Several vulnerabilities have been discovered in lynx, the popular text-mode WWW browser. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities :

  - CVE-2004-1617     Michal Zalewski discovered that lynx is not able to grok     invalid HTML including a TEXTAREA tag with a large COLS     value and a large tag name in an element that is not     terminated, and loops forever trying to render the     broken HTML.

  - CVE-2005-3120     Ulf Harnhammar discovered a buffer overflow that can be     remotely exploited. During the handling of Asian     characters when connecting to an NNTP server lynx can be     tricked to write past the boundary of a buffer which can     lead to the execution of arbitrary code.

Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code.

The remote Redhat Enterprise Linux 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2005:803 advisory.

  - CAN-2005-3120 lynx buffer overflow (CVE-2005-3120)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5.

When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI.

Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b)
*links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers.

The updated packages have been patched to address this issue.

Update :

The previous patchset had a bug in the patches themselves, which was uncovered by Klaus Singvogel of Novell/SUSE in auditing crashes on some architectures.

The remote host is affected by the vulnerability described in GLSA-200510-15 (Lynx: Buffer overflow in NNTP processing)

    When accessing a NNTP URL, Lynx connects to a NNTP server and     retrieves information about the available articles in the target     newsgroup. Ulf Harnhammar discovered a buffer overflow in a function     that handles the escaping of special characters.
  Impact :

    An attacker could setup a malicious NNTP server and entice a user     to access it using Lynx (either by creating NNTP links on a web page or     by forcing a redirect for Lynx users). The data returned by the NNTP     server would trigger the buffer overflow and execute arbitrary code     with the rights of the user running Lynx.
  Workaround :

    There is no known workaround at this time.

An updated lynx package that corrects a security flaw is now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Lynx is a text-based Web browser.

Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue.

Users should update to this erratum package, which contains a backported patch to correct this issue.

Ulf Harnhammar reports :

When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow.

New Lynx packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. An overflow could result in the execution of arbitrary code when using Lynx to connect to a malicious NNTP server.

Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape chararacters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user running lynx. In order to exploit this, the user is not even required to actively visit a news site with Lynx since a malicious HTML page could automatically redirect to an nntp:// URL with malicious news items.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is using Lynx as a web browser. This version of Lynx is vulnerable to a buffer overflow when processing malformed NNTP headers.  An attacker exploiting this flaw would need to be able to convince the local Lynx user to browse a malicious NNTP server.  Successful exploitation will result in the attacker running arbitrary code on the local system.  

ID	Name	Product	Family	Published	Updated	Severity
22627	Debian DSA-1085-1 : lynx-cur - several vulnerabilities	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	high
22742	Debian DSA-876-1 : lynx-ssl - buffer overflow	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	high
20051	RHEL 4 : lynx (RHSA-2005:803)	Nessus	Red Hat Local Security Checks	10/19/2005	4/21/2024	critical
20057	Mandrake Linux Security Advisory : lynx (MDKSA-2005:186-1)	Nessus	Mandriva Local Security Checks	10/19/2005	1/6/2021	high
20035	GLSA-200510-15 : Lynx: Buffer overflow in NNTP processing	Nessus	Gentoo Local Security Checks	10/19/2005	1/6/2021	high
22740	Debian DSA-874-1 : lynx - buffer overflow	Nessus	Debian Local Security Checks	10/14/2006	1/4/2021	high
21863	CentOS 3 / 4 : lynx (CESA-2005:803)	Nessus	CentOS Local Security Checks	7/3/2006	1/4/2021	high
21506	FreeBSD : lynx -- remote buffer overflow (c01170bf-4990-11da-a1b8-000854d03344)	Nessus	FreeBSD Local Security Checks	5/13/2006	1/6/2021	high
54864	Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : lynx (SSA:2005-310-03)	Nessus	Slackware Local Security Checks	5/28/2011	1/14/2021	high
20622	Ubuntu 4.10 / 5.04 / 5.10 : lynx vulnerability (USN-206-1)	Nessus	Ubuntu Local Security Checks	1/15/2006	1/19/2021	high
3261	Lynx < 2.8.6 dev14 NNTP Headers Buffer Overflow	Nessus Network Monitor	Web Clients	10/17/2005	3/6/2019	medium
800109	Lynx < 2.8.6 dev14 NNTP Headers Buffer Overflow	Log Correlation Engine	Web Clients			medium
800974	Lynx < 2.8.6 dev14 NNTP Headers Buffer Overflow	Log Correlation Engine	Web Clients			medium

Detections

Analytics

Plugins Search

high

high

critical

high

high

high

high

high

high

high

medium

medium

medium