lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572]

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572]

From:	Jeffrey C Honig
Subject:	lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572]
Date:	Wed, 06 May 1998 21:40:05 -0400

Do you have, or will you soon have a patch to 2.8 the buffer overflow
problem in 2.8 (as described below)?  I have also verified that this
is a problem with 2.6 and 2.7.2.  We would like to be able to provide
a quick response for our customers and would appreciate any help you
could provide in addressing this problem.

We are distributing Lynx 2.6 with our current OS release (3.1) and
planned on distributing 2.7.2 with 4.0, but we should still be able to
upgrade to 2.8 before the release to address this security concern.
We will also consider upgrading our 3.1 customers to 2.8+patch if that
is necessary.

Thanks.

Jeff


Date:   Sun, 3 May 1998 20:10:25 +0200
Reply-To: Michal Zalewski <address@hidden>
Sender: Bugtraq List <address@hidden>
From: Michal Zalewski <address@hidden>
Subject: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572]
To: address@hidden

Hello again,

I (?) found remote buffer overflow in lynx built-in mailer, which can be
exploited when victim tries to follow hyperlink. Lynx makes blind
assumption on e-mail address length, and sprintfs it into 512-bytes long
buffer. To ensure, view this html:

<a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>

(you should use over 2 kB of 'A's, because there are also other small
buffers on lynx's stack at the time). Why it's dangerous? Because even if
you hit Ctrl+C or Ctrl+G to exit mailer, lynx will execute given code
trying to back from sendform(...) function:

Comment request cancelled!!!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

[...]

Lynx now exiting with signal:  11
IOT trap/Abort

In above case, lynx caused SEGV trying to execute 0x41414141 ('A' has
code 0x41). But of course it's exploitable in traditional way.

Fix: replace sprintf with snprintf.

_______________________________________________________________________
Michal Zalewski address@hidden <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

[Prev in Thread]

Current Thread

[Next in Thread]

lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572], Jeffrey C Honig <=
- Re: lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572], T.E.Dickey, 1998/05/07
  - Re: lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572], Jeffrey C Honig, 1998/05/07

Prev by Date: Re: lynx-dev Re: msg00798.html (was: 0x2276 handling)
Next by Date: Re: lynx-dev demise of lynx-learners?
Previous by thread: lynx-dev How to get Dos lynx to use the Windows winsocket dll
Next by thread: Re: lynx-dev Re: Lynx's 2.8 buffer overflow [BSDI-Support-Request #50572]
Index(es):
- Date
- Thread