Lynx's 2.8 buffer overflow

From: Michal Zalewski (lcamtufat_private)
Date: Sun May 03 1998 - 11:10:25 PDT

    Hello again,
    
    I (?) found a remote buffer overflow in lynx's built-in mailer, which can be
    exploited when the victim tries to follow a hyperlink. Lynx makes a blind
    assumption about e-mail address length, and sprintfs it into a 512-byte
    buffer. To confirm, view this HTML:
    
    <a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>
    
    (you should use over 2 kB of 'A's, because there are also other small
    buffers on lynx's stack at the time). Why is it dangerous? Because even if
    you hit Ctrl+C or Ctrl+G to exit the mailer, lynx will execute the given code
    when trying to return from the sendform(...) function:
    
    Comment request cancelled!!!
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    
    [...]
    
    Lynx now exiting with signal:  11
    IOT trap/Abort
    
    In the above case, lynx caused a SEGV trying to execute 0x41414141 ('A' has
    code 0x41). But of course it's exploitable in the traditional way.
    
    Fix: replace sprintf with snprintf.
    
    _______________________________________________________________________
    Michal Zalewski [lcamtufat_private] <= finger for pub PGP key
    To iterate is human, to recurse, divine [P. Deutsch]
    [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
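    The fix the post names (sprintf to snprintf), as an added example that is not lynx's code: a constructed 512-byte header buffer and a bounded writer that also checks snprintf's return value, since snprintf truncates silently and an overlong address should be refused rather than sent truncated. The buffer layout, the "To:" header format and the function names are assumptions, not taken from lynx.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not lynx's code: a 512-byte buffer like the one the
 * post describes, filled from an attacker-controlled mailto: address. */
#define MAIL_BUF_LEN 512

/* Hardened form of the pattern: snprintf bounds the write, and its return
 * value says whether the address was longer than the buffer allows.
 * Returns 0 on success, -1 if the result would not fit; the caller should
 * refuse the address rather than send a silently truncated one. */
int build_mail_header(char *buf, size_t buflen, const char *address)
{
    int n = snprintf(buf, buflen, "To: %s\n", address);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';   /* sprintf would have written past buf here */
        return -1;
    }
    return 0;
}

/* 512-byte stack buffer mirroring the post's description; returns the
 * header length, or -1 when the address was rejected. */
int try_mailto(const char *address)
{
    char buf[MAIL_BUF_LEN];
    if (build_mail_header(buf, sizeof buf, address) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Build an address of addrlen 'A's (like the post's test page, up to 3000)
 * and run it through try_mailto. */
int try_mailto_len(size_t addrlen)
{
    static char addr[3001];
    if (addrlen > 3000) return -1;
    memset(addr, 'A', addrlen);
    addr[addrlen] = '\0';
    return try_mailto(addr);
}

int main(void)
{
    printf("16-byte address: %d\n", try_mailto("user@example.org"));
    printf("506 A's: %d, 507 A's: %d, 3000 A's: %d\n",
           try_mailto_len(506), try_mailto_len(507), try_mailto_len(3000));
    return 0;
}
```

The boundary matters: 506 'A's plus "To: " and the newline is 511 bytes and fits, 507 would need all 512 bytes plus the terminator and is rejected, where sprintf would have kept writing.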
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:08 PDT