Overflow in lynx processing of mailto: URLs

Description:a mailto: URL with a long email address causes lynx 2.8 to crashh and can cause it to execute arbitrary code
Author:Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Compromise:remote pages can cause commands to be executed on the lynx user's machine. This can also be used to break out of restricted lynx shells.
Vulnerable Systems:Those running lynx 2.8 and probably earlier.
Date:3 May 1998

Date: Sun, 3 May 1998 20:10:25 +0200
From: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Subject: Lynx's 2.8 buffer overflow

Hello again,

I (?) found remote buffer overflow in lynx built-in mailer, which can be
exploited when victim tries to follow hyperlink. Lynx makes blind
assumption on e-mail address length, and sprintfs it into 512-bytes long
buffer. To ensure, view this html:

<a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>

(you should use over 2 kB of 'A's, because there are also other small
buffers on lynx's stack at the time). Why it's dangerous? Because even if
you hit Ctrl+C or Ctrl+G to exit mailer, lynx will execute given code
trying to back from sendform(...) function:

Comment request cancelled!!!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()


Lynx now exiting with signal:  11
IOT trap/Abort

In above case, lynx caused SEGV trying to execute 0x41414141 ('A' has
code 0x41). But of course it's exploitable in traditional way.

Fix: replace sprintf with snprintf.

Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: