lynx-dev have you checked this one ? (fwd)


From: Subir Grewal
Subject: lynx-dev have you checked this one ? (fwd)
Date: Thu, 3 Sep 1998 16:49:00 -0500 (GMT-0500)

I've been in India for a while, and noticed this in my box when I got
back.

---------- Forwarded message ----------
Date: Sun, 14 Jun 1998 20:00:08 +0300
From: sysadmin <address@hidden>
To: address@hidden
Subject: have you checked this one ?

A very important source of bugs is www.rootshell.com

there is an article on you on May 1 98:

enjoy.

> [ http://www.rootshell.com/ ]
> 
> Date:         Sun, 3 May 1998 20:10:25 +0200
> From:         Michal Zalewski <address@hidden>
> Subject:      Lynx's 2.8 buffer overflow
> 
> Hello again,
> 
> I (?) found a remote buffer overflow in lynx's built-in mailer, which can be
> exploited when the victim tries to follow a hyperlink. Lynx makes a blind assumption
> about the e-mail address length, and sprintfs it into a 512-byte-long buffer. To
> ensure, view this html:
> 
> <a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>
> 
> (you should use over 2 kB of 'A's, because there are also other small
> buffers on lynx's stack at the time). Why is it dangerous? Because even if
> you hit Ctrl+C or Ctrl+G to exit the mailer, lynx will execute the given code trying
> to get back from the sendform(...) function:
> 
> Comment request cancelled!!!
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> 
> [...]
> 
> Lynx now exiting with signal:  11
> IOT trap/Abort
> 
> In the above case, lynx caused a SEGV trying to execute 0x41414141 ('A' has
> code 0x41). But of course it's exploitable in the traditional way.
> 
> Fix: replace sprintf with snprintf.
> 
> ____________________________________________
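
The suggested fix, worked through as an added example (not part of the original messages and not Lynx source): snprintf bounds the write, but its return value must still be checked so that an oversized address is rejected rather than silently truncated. The helper names and the "To: %s" format are assumptions; only the 512-byte buffer size comes from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BUF_SIZE 512  /* buffer size taken from the report above */

/* Hypothetical helper, not Lynx source. The reported pattern was
 *     char buf[512]; sprintf(buf, ..., address);
 * with an address of unbounded length taken from a mailto: link. */

/* Returns 0 on success, -1 if the address does not fit or formatting fails.
 * On failure out is emptied so a truncated address is never used. */
int format_mail_header(char *out, size_t out_size, const char *address)
{
    int n;

    if (out == NULL || out_size == 0 || address == NULL)
        return -1;

    /* snprintf writes at most out_size bytes including the NUL and returns
     * the length the full string would have had. */
    n = snprintf(out, out_size, "To: %s", address);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: an address made of len 'A' characters. */
int try_address_of_length(size_t len)
{
    char buf[HDR_BUF_SIZE];
    char *addr = malloc(len + 1);
    int rc;

    if (addr == NULL)
        return -1;
    memset(addr, 'A', len);
    addr[len] = '\0';
    rc = format_mail_header(buf, sizeof buf, addr);
    free(addr);
    return rc;
}

int main(void)
{
    printf("short address: %d\n", try_address_of_length(20));
    printf("3 kB address:  %d\n", try_address_of_length(3072));
    return 0;
}
```

With the 4-character "To: " prefix assumed here, the longest address accepted by the 512-byte buffer is 507 characters.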
