From: naddy@mips.rhein-neckar.de (Christian Weisgerber)
Subject: Re: Lynx forbidden
Date: 2 Apr 2000 18:45:36 +0200
Message-ID: <8c7tfg$17jv$1@bigeye.rhein-neckar.de>
References: <20000402024251.A3917@kagan.quedawg.com>
To: freebsd-questions@freebsd.org

Doug Poland wrote:

> How does a cracker exploit (or create?) buffer overflows
> that make lynx vulnerable?

Exploitation would take the form of somebody having a web site with
overlong URLs (and possibly some other structures lynx is vulnerable
to, I don't know the details of the security audit) that will overflow
lynx' internal buffers, clobber the stack, and cause this remote data
to be executed as code.

Effectively, you would attempt to load a page and unwittingly execute
some code provided from the malicious server locally on your system
under your user ID and permissions. The possibilities for abuse are
immense. Examples include deleting all your files, modifying your
.rhosts or ssh configuration in such a way as to open up your account
to unauthorized remote login, or copying (possibly sensitive) personal
data.

> If I have lynx on my system, when am I at risk?

When you access a remote untrusted web server.

Please note that the security status of other browsers such as w3m is
more along the lines of "unknown" rather than "safe". And I don't even
want to think about netscape.

> Doesn't sysinstall use lynx to read on-line documentation?
> If it's so risky, why would the installation program use it?

The recognition that lynx is unsafe is somewhat new, and the problem
will probably be fixed eventually. Also, there is no security risk
involved in using it to read the locally installed documentation.

-- 
Christian "naddy" Weisgerber                  naddy@mips.rhein-neckar.de
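
Added example, not part of the original message and not lynx source code: the class of bug the reply describes (a server-supplied URL copied into a fixed-size stack buffer) shown beside a bounded version that rejects overlong input. The function names and the HOST_MAX limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64  /* hypothetical buffer size chosen for this example */

/* Unsafe pattern: trusts remote data to fit. A host part of HOST_MAX or
 * more bytes is written past `host`, onto the rest of the stack frame. */
int host_len_unsafe(const char *url)
{
    char host[HOST_MAX];
    const char *p = strstr(url, "://");
    size_t n;

    p = p ? p + 3 : url;
    n = strcspn(p, "/");
    memcpy(host, p, n);              /* no bound check */
    host[n] = '\0';
    return (int)strlen(host);
}

/* Bounded version: the caller passes the buffer size, and input that
 * does not fit is rejected instead of copied or silently truncated.
 * Returns 0 on success, -1 on empty or overlong host. */
int extract_host(const char *url, char *out, size_t outsz)
{
    const char *p;
    size_t n;

    if (url == NULL || out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    p = strstr(url, "://");
    p = p ? p + 3 : url;
    n = strcspn(p, "/?#");
    if (n == 0 || n >= outsz)        /* leave room for the terminator */
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char host[HOST_MAX], longurl[400];

    /* Constructed input: a 300-byte host part, as a hostile page might send. */
    strcpy(longurl, "http://");
    memset(longurl + 7, 'A', 300);
    strcpy(longurl + 307, "/x");

    printf("normal:   %d\n", extract_host("http://www.example.org/", host, sizeof host));
    printf("overlong: %d\n", extract_host(longurl, host, sizeof host));
    return 0;
}
```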