Re: LYNX-DEV System Compromised via Lynx


From: Bela Lubkin
Subject: Re: LYNX-DEV System Compromised via Lynx
Date: Sun, 20 Apr 1997 20:16:37 -0700

Chuck Hamer wrote:

> I administer a unix system (hp9000 D-Class; HPUX 10.01) that functions
> both as a news server and as a system from which lynx can be run
> by students in campus libraries.
> 
> I just discovered a ".crack" directory in the lynx client home
> directory.  This directory contains the crack v4.1 package as well as
> a password file on which cracking had been attempted.  Earlier this year
> I was contacted by a sys admin at Princeton University who said that 
> several machines at Princeton had been compromised by a user on this
> same machine.
> 
> What I am trying to figure out is how the person who created the
> .crack directory was able to do this.
> 
> The situation:
> 
>     ----------     ----------------           ------------------
>    | Terminal |---| Telnet Gateway |---LAN---| Lynx client host |
>     ----------     ----------------           ------------------
> 
> Students obtain access to lynx via a menu item on the telnet gateway.
> When they select lynx, the telnet gateway telnets to the lynx client
> host and logs in (login: l-client).  The telnet gateway does all
> the telnet and login processing and the user receives a "homepage"
> via lynx.
> 
> Note: The l-client account does not have a password.  The system is
>       set up such that when a user logs in, lynx is run instead of
>       a shell.  When the user quits lynx he is logged out of the
>       system.  I thought that this type of approach would prevent
>       escaping to a shell.

Exactly how is this implemented?  The problem may actually have nothing
to do with Lynx.  There are ways to set up a secure account, and ways
that don't work, and you haven't given any real information on how you
did it.

> Another Note: There are NO user shell accounts on this system.  The 
>               only non-system users are news (Usenet), l-client (lynx),
>               g-client (gopher), and root.  I should be the only user
>               able to log in (as root) and obtain a shell account.
> 
> What I'm trying to figure out is how a lynx user was able to escape
> to a shell and install crack on this machine.  Since you are the
> lynx experts, I was hoping you might be able to provide some pointers.

If it *is* a Lynx problem, the first question is: what version of Lynx?
Second: how are you invoking it (what command-line arguments)?  What
special measures have you taken in your lynx.cfg and .lynxrc, to prevent
shell escapes?

If you took no special measures, the answer is:

  The user used your telnet mechanism, got into Lynx, then hit "!",
  which gave him a shell prompt, Just Like It Was Supposed To.

>Bela<
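
The following is an added example, not part of the original message and not code from the Lynx project: a small audit of the command line a captive account uses to start Lynx, reporting whether the "!" shell escape described above is left enabled. It assumes the `-anonymous` and `-restrictions=` options as documented in the Lynx man page (where `default` and `all` both include the `shell` restriction); the wrapper command lines and URL are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a captive-account
# Lynx command line leaves the "!" shell escape enabled.

# audit_lynx_cmd "<command line>" prints one verdict line.
audit_lynx_cmd() {
    verdict="UNRESTRICTED: shell escape (!) available"
    set -f                      # no globbing while we word-split $1
    for arg in $1; do
        case "$arg" in
            -anonymous)
                verdict="OK: -anonymous applies the default restrictions" ;;
            -restrictions=*)
                # Wrap the comma list in commas so each name matches whole.
                list=",${arg#-restrictions=},"
                case "$list" in
                    *,all,*|*,default,*|*,shell,*)
                        verdict="OK: -restrictions disables shell escape" ;;
                esac ;;
        esac
    done
    set +f
    printf '%s\n' "$verdict"
}

# Constructed sample command lines (hypothetical kiosk wrappers).
while IFS= read -r cmd; do
    printf '%-55s %s\n' "$cmd" "$(audit_lynx_cmd "$cmd")"
done <<'EOF'
lynx http://www.example.edu/
lynx -restrictions=editor,print http://www.example.edu/
lynx -restrictions=shell,editor http://www.example.edu/
lynx -anonymous http://www.example.edu/
EOF
```

An OK verdict here covers only the "!" escape; how the account's login is wired to Lynx and what lynx.cfg and .lynxrc allow still need to be checked separately.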