SCO Security Advisory - Ulf Harnhammar has reported a vulnerability in Lynx, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the HTrjis() function in the handling of article headers sent from NNTP (Network News Transfer Protocol) servers. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious web site which redirects to a malicious NNTP server via the nntp: URI handler. Successful exploitation allows execution of arbitrary code.
3a4f408a9e7a6a4943c8178a7eda2a2ee13c50995972d5fa0fc6e533172fbd78
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.3 UnixWare 7.1.4 : Lynx NNTP Buffer Overflow Vulnerability
Advisory number: SCOSA-2005.47
Issue date: 2005 November 08
Cross reference: fz533159
CVE-2005-3120
______________________________________________________________________________
1. Problem Description
Ulf Harnhammar has reported a vulnerability in Lynx, which can
be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the
"HTrjis()" function in the handling of article headers sent from
NNTP (Network News Transfer Protocol) servers. This can be
exploited to cause a stack-based buffer overflow by e.g.
tricking a user into visiting a malicious web site which
redirects to a malicious NNTP server via the "nntp:" URI
handler.
Successful exploitation allows execution of arbitrary code.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-3120 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 /usr/gnu/bin/lynx
UnixWare 7.1.4 /usr/gnu/bin/lynx
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47
4.2 Verification
MD5 (p533159.image) = bc3fd8c36aea096b7ed75a2f27950b1e
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download p533159.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/p533159.image
5. UnixWare 7.1.4
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47
5.2 Verification
MD5 (p533159.image) = bc3fd8c36aea096b7ed75a2f27950b1e
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download p533159.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/p533159.image
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
http://securitytracker.com/id?1015065
http://secunia.com/advisories/17216
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incident fz533159.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgments
SCO would like to thank Ulf Harnhammar for reporting this
vulnerability.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)
iD8DBQFDcPYVaqoBO7ipriERAjoRAJ0U1Ik6iVjuCU2XFRAAiJ1k157D8gCeOXw6
+lnmbCl8lvRH/GYwLg2saLE=
=g4hZ
-----END PGP SIGNATURE-----