Lynx format string vulnerability in URL logging.

From: Larry W. Cashdollar (lwcat_private)
Date: Thu Dec 27 2001 - 09:23:01 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    The vendor has been notified, but since this is low risk I am
    releasing early.
    
    
    				Vapid Labs
    			    Larry W. Cashdollar
    				Bug Report
    
    Summary: lynx has a format string vulnerability in LYUtils.c line 7995 due
    	 to a bad call to syslog(), where the format argument is omitted.
    
    Risk: Low
    
    Version: Lynx compiled from FreeBSD ports collection.  Also tested in
    2.8.5dev.5.gz
    
    [larryc@harod ~ $] lynx --version
    Lynx Version 2.8.4rel.1 (17 Jul 2001)
    Built on freebsd4.4 Dec 25 2001 23:04:31
    
    
    Details:
    
    line 7995 in LYUtils.c reads:
    syslog (LOG_INFO|LOG_LOCAL5, buf);
    
    The reason this is low priority is that the bug can only be triggered if
    syslogging URLs is enabled.
    (./configure --enable-syslog)
    
    Exploit:
    
    The following url triggers the bug:
    
    [larryc@harod ~ $] lynx http://lwc%d%d:hsVd632kat_private/bleh:80
    
    This results in the following being logged to syslog.
    
    Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80
    
    Fix:
    
    line 7995:
    - -syslog (LOG_INFO|LOG_LOCAL5, buf);
    +syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);
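    Review bot: the one-line fix is the right one and is complete for this call site: with the constant "%s" format, buf is passed as a plain argument, so the %d sequences in the trigger URL are logged literally instead of being interpreted by the printf engine inside syslog(). Two practical notes for anyone applying it by hand: the leading "- -" on the removed line is PGP clearsign dash-escaping of "-syslog (...)" and is not part of the source, so drop the extra "- "; and the line number 7995 refers to the tested 2.8.4rel.1 source, so in other versions locate the call by searching for syslog() calls whose format argument is not a string literal rather than by line number.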
    
    
    Larry W. Cashdollar
    http://vapid.dhs.org
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE8K1iX1hSQ6Gxh/KoRAiiXAJ9y89t6QYewx2tCiHT8JwsplvLMsgCfQBDD
    mrfnwVrdUUNRaKLdGIOtWfI=
    =sNDc
    -----END PGP SIGNATURE-----
    
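    As an added worked example (not code from the advisory and not from the Lynx source tree): the vulnerable and the fixed form of the logging call side by side, plus a small pre-logging check for printf directives. A stand-in with the same variadic shape as syslog(3) renders the message into a buffer so the example runs offline; the URL, the host example.invalid, the password and all function names are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): same shape (priority, format, ...), but the
 * message is rendered into a caller-supplied buffer so the example runs
 * offline and the result can be inspected.  The real syslog() ends in
 * vsyslog(), which hands the format string to the printf engine exactly
 * as vsnprintf() does here. */
static int syslog_stub(char *out, size_t outlen, int pri, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)pri;                       /* the priority plays no part in the bug */
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the advisory describes in LYUtils.c: the URL buffer itself
 * is passed as the format string, so every %-directive in the URL is
 * interpreted and pulls arguments that were never supplied. */
int log_url_vulnerable(const char *url, char *out, size_t outlen)
{
    return syslog_stub(out, outlen, 0, url);
}

/* The advisory's fix: a constant format, the URL is data only. */
int log_url_fixed(const char *url, char *out, size_t outlen)
{
    return syslog_stub(out, outlen, 0, "%s", url);
}

/* Does the string carry a printf conversion directive, i.e. a '%' that is
 * not the "%%" escape?  Note that ordinary URL-encoding ("%20") already
 * counts, so a logger with this bug misbehaves on benign input too. */
int has_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {           /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed trigger in the shape of the advisory's URL;
     * host and password are placeholders, not real */
    const char *url = "http://lwc%d%d:secret@example.invalid/bleh:80";
    char vuln[256], fixed[256];

    log_url_vulnerable(url, vuln, sizeof vuln);
    log_url_fixed(url, fixed, sizeof fixed);
    printf("vulnerable: %s\n", vuln);   /* %d%d replaced by two stray integers */
    printf("fixed:      %s\n", fixed);  /* the URL, byte for byte */
    printf("directives: %d\n", has_format_directive(url));
    return 0;
}
```

    The vulnerable path reads two integers that were never passed (undefined behaviour in the C sense, which is why the exact digits differ from run to run and from the ones in the advisory's log line); the fixed path produces the input unchanged. The has_format_directive() check is useful as a regression test for any URL or user-string logger, since a URL-encoded "%20" is enough to trip the bug even without an attacker trying.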



    This archive was generated by hypermail 2b30 : Thu Dec 27 2001 - 11:06:19 PST