lynx-dev

lynx-dev fwd and fix: Lynx's 2.8 buffer overflow


From: Bela Lubkin
Subject: lynx-dev fwd and fix: Lynx's 2.8 buffer overflow
Date: Wed, 6 May 1998 02:34:12 -0700

Attachments: (1) fix (as uuencoded, gzip'd, gdiff -c output); (2) HTML
file which can be used to (coarsely) test the fix; (3) mail from the
bugtraq mailing list which provoked the fix.

Summary of problem: following a mailto:very-long-address URL causes a
buffer overrun, leading to a Lynx crash or possibly worse consequences.

Summary of solution: replace sprintf() calls with safer alternatives,
generally StrAllocCopy() and StrAllocCat().  (The original poster
suggested snprintf(), but Lynx runs on systems which do not have it.)

This patch contains changes to DOSPATH and VMS code which I could not
test.  I believe it to be correct, but it should be verified by DOS and
VMS users.

The patch is against Lynx 2.8.1dev.9.

>Bela<

=============================================================================

begin 600 LYMail.dif.gz
[uuencoded, gzip'd patch: the encoded body is not reproduced here because the archive's address obfuscation has overwritten runs of it with "address@hidden", leaving it undecodable]
end

=============================================================================

begin 600 mailtoolong.html.gz
[uuencoded, gzip'd test HTML: the encoded body is not reproduced here because the archive's address obfuscation has overwritten runs of it with "address@hidden", leaving it undecodable]
end

=============================================================================

--- Forwarded mail from Michal Zalewski <address@hidden>

Approved-By: address@hidden
X-Sender: address@hidden
X-Hate: Where do you want to go to die?
Message-ID: <address@hidden>
Date:   Sun, 3 May 1998 20:10:25 +0200
Reply-To: Michal Zalewski <address@hidden>
Sender: Bugtraq List <address@hidden>
From:   Michal Zalewski <address@hidden>
Subject:      Lynx's 2.8 buffer overflow
To:     address@hidden

Hello again,

I (?) found a remote buffer overflow in Lynx's built-in mailer, which can be
exploited when the victim tries to follow a hyperlink. Lynx makes a blind
assumption about e-mail address length, and sprintfs it into a 512-byte
buffer. To verify, view this HTML:

<a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>

(you should use over 2 kB of 'A's, because there are also other small
buffers on Lynx's stack at the time). Why is it dangerous? Because even if
you hit Ctrl+C or Ctrl+G to exit the mailer, Lynx will execute the given code
when trying to return from the sendform(...) function:

Comment request cancelled!!!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

[...]

Lynx now exiting with signal:  11
IOT trap/Abort

In the above case, Lynx caused a SEGV trying to execute 0x41414141 ('A' has
code 0x41). But of course it's exploitable in the traditional way.

Fix: replace sprintf with snprintf.

_______________________________________________________________________
Michal Zalewski address@hidden <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

--- End of forwarded message from Michal Zalewski <address@hidden>
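An added example, not Lynx's code and not the patch attached above: it puts the fixed-buffer sprintf() pattern Zalewski describes next to the dynamic-string replacement Bela's summary names. str_alloc_copy()/str_alloc_cat() are stand-ins with assumed semantics for Lynx's StrAllocCopy()/StrAllocCat(), the mailer string is assumed, and the 3000-'A' address is constructed to match the report's test HTML. Rather than overrunning anything, the unsafe pattern is modelled by a check that reports whether sprintf() into the 512-byte buffer would overflow, using strlen() arithmetic only (no snprintf(), for the reason Bela gives).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAILER_BUF 512                  /* the 512-byte buffer size from the report */
#define MAILER "/usr/lib/sendmail -t"   /* assumed mailer command, not Lynx's */

/* Stand-ins for Lynx's StrAllocCopy()/StrAllocCat() (assumed semantics,
 * not the real Lynx macros): *dest is replaced by, or extended with, a
 * heap copy that is always large enough for the data. */
static void str_alloc_copy(char **dest, const char *src)
{
    size_t n = strlen(src) + 1;
    char *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    memcpy(p, src, n);
    free(*dest);
    *dest = p;
}

static void str_alloc_cat(char **dest, const char *src)
{
    if (*dest == NULL) { str_alloc_copy(dest, src); return; }
    size_t old = strlen(*dest), add = strlen(src);
    char *p = realloc(*dest, old + add + 1);
    if (p == NULL) { perror("realloc"); exit(EXIT_FAILURE); }
    memcpy(p + old, src, add + 1);
    *dest = p;
}

/* The unsafe pattern is sprintf(buf, "%s %s", mailer, addr) with
 * char buf[MAILER_BUF].  Instead of doing that, report whether it would
 * overflow: bytes needed are mailer + space + addr + NUL. */
int sprintf_would_overflow(const char *mailer, const char *addr)
{
    size_t needed = strlen(mailer) + 1 + strlen(addr) + 1;
    return needed > MAILER_BUF;
}

/* The fixed pattern: build the command with growing heap strings, so the
 * address length is bounded only by memory.  Caller frees the result. */
char *build_mailer_cmd(const char *mailer, const char *addr)
{
    char *cmd = NULL;
    str_alloc_copy(&cmd, mailer);
    str_alloc_cat(&cmd, " ");
    str_alloc_cat(&cmd, addr);
    return cmd;
}

/* Constructed input: an address of n 'A's, like the report's test link. */
char *make_long_address(size_t n)
{
    char *a = malloc(n + 1);
    if (a == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    memset(a, 'A', n);
    a[n] = '\0';
    return a;
}

/* Would an n-'A' address overrun the fixed buffer with the assumed mailer? */
int long_address_overflows(size_t n)
{
    char *addr = make_long_address(n);
    int r = sprintf_would_overflow(MAILER, addr);
    free(addr);
    return r;
}

/* Length of the command the dynamic version builds for an n-'A' address. */
size_t long_address_cmd_len(size_t n)
{
    char *addr = make_long_address(n);
    char *cmd = build_mailer_cmd(MAILER, addr);
    size_t len = strlen(cmd);
    free(cmd);
    free(addr);
    return len;
}

int main(void)
{
    printf("3000-byte address overruns the 512-byte buffer: %s\n",
           long_address_overflows(3000) ? "yes" : "no");
    printf("first overflowing address length: %d\n",
           MAILER_BUF - (int)strlen(MAILER) - 1);
    printf("dynamic command length for 3000-byte address: %zu\n",
           long_address_cmd_len(3000));
    return 0;
}
```

With the assumed 20-character mailer string, the boundary falls at a 491-byte address (20 + 1 + 491 + 1 = 513 bytes), which is why the report's advice to use well over 2 kB of 'A's is ample; the dynamic builder handles the 3000-byte case with a 3021-character command and no fixed limit.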
