lynx-2.8.x-BOF.txt

1999-08-17T00:00:00
ID PACKETSTORM:15204
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Sun, 6 Sep 1998 00:53:24 +0200  
From: Michal Zalewski <lcamtuf@IDS.PL>  
To: BUGTRAQ@netspace.org  
Subject: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)  
  
Bugs in lynx 2.8.x (including latest development versions):  
-----------------------------------------------------------  
  
Trivial overflows in protocol handlers:  
  
<a href="rlogin://(approx. 1454 times 'A')">...</a>,  
<a href="telnet://(approx. 1454 times 'A')">...</a> or  
<a href="tn3270://(approx. 1454 times 'A')">...</a>  
  
Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,  
overflows in finger://, cso://, nntp:// and news:// handlers,  
unfortunately not-so-easily exploitable. 1454 bytes is more than perfect  
for common lynx 2.8.x under Linux. May vary under other platforms.  
  
Not much to say. I reported similar overflow in mailto: protocol months  
ago. I have no idea why it hasn't been fixed.  
  
Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz  
  
Solution: ehh...  
  
_______________________________________________________________________  
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]  
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
`
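As an added illustration (not part of the Bugtraq post and not lynx's source), the unchecked-copy pattern behind a scheme-handler overflow of the kind described above, beside a bounds-checked version that refuses over-long hosts; `HOST_MAX`, `after_scheme`, `parse_host` and `rejects_long_host` are hypothetical names, and the 64-byte buffer is a made-up size chosen so the check is easy to exercise:

```c
/* Added illustration, not lynx's code: a scheme handler that copies the host
 * part of "telnet://host" into a fixed stack buffer, first in the unchecked
 * form the post describes, then bounds-checked. HOST_MAX is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define HOST_MAX 64

/* Returns the text after "scheme://", or NULL if the URL uses another scheme. */
static const char *after_scheme(const char *url, const char *scheme)
{
    size_t n = strlen(scheme);
    if (strncmp(url, scheme, n) != 0 || strncmp(url + n, "://", 3) != 0)
        return NULL;
    return url + n + 3;
}

/* Unsafe pattern: strcpy() with no length check. A host longer than HOST_MAX
 * runs past `host` into the saved registers and return address, which is why
 * a URL of ~1454 'A's shows up as a SEGV at 0x41414141. */
void connect_unchecked(const char *url)
{
    char host[HOST_MAX];
    const char *h = after_scheme(url, "telnet");
    if (h == NULL) return;
    strcpy(host, h);                 /* overflow when strlen(h) >= HOST_MAX */
    printf("connecting to %s\n", host);
}

/* Hardened: measure the host first, refuse anything that does not fit (no
 * silent truncation), copy with an explicit bound, always NUL-terminate. */
bool parse_host(const char *url, const char *scheme, char *host, size_t cap)
{
    const char *h = after_scheme(url, scheme);
    if (h == NULL) return false;
    size_t n = strcspn(h, ":/");     /* host ends at the port or the path */
    if (n == 0 || n >= cap) return false;
    memcpy(host, h, n);
    host[n] = '\0';
    return true;
}

/* Self-check: build "scheme://" + n repeated 'A's and ask whether parse_host
 * refuses it (constructed input, mirroring the post's test URLs). */
bool rejects_long_host(const char *scheme, size_t n)
{
    char url[2048], host[HOST_MAX];
    size_t p = strlen(scheme);
    if (p + 3 + n >= sizeof url) return false;
    memcpy(url, scheme, p); memcpy(url + p, "://", 3);
    memset(url + p + 3, 'A', n);
    url[p + 3 + n] = '\0';
    return !parse_host(url, scheme, host, sizeof host);
}
```

The same length check belongs in every handler the post lists (rlogin, telnet, tn3270, finger, cso, nntp, news, mailto), since each takes its host or target from attacker-controlled URL text.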