Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed allows remote attackers to execute arbitrary code via shell metacharacters in an smb:// URI, as demonstrated by using PUT and GET statements.

From Red Hat Security Advisory 2006:0742 :

An updated elinks package that corrects a security vulnerability is now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Elinks is a text mode Web browser used from the command line that supports rendering modern web pages.

An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks.
(CVE-2006-5925)

All users of Elinks are advised to upgrade to this updated package, which resolves this issue by removing support for the SMB protocol from Elinks.

Note: this issue did not affect the Elinks package shipped with Red Hat Enterprise Linux 3, or the Links package shipped with Red Hat Enterprise Linux 2.1.

Teemu Salmela discovered that Elinks did not properly validate input when processing smb:// URLs. If a user were tricked into viewing a malicious website and had smbclient installed, a remote attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2006-5925)

Jakub Wilk discovered a logic error in Elinks, leading to a buffer overflow. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-7224).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated elinks package that corrects a security vulnerability is now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Elinks is a text mode Web browser used from the command line that supports rendering modern web pages.

An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks.
(CVE-2006-5925)

All users of Elinks are advised to upgrade to this updated package, which resolves this issue by removing support for the SMB protocol from Elinks.

Note: this issue did not affect the Elinks package shipped with Red Hat Enterprise Linux 3, or the Links package shipped with Red Hat Enterprise Linux 2.1.

Malicious websites could abuse smb:// URLs to read or write arbitrary files of the user (CVE-2006-5925). Therefore this update disables SMB support in links.

The links web browser with smbclient installed allows remote attackers to execute arbitrary code via shell metacharacters in an smb:// URI, as demonstrated by using PUT and GET statements.

Corporate 3.0 is not affected by this issue, as that version of links does not have smb:// URI support.

Updated packages have disabled access to smb:// URIs.

The remote host is affected by the vulnerability described in GLSA-200701-27 (ELinks: Arbitrary Samba command execution)

    Teemu Salmela discovered an error in the validation code of 'smb://'     URLs used by ELinks, the same issue as reported in GLSA 200612-16     concerning Links.
  Impact :

    A remote attacker could entice a user to browse to a specially crafted     'smb://' URL and execute arbitrary Samba commands, which would allow     the overwriting of arbitrary local files or the upload or download of     arbitrary files. This vulnerability can be exploited only if     'smbclient' is installed on the victim's computer, which is provided by     the 'samba' Gentoo package.
  Workaround :

    There is no known workaround at this time.

Teemu Salmela discovered that the links2 character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.

The remote host is affected by the vulnerability described in GLSA-200612-16 (Links: Arbitrary Samba command execution)

    Teemu Salmela discovered that Links does not properly validate 'smb://'     URLs when it runs smbclient commands.
  Impact :

    A remote attacker could entice a user to browse to a specially crafted     'smb://' URL and execute arbitrary Samba commands, which would allow     the overwriting of arbitrary local files or the upload or the download     of arbitrary files. This vulnerability can be exploited only if     'smbclient' is installed on the victim's computer, which is provided by     the 'samba' Gentoo package.
  Workaround :

    There is no known workaround at this time.

Teemu Salmela discovered that the links character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.

Teemu Salmela discovered that the elinks character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.

ID	Name	Product	Family	Severity
67426	Oracle Linux 4 : elinks (ELSA-2006-0742)	Nessus	Oracle Linux Local Security Checks	high
42208	Ubuntu 6.06 LTS : elinks vulnerabilities (USN-851-1)	Nessus	Ubuntu Local Security Checks	high
37097	CentOS 4 : elinks (CESA-2006:0742)	Nessus	CentOS Local Security Checks	high
27342	openSUSE 10 Security Update : links (links-2292)	Nessus	SuSE Local Security Checks	high
24601	Mandrake Linux Security Advisory : links (MDKSA-2006:216)	Nessus	Mandriva Local Security Checks	high
24312	GLSA-200701-27 : ELinks: Arbitrary Samba command execution	Nessus	Gentoo Local Security Checks	high
23945	Debian DSA-1240-1 : links2 - insufficient escaping	Nessus	Debian Local Security Checks	high
23873	GLSA-200612-16 : Links: Arbitrary Samba command execution	Nessus	Gentoo Local Security Checks	high
23844	Debian DSA-1226-1 : links - insufficient escaping	Nessus	Debian Local Security Checks	high
23770	Debian DSA-1228-1 : elinks - insufficient escaping	Nessus	Debian Local Security Checks	high
23684	RHEL 4 : elinks (RHSA-2006:0742)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2006-5925

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high