-secure-way - by calling time(NULL) (*SIGH!*). Attack is quite easy with local access (another lusers and root are possible victims). All you have to do is create evil webpage (in our example, A.html). In it, ask websurfer to check something in his config (eg. by putting text like 'Please make sure you have TagSoup html parser set in your config (press "O") before continuing'). Victim pressed 'O', and temporary file of size approx 8-9 kB (rendered html config interface) has been created in /tmp. It's name should be in format: /tmp/Lxxxxx-yTMP.html, where xxxxx is pid of browser and y is unique, small integer (starting from 1) - for example, /tmp/L1829-1TMP.html. All you have to do is to utime(...) on this file to determine 'secure' value. If you can't see what I'm talking about, stop now and read manpages for time(...) and utime(...). Then, you have to create next webpage, B.html (referenced with 'CLICK HERE WHEN DONE' from A.html ;), putting form with hidden fields containing your favourite configuration for victim's browser, and, of course, 'secure' field. For configuration form fields, take a look on /tmp file created by your browser. Another 'CLICK HERE' and form will be submitted to LYNXOPTIONS://. silently modyfying client's configuration. Just a suggestion: change 'editor' to your favourite shell-combo ('rm -rf /' for kiddies, 'cat /tmp/mykey >>~/.ssh/authorized_keys #' for script adults), set 'Save options to disk', then put mailto: in subsequent webpages - editor will be spawned automatically when new mail is edited within lynx. As you can see, direct implications of these lacks of security checks aren't deadly, but just a little bit of inadvertence combined with trivial psychological tricks might turn it into something quite harmful. _______________________________________________________________________ Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:02 PDT