lynx-2.8.x-BOF.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType

packetstorm🔗 packetstormsecurity.com👁 28 Views

Lynx 2.8.x has trivial buffer overflows in several protocol handlers, leading to segmentation faults.

`Date: Sun, 6 Sep 1998 00:53:24 +0200  
From: Michal Zalewski <[email protected]>  
To: [email protected]  
Subject: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)  
  
Bugs in lynx 2.8.x (including latest development versions):  
-----------------------------------------------------------  
  
Trivial overflows in protocol handlers:  
  
<a href="rlogin://(approx. 1454 times 'A')">...</a>,  
<a href="telnet://(approx. 1454 times 'A')">...</a> or  
<a href="tn3270://(approx. 1454 times 'A')">...</a>  
  
Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also,  
overflows in finger://, cso://, nntp:// and news:// handlers,  
unfortunately not-so-easily exploitable. 1454 bytes is more than perfect  
for common lynx 2.8.x under Linux. May vary under other platforms.  
  
Not much to say. I reported similar overflow in mailto: protocol months  
ago. I have no idea why it hasn't been fixed.  
  
Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz  
  
Solution: ehh...  
  
_______________________________________________________________________  
Michal Zalewski [[email protected]] [ENSI / marchew] [dione.ids.pl SYSADM]  
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
`

17 Aug 1999 00:00Current

7.4High risk

Vulners AI Score7.4