
Re: lynx-dev have you checked this one ? (fwd)


From: dickey
Subject: Re: lynx-dev have you checked this one ? (fwd)
Date: Thu, 3 Sep 1998 17:50:18 -0400 (EDT)

> I've been in India for a while, and noticed this in my box when I got 
> back. 
yes - it is fixed in the development version.
  
> ---------- Forwarded message ---------- 
> Date: Sun, 14 Jun 1998 20:00:08 +0300 
> From: sysadmin <address@hidden> 
> To: address@hidden 
> Subject: have you checked this one ? 
>  
> A very important source of bugs is www.rootshell.com 
>  
> there is an article on you on May 1 98: 
>  
> enjoy. 
>  
> > [ http://www.rootshell.com/ ] 
> >  
> > Date:         Sun, 3 May 1998 20:10:25 +0200 
> > From:         Michal Zalewski <address@hidden> 
> > Subject:      Lynx's 2.8 buffer overflow 
> >  
> > Hello again, 
> >  
> > I (?) found remote buffer overflow in lynx built-in mailer, which can be
> > exploited when victim tries to follow hyperlink. Lynx makes blind assumption
> > on e-mail address length, and sprintfs it into 512-bytes long buffer. To
> > ensure, view this html:
> >  
> > <a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a> 
> >  
> > (you should use over 2 kB of 'A's, because there are also other small 
> > buffers on lynx's stack at the time). Why it's dangerous? Because even if 
> > you hit Ctrl+C or Ctrl+G to exit mailer, lynx will execute given code trying
> > to back from sendform(...) function:
> >  
> > Comment request cancelled!!! 
> > Program received signal SIGSEGV, Segmentation fault. 
> > 0x41414141 in ?? () 
> >  
> > [...] 
> >  
> > Lynx now exiting with signal:  11 
> > IOT trap/Abort 
> >  
> > In above case, lynx caused SEGV trying to execute 0x41414141 ('A' has 
> > code 0x41). But of course it's exploitable in traditional way. 
> >  
> > Fix: replace sprintf with snprintf. 
> >  
> > ____________________________________________ 


-- 
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
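An added example of the fix the advisory names (sprintf replaced by snprintf), not Lynx's own code: the 512-byte buffer size is taken from the advisory; the "mailto:%s" format string, the function names and the 'A'-filled test input are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Lynx's code.  The 512-byte buffer comes from the
 * advisory; the "mailto:%s" format and the function names are assumptions. */
#define MAILBUF_SIZE 512

/* Hardened form of the pattern the advisory describes: snprintf never writes
 * past outsize, so an over-long address can only truncate, never overflow.
 * Returns true if the whole string fit, false if it was truncated; a caller
 * should refuse to continue with a truncated address rather than use it. */
bool build_mailto_line(char *out, size_t outsize, const char *addr)
{
    int n = snprintf(out, outsize, "mailto:%s", addr);
    if (n < 0) {                 /* encoding error: leave an empty string */
        if (outsize > 0)
            out[0] = '\0';
        return false;
    }
    return (size_t)n < outsize;  /* n excludes the NUL; n >= outsize means truncated */
}

/* Measures what the original sprintf would have written (snprintf with a
 * NULL destination only counts) and reports whether it exceeds the
 * 512-byte buffer, NUL included.  Usable as a pre-flight check or as a
 * log-and-reject point before any formatting happens. */
bool would_overflow_mailbuf(const char *addr)
{
    int needed = snprintf(NULL, 0, "mailto:%s", addr);
    return needed < 0 || (size_t)needed + 1 > MAILBUF_SIZE;
}

/* Constructed input of the shape the advisory gives: 'len' bytes of 'A'.
 * Returns true when the hardened builder truncates safely (buffer holds
 * exactly 511 characters plus NUL) and the pre-flight check flags the input. */
bool long_address_is_caught(size_t len)
{
    char addr[4096];
    char out[MAILBUF_SIZE];
    if (len >= sizeof addr)
        len = sizeof addr - 1;
    memset(addr, 'A', len);
    addr[len] = '\0';
    bool fit = build_mailto_line(out, sizeof out, addr);
    return !fit && would_overflow_mailbuf(addr) && strlen(out) == MAILBUF_SIZE - 1;
}
```

With "mailto:" taking 7 bytes, 504 'A's is the longest address that still fits; 505 or more is truncated and flagged.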
