Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)
From: posterkid () PSNW COM (brian j. pardy)
Date: Wed, 28 Oct 1998 21:47:53 -0800


Michal Zalewski wrote:
Bugs in lynx 2.8.x (including latest development versions):
-----------------------------------------------------------

Trivial overflows in protocol handlers:

<a href="rlogin://(approx. 1454 times 'A')">...</a>,
<a href="telnet://(approx. 1454 times 'A')">...</a> or
<a href="tn3270://(approx. 1454 times 'A')">...</a>

Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,
overflows in finger://, cso://, nntp:// and news:// handlers,
unfortunately not-so-easily exploitable. 1454 bytes is more than perfect
for common lynx 2.8.x under Linux. May vary under other platforms.

Not much to say. I reported similar overflow in mailto: protocol months
ago. I have no idea why it hasn't been fixed.

Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz

Solution: ehh...

Since you obviously knew of the development versions enough to download
and test them for this, my sincere thanks for NOT informing the lynx-dev
list of this at all.

lynx-dev () sig net is mentioned PROMINENTLY in the lynx documentation.

It's only common courtesy to report these things to the developers before
a public list.

<sigh>

FWIW, from CHANGES (for 2.8.1rel.2, the most recent version):

1998-05-10 (2.8.1dev.10)
[...]
* fix for buffer-overrun in LYMail.c when processing a mailto:very-log-address
  URL - BL

--
"There is hopeful symbolism in the fact that flags do not wave in a
vacuum."
                -- Arthur C. Clarke



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]