Overflow in lynx processing of mailto: URLs

Date: Sun, 3 May 1998 20:10:25 +0200
From: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
To: BUGTRAQ@NETSPACE.ORG
Subject: Lynx's 2.8 buffer overflow

Hello again,

I (?) found remote buffer overflow in lynx built-in mailer, which can be
exploited when victim tries to follow hyperlink. Lynx makes blind
assumption on e-mail address length, and sprintfs it into 512-bytes long
buffer. To ensure, view this html:

<a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>

(you should use over 2 kB of 'A's, because there are also other small
buffers on lynx's stack at the time). Why it's dangerous? Because even if
you hit Ctrl+C or Ctrl+G to exit mailer, lynx will execute given code
trying to back from sendform(...) function:

Comment request cancelled!!!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

[...]

Lynx now exiting with signal:  11
IOT trap/Abort

In above case, lynx caused SEGV trying to execute 0x41414141 ('A' has
code 0x41). But of course it's exploitable in traditional way.

Fix: replace sprintf with snprintf.

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]