Vulnerabilities > CVE-2005-3120 - Incorrect Calculation of Buffer Size vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Buffer Overflow via Parameter Expansion In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
Exploit-Db
| description | Lynx <= 2.8.6dev.13 Remote Buffer Overflow Exploit (PoC). CVE-2005-3120. Dos exploits for multiple platform |
| id | EDB-ID:1256 |
| last seen | 2016-01-31 |
| modified | 2005-10-17 |
| published | 2005-10-17 |
| reporter | Ulf Harnhammar |
| source | https://www.exploit-db.com/download/1256/ |
| title | Lynx <= 2.8.6dev.13 - Remote Buffer Overflow Exploit PoC |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-874.NASL description Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 22740 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22740 title Debian DSA-874-1 : lynx - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-874. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22740); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-3120"); script_xref(name:"DSA", value:"874"); script_name(english:"Debian DSA-874-1 : lynx - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-874" ); script_set_attribute( attribute:"solution", value: "Upgrade the lynx package. For the old stable distribution (woody) this problem has been fixed in version 2.8.4.1b-3.3. For the stable distribution (sarge) this problem has been fixed in version 2.8.5-2sarge1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"lynx", reference:"2.8.4.1b-3.3")) flag++; if (deb_check(release:"3.1", prefix:"lynx", reference:"2.8.5-2sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-186.NASL description Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. The updated packages have been patched to address this issue. Update : The previous patchset had a bug in the patches themselves, which was uncovered by Klaus Singvogel of Novell/SUSE in auditing crashes on some architectures. last seen 2020-06-01 modified 2020-06-02 plugin id 20057 published 2005-10-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20057 title Mandrake Linux Security Advisory : lynx (MDKSA-2005:186-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:186. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(20057); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2005-2665", "CVE-2005-3120"); script_xref(name:"MDKSA", value:"2005:186-1"); script_name(english:"Mandrake Linux Security Advisory : lynx (MDKSA-2005:186-1)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. The updated packages have been patched to address this issue. Update : The previous patchset had a bug in the patches themselves, which was uncovered by Klaus Singvogel of Novell/SUSE in auditing crashes on some architectures." ); script_set_attribute(attribute:"solution", value:"Update the affected lynx package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.1", reference:"lynx-2.8.5-1.2.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"lynx-2.8.5-1.2.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK2006.0", reference:"lynx-2.8.5-4.2.20060mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-803.NASL description An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Lynx is a text-based Web browser. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 21863 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21863 title CentOS 3 / 4 : lynx (CESA-2005:803) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:803 and # CentOS Errata and Security Advisory 2005:803 respectively. # include("compat.inc"); if (description) { script_id(21863); script_version("1.18"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2005-3120"); script_bugtraq_id(15117); script_xref(name:"RHSA", value:"2005:803"); script_name(english:"CentOS 3 / 4 : lynx (CESA-2005:803)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing a security update." ); script_set_attribute( attribute:"description", value: "An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Lynx is a text-based Web browser. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue." ); # https://lists.centos.org/pipermail/centos-announce/2005-October/012288.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?32cf0cb0" ); # https://lists.centos.org/pipermail/centos-announce/2005-October/012289.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?91ed8dc4" ); # https://lists.centos.org/pipermail/centos-announce/2005-October/012292.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a4e05709" ); # https://lists.centos.org/pipermail/centos-announce/2005-October/012293.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?11a72566" ); # https://lists.centos.org/pipermail/centos-announce/2005-October/012320.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?26ff1972" ); # https://lists.centos.org/pipermail/centos-announce/2005-October/012321.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?132e0a60" ); script_set_attribute(attribute:"solution", value:"Update the affected lynx package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"lynx-2.8.5-11.1")) flag++; if (rpm_check(release:"CentOS-4", reference:"lynx-2.8.5-18.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lynx"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1085.NASL description Several vulnerabilities have been discovered in lynx, the popular text-mode WWW browser. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities : - CVE-2004-1617 Michal Zalewski discovered that lynx is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML. - CVE-2005-3120 Ulf Harnhammar discovered a buffer overflow that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 22627 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22627 title Debian DSA-1085-1 : lynx-cur - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1085. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22627); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2004-1617", "CVE-2005-3120"); script_bugtraq_id(11443); script_xref(name:"DSA", value:"1085"); script_name(english:"Debian DSA-1085-1 : lynx-cur - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in lynx, the popular text-mode WWW browser. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities : - CVE-2004-1617 Michal Zalewski discovered that lynx is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML. - CVE-2005-3120 Ulf Harnhammar discovered a buffer overflow that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296340" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2004-1617" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-3120" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1085" ); script_set_attribute( attribute:"solution", value: "Upgrade the lynx-cur package. For the old stable distribution (woody) these problems have been fixed in version 2.8.5-2.5woody1. For the stable distribution (sarge) these problems have been fixed in version 2.8.6-9sarge1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lynx-cur"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/06/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"lynx-cur", reference:"2.8.5-2.5woody1")) flag++; if (deb_check(release:"3.0", prefix:"lynx-cur-wrapper", reference:"2.8.5-2.5woody1")) flag++; if (deb_check(release:"3.1", prefix:"lynx-cur", reference:"2.8.6-9sarge1")) flag++; if (deb_check(release:"3.1", prefix:"lynx-cur-wrapper", reference:"2.8.6-9sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-876.NASL description Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 22742 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22742 title Debian DSA-876-1 : lynx-ssl - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-876. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22742); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-3120"); script_xref(name:"DSA", value:"876"); script_name(english:"Debian DSA-876-1 : lynx-ssl - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Ulf Harnhammar discovered a buffer overflow in lynx, a text-mode browser for the WWW that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server lynx can be tricked to write past the boundary of a buffer which can lead to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-876" ); script_set_attribute( attribute:"solution", value: "Upgrade the lynx-ssl package. For the old stable distribution (woody) this problem has been fixed in version 2.8.4.1b-3.2. For the stable distribution (sarge) this problem has been fixed in version 2.8.5-2sarge1 of lynx." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lynx-ssl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"lynx-ssl", reference:"2.8.4.1b-3.2")) flag++; if (deb_check(release:"3.1", prefix:"lynx-ssl", reference:"2.8.5-2sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-803.NASL description An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Lynx is a text-based Web browser. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 20051 published 2005-10-19 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20051 title RHEL 2.1 / 3 / 4 : lynx (RHSA-2005:803) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:803. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(20051); script_version ("1.24"); script_cvs_date("Date: 2019/10/25 13:36:11"); script_cve_id("CVE-2005-3120"); script_bugtraq_id(15117); script_xref(name:"RHSA", value:"2005:803"); script_name(english:"RHEL 2.1 / 3 / 4 : lynx (RHSA-2005:803)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Lynx is a text-based Web browser. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-3120" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2005:803" ); script_set_attribute(attribute:"solution", value:"Update the affected lynx package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(2\.1|3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x / 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2005:803"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"lynx-2.8.4-18.1.1")) flag++; if (rpm_check(release:"RHEL3", reference:"lynx-2.8.5-11.1")) flag++; if (rpm_check(release:"RHEL4", reference:"lynx-2.8.5-18.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lynx"); } }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200510-15.NASL description The remote host is affected by the vulnerability described in GLSA-200510-15 (Lynx: Buffer overflow in NNTP processing) When accessing a NNTP URL, Lynx connects to a NNTP server and retrieves information about the available articles in the target newsgroup. Ulf Harnhammar discovered a buffer overflow in a function that handles the escaping of special characters. Impact : An attacker could setup a malicious NNTP server and entice a user to access it using Lynx (either by creating NNTP links on a web page or by forcing a redirect for Lynx users). The data returned by the NNTP server would trigger the buffer overflow and execute arbitrary code with the rights of the user running Lynx. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 20035 published 2005-10-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20035 title GLSA-200510-15 : Lynx: Buffer overflow in NNTP processing code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200510-15. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(20035); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2005-3120"); script_xref(name:"GLSA", value:"200510-15"); script_name(english:"GLSA-200510-15 : Lynx: Buffer overflow in NNTP processing"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200510-15 (Lynx: Buffer overflow in NNTP processing) When accessing a NNTP URL, Lynx connects to a NNTP server and retrieves information about the available articles in the target newsgroup. Ulf Harnhammar discovered a buffer overflow in a function that handles the escaping of special characters. Impact : An attacker could setup a malicious NNTP server and entice a user to access it using Lynx (either by creating NNTP links on a web page or by forcing a redirect for Lynx users). The data returned by the NNTP server would trigger the buffer overflow and execute arbitrary code with the rights of the user running Lynx. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200510-15" ); script_set_attribute( attribute:"solution", value: "All Lynx users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/lynx-2.8.5-r1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-client/lynx", unaffected:make_list("ge 2.8.5-r1"), vulnerable:make_list("lt 2.8.5-r1"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Lynx"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_C01170BF499011DAA1B8000854D03344.NASL description Ulf Harnhammar reports : When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow. last seen 2020-06-01 modified 2020-06-02 plugin id 21506 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21506 title FreeBSD : lynx -- remote buffer overflow (c01170bf-4990-11da-a1b8-000854d03344) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(21506); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:37"); script_cve_id("CVE-2005-3120"); script_name(english:"FreeBSD : lynx -- remote buffer overflow (c01170bf-4990-11da-a1b8-000854d03344)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Ulf Harnhammar reports : When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow." ); # http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a40354e4" ); # https://vuxml.freebsd.org/freebsd/c01170bf-4990-11da-a1b8-000854d03344.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1447932b" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-lynx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:lynx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:lynx-ssl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"lynx<2.8.5_1")) flag++; if (pkg_test(save_report:TRUE, pkg:"lynx>2.8.6*<2.8.6d14")) flag++; if (pkg_test(save_report:TRUE, pkg:"ja-lynx<2.8.5_1")) flag++; if (pkg_test(save_report:TRUE, pkg:"ja-lynx>2.8.6*<2.8.6d14")) flag++; if (pkg_test(save_report:TRUE, pkg:"lynx-ssl<2.8.5_1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-206-1.NASL description Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape chararacters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user running lynx. In order to exploit this, the user is not even required to actively visit a news site with Lynx since a malicious HTML page could automatically redirect to an nntp:// URL with malicious news items. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20622 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20622 title Ubuntu 4.10 / 5.04 / 5.10 : lynx vulnerability (USN-206-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-206-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20622); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2005-3120"); script_xref(name:"USN", value:"206-1"); script_name(english:"Ubuntu 4.10 / 5.04 / 5.10 : lynx vulnerability (USN-206-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Ulf Harnhammar discovered a remote vulnerability in Lynx when connecting to a news server (NNTP). The function that added missing escape chararacters to article headers did not check the size of the target buffer. Specially crafted news entries could trigger a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user running lynx. In order to exploit this, the user is not even required to actively visit a news site with Lynx since a malicious HTML page could automatically redirect to an nntp:// URL with malicious news items. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected lynx package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:lynx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10|5\.04|5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04 / 5.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"lynx", pkgver:"2.8.5-1ubuntu1.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"lynx", pkgver:"2.8.5-2ubuntu0.5.04")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"lynx", pkgver:"2.8.5-2ubuntu0.5.10")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lynx"); }NASL family Fedora Local Security Checks NASL id FEDORA_2005-994.NASL description This package fixes a security bug (CVE-2005-3120) when handling connections to NNTP (news) servers. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20028 published 2005-10-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20028 title Fedora Core 4 : lynx-2.8.5-23.1 (2005-994) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2005-310-03.NASL description New Lynx packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. An overflow could result in the execution of arbitrary code when using Lynx to connect to a malicious NNTP server. last seen 2020-06-01 modified 2020-06-02 plugin id 54864 published 2011-05-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54864 title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : lynx (SSA:2005-310-03) NASL family Fedora Local Security Checks NASL id FEDORA_2005-993.NASL description This package fixes a security bug (CVE-2005-3120) when handling connections to NNTP (news) servers. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20027 published 2005-10-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20027 title Fedora Core 3 : lynx-2.8.5-18.0.1 (2005-993)
Oval
| accepted | 2013-04-29T04:18:36.892-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:9257 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||
| rpms |
|
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-03-14 |
| organization | Red Hat |
| statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
- http://www.redhat.com/support/errata/RHSA-2005-803.html
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170253
- http://www.debian.org/security/2005/dsa-874
- http://www.debian.org/security/2005/dsa-876
- http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
- http://secunia.com/advisories/17216
- http://secunia.com/advisories/17360
- http://securitytracker.com/id?1015065
- http://www.securityfocus.com/bid/15117
- http://www.openpkg.org/security/OpenPKG-SA-2005.026-lynx.html
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47/SCOSA-2005.47.txt
- ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.7/SCOSA-2006.7.txt
- http://secunia.com/advisories/17445
- http://secunia.com/advisories/18376
- http://secunia.com/advisories/17444
- http://support.avaya.com/elmodocs2/security/ASA-2006-010.htm
- http://www.gentoo.org/security/en/glsa/glsa-200510-15.xml
- http://www.novell.com/linux/security/advisories/2005_25_sr.html
- http://secunia.com/advisories/17150
- http://secunia.com/advisories/17230
- http://secunia.com/advisories/17231
- http://secunia.com/advisories/17238
- http://secunia.com/advisories/17248
- http://secunia.com/advisories/17340
- http://secunia.com/advisories/17480
- http://secunia.com/advisories/18584
- http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.423056
- http://www.debian.org/security/2006/dsa-1085
- http://secunia.com/advisories/20383
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:186
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9257
- https://usn.ubuntu.com/206-1/
- http://www.securityfocus.com/archive/1/435689/30/4740/threaded
- http://www.securityfocus.com/archive/1/419763/100/0/threaded