Lynx's 2.8 buffer overflow
From: lcamtuf () boss staszic waw pl (Michal Zalewski)
Date: Sun, 3 May 1998 20:10:25 +0200
I (?) found a remote buffer overflow in Lynx's built-in mailer, which can be
exploited when the victim tries to follow a hyperlink. Lynx makes a blind
assumption about e-mail address length, and sprintfs it into a 512-byte
buffer. To confirm, view this HTML:
<a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>
(you should use over 2 kB of 'A's, because there are also other small
buffers on Lynx's stack at the time). Why is it dangerous? Because even if
you hit Ctrl+C or Ctrl+G to exit the mailer, Lynx will execute the given code
while trying to return from the sendform(...) function:
Comment request cancelled!!!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Lynx now exiting with signal: 11
In the above case, Lynx caused a SEGV trying to execute 0x41414141 ('A' has
code 0x41). But of course it's exploitable in the traditional way.
Fix: replace sprintf with snprintf.
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
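The post names the defect (an unchecked sprintf into a 512-byte stack buffer) and the fix (snprintf). The following C program is an added illustration, not Lynx's code: it reconstructs the general pattern with hypothetical helper names (build_header_unsafe, build_header_safe, mailto_fits, address_of_length_fits) and a constructed "To:" header format, and shows how a bounded snprintf whose return value is checked turns a silent stack overwrite into a refused, detectable truncation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BUF 512   /* buffer size named in the post */

/* Hypothetical reconstruction of the vulnerable pattern: the address length is
   never checked, so a long address runs past the end of the 512-byte buffer.
   Only ever called with a short address here; with a long one it is undefined. */
static size_t build_header_unsafe(const char *address)
{
    char buf[HDR_BUF];
    sprintf(buf, "To: %s\n", address);   /* unbounded write into buf */
    return strlen(buf);
}

/* Hardened form: snprintf never writes more than out_size bytes, and its return
   value tells us how much it wanted to write, so truncation can be detected and
   rejected instead of corrupting the stack. Returns header length, or -1. */
static int build_header_safe(char *out, size_t out_size, const char *address)
{
    int needed = snprintf(out, out_size, "To: %s\n", address);
    if (needed < 0)
        return -1;                       /* encoding error */
    if ((size_t)needed >= out_size) {    /* would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return needed;
}

/* 1 if the address fits a 512-byte header when built safely, else 0. */
int mailto_fits(const char *address)
{
    char hdr[HDR_BUF];
    return build_header_safe(hdr, sizeof hdr, address) >= 0;
}

/* Builds a constructed address of n 'A' characters (like the post's test page)
   and reports whether it fits. "To: " + address + "\n" needs n + 5 bytes,
   so anything longer than 506 characters is refused. */
int address_of_length_fits(size_t n)
{
    char *addr = malloc(n + 1);
    if (!addr)
        return -1;
    memset(addr, 'A', n);
    addr[n] = '\0';
    int fits = mailto_fits(addr);
    free(addr);
    return fits;
}

int main(void)
{
    const char *ok = "someone@example.org";   /* constructed sample address */
    printf("unsafe builder, short address: %zu bytes\n", build_header_unsafe(ok));
    printf("short address fits safely: %d\n", mailto_fits(ok));
    printf("3 kB address fits safely:  %d\n", address_of_length_fits(3000));
    return 0;
}
```

The check on snprintf's return value is the part that matters: replacing sprintf with snprintf alone stops the overflow, but without the check a too-long address is silently cut off, which can produce a malformed header rather than a clear refusal.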