a mailto: URL with a long email address causes lynx 2.8 to crash and can cause it to execute arbitrary code
Michal Zalewski <email@example.com>
Remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells.
Those running lynx 2.8 and probably earlier.
3 May 1998
Date: Sun, 3 May 1998 20:10:25 +0200
From: Michal Zalewski <firstname.lastname@example.org>
Subject: Lynx's 2.8 buffer overflow
I (?) found a remote buffer overflow in lynx's built-in mailer, which can be
exploited when the victim tries to follow a hyperlink. Lynx makes a blind
assumption about the e-mail address length, and sprintfs it into a 512-byte
buffer. To verify, view this html:
<a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>
(you should use over 2 kB of 'A's, because there are also other small
buffers on lynx's stack at the time). Why is it dangerous? Because even if
you hit Ctrl+C or Ctrl+G to exit the mailer, lynx will execute the given code
when trying to return from the sendform(...) function:
Comment request cancelled!!!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Lynx now exiting with signal: 11
In the above case, lynx caused a SEGV trying to execute 0x41414141 ('A' has
code 0x41). But of course it's exploitable in the traditional way.
Fix: replace sprintf with snprintf.
Michal Zalewski [email@example.com] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
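The bug class the advisory describes, as an added illustration that is not lynx's source: an unbounded sprintf of a URL-supplied address into a fixed 512-byte buffer, beside the snprintf replacement the author recommends, extended with a return-value check so an over-long address is refused rather than silently truncated. The "mail %s" format, the buffer name and the helper try_address_of_length are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF 512   /* size of the stack buffer the advisory describes */

/* Vulnerable pattern (illustrative, not lynx's actual source): the address
 * taken from the mailto: URL is sprintf'd into a fixed 512-byte buffer.
 * Nothing checks the address length, so a longer address writes past the
 * end of cmd. Kept only for contrast; never called below. */
void build_cmd_unsafe(char *cmd, const char *address)
{
    sprintf(cmd, "mail %s", address);
}

/* Hardened version: snprintf bounds the write, and its return value is
 * checked so an over-long address is refused outright instead of being
 * silently truncated into a different command line.
 * Returns the number of characters written, or -1 if it would not fit. */
int build_cmd_safe(char *cmd, size_t cmdlen, const char *address)
{
    int n = snprintf(cmd, cmdlen, "mail %s", address);
    if (n < 0 || (size_t)n >= cmdlen) {
        cmd[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed input mirroring the advisory's test page: an address made of
 * `len` 'A' characters. Returns what build_cmd_safe returns for it. */
int try_address_of_length(size_t len)
{
    static char address[4096];
    char cmd[CMD_BUF];

    if (len >= sizeof address)
        len = sizeof address - 1;
    memset(address, 'A', len);
    address[len] = '\0';
    return build_cmd_safe(cmd, sizeof cmd, address);
}

int main(void)
{
    /* A normal-length address fits; the advisory's ~3 kB one is rejected. */
    printf("16 chars   -> %d\n", try_address_of_length(16));
    printf("3000 chars -> %d\n", try_address_of_length(3000));
    return 0;
}
```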