CVE-2005-2929
CVSS 7.5
Published: 2005-11-18 01:03:00
Last revised: 2011-10-06 00:00:00

[Original] Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attackers to execute arbitrary commands via (1) lynxcgi:, (2) lynxexec, and (3) lynxprog links, which are not properly restricted in the default configuration in some environments.


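[CNNVD] Lynx URI handler arbitrary command execution vulnerability (CNNVD-200511-246)

        Lynx is a text-based WWW browser. It cannot display images or handle Java, so it runs very fast.
        A remote command injection vulnerability exists in many vendors' implementations of Lynx; a malicious site may exploit it to execute arbitrary commands on the client machine. Lynx allows local cgi-bin programs to be executed through the "lynxcgi:" URI handler. Normally this handler should be restricted to specific directories or programs. However, because of a configuration error on multiple platforms, the default settings allow any site to specify the command to run, which allows a remote attacker to execute arbitrary commands with the privileges of the user running Lynx.
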

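- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)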

cpe:/a:university_of_kansas:lynx:2.8.5
cpe:/a:university_of_kansas:lynx:2.8.6
cpe:/a:university_of_kansas:lynx:2.8.6_dev13

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9712
Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attackers to execute arbitrary commands via (1) lynxcgi:, (2) lynxexec, and...
*OVAL describes in detail how to detect this vulnerability; you can find more technical details on detecting it in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2929
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-246
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=338&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051110 Multiple Vendor Lynx Command Injection Vulnerability
http://xforce.iss.net/xforce/xfdb/23119
(UNKNOWN)  XF  lynx-lynxcgi-command-execute(23119)
http://www.vupen.com/english/advisories/2005/2394
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2394
http://www.securityfocus.com/bid/15395
(UNKNOWN)  BID  15395
http://www.securityfocus.com/archive/1/archive/1/419763/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:152832
http://www.redhat.com/support/errata/RHSA-2005-839.html
(UNKNOWN)  REDHAT  RHSA-2005:839
http://www.openpkg.org/security/OpenPKG-SA-2005.026-lynx.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.026
http://www.mandriva.com/security/advisories?name=MDKSA-2005:211
(UNKNOWN)  MANDRIVA  MDKSA-2005:211
http://www.gentoo.org/security/en/glsa/glsa-200511-09.xml
(UNKNOWN)  GENTOO  GLSA-200511-09
http://support.avaya.com/elmodocs2/security/ASA-2006-035.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-035.htm
http://securitytracker.com/id?1015195
(UNKNOWN)  SECTRACK  1015195
http://securityreason.com/securityalert/173
(UNKNOWN)  SREASON  173
http://secunia.com/advisories/18659
(VENDOR_ADVISORY)  SECUNIA  18659
http://secunia.com/advisories/18376
(VENDOR_ADVISORY)  SECUNIA  18376
http://secunia.com/advisories/18051
(VENDOR_ADVISORY)  SECUNIA  18051
http://secunia.com/advisories/17757
(VENDOR_ADVISORY)  SECUNIA  17757
http://secunia.com/advisories/17666
(VENDOR_ADVISORY)  SECUNIA  17666
http://secunia.com/advisories/17576
(VENDOR_ADVISORY)  SECUNIA  17576
http://secunia.com/advisories/17556
(VENDOR_ADVISORY)  SECUNIA  17556
http://secunia.com/advisories/17546
(VENDOR_ADVISORY)  SECUNIA  17546
http://secunia.com/advisories/17512
(VENDOR_ADVISORY)  SECUNIA  17512
http://secunia.com/advisories/17372
(VENDOR_ADVISORY)  SECUNIA  17372
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.55/SCOSA-2005.55.txt
(UNKNOWN)  SCO  SCOSA-2005.55
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.7/SCOSA-2006.7.txt
(UNKNOWN)  SCO  SCOSA-2006.7

- Vulnerability information

Lynx URI handler arbitrary command execution vulnerability
High risk  Permissions and access control
2005-11-18 00:00:00 2006-06-12 00:00:00
Remote

- Advisories and patches

        RedHat has released a security advisory (RHSA-2005:839-01) and corresponding patches for this issue:
        http://www.auscert.org.au/render.html?it=5735
        http://security.gentoo.org/glsa/glsa-200511-09.xml

- Vulnerability information (F81282)

Gentoo Linux Security Advisory 200909-15 (PacketStormID:F81282)
2009-09-15 00:00:00
Gentoo  security.gentoo.org
advisory,remote,arbitrary
linux,gentoo
CVE-2005-2929,CVE-2008-4690

Gentoo Linux Security Advisory GLSA 200909-15 - An incomplete fix for an issue related to the Lynx URL handler might allow for the remote execution of arbitrary commands. Clint Ruoho reported that the fix for CVE-2005-2929 (GLSA 200511-09) only disabled the lynxcgi:// handler when not using the advanced mode. Versions less than 2.8.6-r4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200909-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Lynx: Arbitrary command execution
      Date: September 12, 2009
      Bugs: #243058
        ID: 200909-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An incomplete fix for an issue related to the Lynx URL handler might
allow for the remote execution of arbitrary commands.

Background
==========

Lynx is a fully-featured WWW client for users running
cursor-addressable, character-cell display devices such as vt100
terminals and terminal emulators.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  www-client/lynx     < 2.8.6-r4                        >= 2.8.6-r4

Description
===========

Clint Ruoho reported that the fix for CVE-2005-2929 (GLSA 200511-09)
only disabled the lynxcgi:// handler when not using the advanced mode.

Impact
======

A remote attacker can entice a user to access a malicious HTTP server,
causing Lynx to execute arbitrary commands. NOTE: The advanced mode is
not enabled by default. Successful exploitation requires the
"lynxcgi://" protocol to be registered with lynx on the victim's
system.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Lynx users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =www-client/lynx-2.8.6-r4

References
==========

  [ 1 ] CVE-2005-2929
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
  [ 2 ] CVE-2008-4690
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4690
  [ 3 ] GLSA 200511-09
        http://www.gentoo.org/security/en/glsa/glsa-200511-09.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
    

- Vulnerability information (F41496)

iDEFENSE Security Advisory 2005-11-11.t (PacketStormID:F41496)
2005-11-12 00:00:00
vade79,iDefense Labs  idefense.com
advisory,remote,arbitrary,local,cgi
CVE-2005-2929

iDEFENSE Security Advisory 11.11.05 - Remote exploitation of a command injection vulnerability in various vendors' implementations of Lynx could allow attackers to execute arbitrary commands with the privileges of the underlying user. The problem specifically exists within the feature to execute local cgi-bin programs via the lynxcgi: URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx. iDEFENSE has confirmed the existence of this vulnerability in the latest stable release of Lynx, version 2.8.5. It is suspected that earlier versions are also affected.

Multiple Vendor Lynx Command Injection Vulnerability

iDefense Security Advisory 11.11.05
www.idefense.com/application/poi/display?id=338&type=vulnerabilities
November 11, 2005

I. BACKGROUND

Lynx is a fully-featured WWW client for users running
cursor-addressable, character-cell display devices such as vt100
terminals and terminal emulators. Lynx supports a number of protocols
including HTTP, HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi
servers, and services accessible via logons to telnet, tn3270 or rlogin
accounts.

II. DESCRIPTION

Remote exploitation of a command injection vulnerability in various
vendors' implementations of Lynx could allow attackers to execute
arbitrary commands with the privileges of the underlying user.

The problem specifically exists within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. The handler is
generally intended to be restricted to a specific directory or
program(s). However, due to a configuration error on multiple platforms,
the default settings allow for arbitrary websites to specify commands to
run as the user running Lynx.

III. ANALYSIS

Successful exploitation of the described vulnerability allows remote
attackers to execute arbitrary commands with the privileges of the
underlying user. Exploitation requires that an attacker convince a
target user to follow a malicious link from within a vulnerable version
of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to
trigger the issue. However, they are rarely compiled into the Lynx
binary.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest
stable release of Lynx, version 2.8.5. It is suspected that earlier
versions are also affected. The following vendors include susceptible
Lynx packages within their respective distributions:

    * Red Hat Inc.
    * Gentoo Foundation Inc.
    * Mandriva SA

Other vendors are suspected as also being vulnerable. The following
vendors include Lynx packages that are not susceptible to exploitation
as the "lynxcgi" feature is not compiled into Lynx by default:

    * The FreeBSD Project
    * OpenBSD

V. WORKAROUND

Disable "lynxcgi" links by specifying the following directive in
lynx.cfg:

    TRUSTED_LYNXCGI:none

VI. VENDOR RESPONSE

Development version 2.8.6dev.15 has been released to address this issue
and is available from the following URLs:

  http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z
  http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2
  http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz
  http://lynx.isc.org/current/lynx2.8.6dev.15.zip

Alternately, an incremental patch is available at:

  http://lynx.isc.org/current/2.8.6dev.15.patch.gz

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-2929 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005  Initial vendor notification
10/28/2005  Initial vendor response
11/11/2005  Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright     

- Vulnerability information

20814
Lynx lynxcgi: URI Handler Arbitrary Command Execution
Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2005-11-11 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.8.6dev.15 or higher, as it has been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: Disable "lynxcgi" links by specifying the following directive in lynx.cfg: TRUSTED_LYNXCGI:none
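
The workaround above, as an added example (not part of the advisories or of Lynx itself): a shell check that classifies a lynx.cfg by its TRUSTED_LYNXCGI rules. The function name `audit_lynxcgi`, the three verdict labels and the sample files are constructed here; it assumes that a file with no active rule leaves lynxcgi links unrestricted, and it cannot tell whether lynxcgi support is compiled into the binary.

```shell
#!/bin/sh
# Added example: classify a lynx.cfg by its TRUSTED_LYNXCGI rules.
# Assumptions: directives are "KEY:value" lines, "#" starts a comment, and
# a lynxcgi-enabled build with no TRUSTED_LYNXCGI rule permits any link.
# Verdicts (labels chosen for this example):
#   disabled     - only "TRUSTED_LYNXCGI:none" is active
#   restricted   - at least one source/path rule is active (review it)
#   unrestricted - no active rule at all
audit_lynxcgi() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        /^[ \t]*TRUSTED_LYNXCGI:/ {
            val = $0
            sub(/^[ \t]*TRUSTED_LYNXCGI:[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)            # trailing blanks / CR
            if (val == "none") none++
            else if (val != "") rules++
        }
        END {
            if (none && !rules) print "disabled"
            else if (rules)     print "restricted"
            else                print "unrestricted"
        }' "$1"
}

# Constructed sample configs (not taken from any real system).
demo_dir=$(mktemp -d)
printf '%s\n' '# shipped-style file, directive left commented out' \
              '#TRUSTED_LYNXCGI:none' > "$demo_dir/default.cfg"
printf '%s\n' 'TRUSTED_LYNXCGI:none' > "$demo_dir/hardened.cfg"
printf 'TRUSTED_LYNXCGI:\t/usr/local/www/cgi-bin/\n' > "$demo_dir/scoped.cfg"

for name in default hardened scoped; do
    printf '%-10s %s\n' "$name" "$(audit_lynxcgi "$demo_dir/$name.cfg")"
done
rm -rf "$demo_dir"
```

A file that mixes `none` with other rules is reported as `restricted` so that it gets a manual look rather than a pass.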

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
