ID CVE-2005-3120
Summary Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.
References
Vulnerable Configurations
  • cpe:2.3:a:university_of_kansas:lynx:2.8.3
    cpe:2.3:a:university_of_kansas:lynx:2.8.3
  • cpe:2.3:a:university_of_kansas:lynx:2.8.4
    cpe:2.3:a:university_of_kansas:lynx:2.8.4
  • cpe:2.3:a:university_of_kansas:lynx:2.8.6
    cpe:2.3:a:university_of_kansas:lynx:2.8.6
  • cpe:2.3:a:university_of_kansas:lynx:2.8.6_dev13
    cpe:2.3:a:university_of_kansas:lynx:2.8.6_dev13
CVSS
Base: 7.5 (as of 18-10-2005 - 08:41)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description Lynx <= 2.8.6dev.13 Remote Buffer Overflow Exploit (PoC). CVE-2005-3120. Dos exploits for multiple platform
id EDB-ID:1256
last seen 2016-01-31
modified 2005-10-17
published 2005-10-17
reporter Ulf Harnhammar
source https://www.exploit-db.com/download/1256/
title Lynx <= 2.8.6dev.13 - Remote Buffer Overflow Exploit PoC
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2005-310-03.NASL
    description New Lynx packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. An overflow could result in the execution of arbitrary code when using Lynx to connect to a malicious NNTP server.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 54864
    published 2011-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54864
    title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : lynx (SSA:2005-310-03)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-186.NASL
    description Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. The updated packages have been patched to address this issue. Update : The previous patchset had a bug in the patches themselves, which was uncovered by Klaus Singvogel of Novell/SUSE in auditing crashes on some architectures.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20057
    published 2005-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20057
    title Mandrake Linux Security Advisory : lynx (MDKSA-2005:186-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-803.NASL
    description An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Lynx is a text-based Web browser. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21863
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21863
    title CentOS 3 / 4 : lynx (CESA-2005:803)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-876.NASL
    description Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22742
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22742
    title Debian DSA-876-1 : lynx-ssl - buffer overflow
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1085.NASL
    description Several vulnerabilities have been discovered in lynx, the popular text-mode WWW browser. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities : - CVE-2004-1617 Michal Zalewski discovered that lynx is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML. - CVE-2005-3120 Ulf Harnhammar discovered a buffer overflow that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22627
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22627
    title Debian DSA-1085-1 : lynx-cur - several vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C01170BF499011DAA1B8000854D03344.NASL
    description Ulf Harnhammar reports : When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21506
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21506
    title FreeBSD : lynx -- remote buffer overflow (c01170bf-4990-11da-a1b8-000854d03344)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-803.NASL
    description An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Lynx is a text-based Web browser. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20051
    published 2005-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20051
    title RHEL 2.1 / 3 / 4 : lynx (RHSA-2005:803)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-874.NASL
    description Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22740
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22740
    title Debian DSA-874-1 : lynx - buffer overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200510-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200510-15 (Lynx: Buffer overflow in NNTP processing) When accessing a NNTP URL, Lynx connects to a NNTP server and retrieves information about the available articles in the target newsgroup. Ulf Harnhammar discovered a buffer overflow in a function that handles the escaping of special characters. Impact : An attacker could setup a malicious NNTP server and entice a user to access it using Lynx (either by creating NNTP links on a web page or by forcing a redirect for Lynx users). The data returned by the NNTP server would trigger the buffer overflow and execute arbitrary code with the rights of the user running Lynx. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 20035
    published 2005-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20035
    title GLSA-200510-15 : Lynx: Buffer overflow in NNTP processing
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-206-1.NASL
    description Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape chararacters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user running lynx. In order to exploit this, the user is not even required to actively visit a news site with Lynx since a malicious HTML page could automatically redirect to an nntp:// URL with malicious news items. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 20622
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20622
    title Ubuntu 4.10 / 5.04 / 5.10 : lynx vulnerability (USN-206-1)
oval via4
accepted 2013-04-29T04:18:36.892-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.
family unix
id oval:org.mitre.oval:def:9257
status accepted
submitted 2010-07-09T03:56:16-04:00
title Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.
version 23
redhat via4
advisories
rhsa
id RHSA-2005:803
refmap via4
bid 15117
bugtraq 20060602 Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities
confirm http://support.avaya.com/elmodocs2/security/ASA-2006-010.htm
debian
  • DSA-1085
  • DSA-874
  • DSA-876
fedora FLSA:152832
fulldisc 20051017 Lynx Remote Buffer Overflow
gentoo GLSA-200510-15
mandriva MDKSA-2005:186
misc https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170253
openpkg OpenPKG-SA-2005.026
sco
  • SCOSA-2005.47
  • SCOSA-2006.7
sectrack 1015065
secunia
  • 17150
  • 17216
  • 17230
  • 17231
  • 17238
  • 17248
  • 17340
  • 17360
  • 17444
  • 17445
  • 17480
  • 18376
  • 18584
  • 20383
slackware SSA:2005-310-03
suse SUSE-SR:2005:025
trustix TSLSA-2005-0059
ubuntu USN-206-1
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 21-08-2010 - 00:33
Published 17-10-2005 - 16:06
Last modified 19-10-2018 - 11:34
Back to Top