Bugtraq mailing list archives
Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)
From: posterkid () PSNW COM (brian j. pardy)
Date: Wed, 28 Oct 1998 21:47:53 -0800
Michal Zalewski wrote:
Bugs in lynx 2.8.x (including latest development versions):
-----------------------------------------------------------

Trivial overflows in protocol handlers: <a href="rlogin://(approx. 1454 times 'A')">...</a>, <a href="telnet://(approx. 1454 times 'A')">...</a> or <a href="tn3270://(approx. 1454 times 'A')">...</a>

Choose your favourite protocol. Beautiful SEGV at 0x41414141. Also, overflows in finger://, cso://, nntp:// and news:// handlers, unfortunately not-so-easily exploitable. 1454 bytes is more than perfect for common lynx 2.8.x under Linux. May vary under other platforms.

Not much to say. I reported similar overflow in mailto: protocol months ago. I have no idea why it hasn't been fixed.

Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz

Solution: ehh...
Since you obviously knew of the development versions enough to download and test them for this, my sincere thanks for NOT informing the lynx-dev list of this at all. lynx-dev () sig net is mentioned PROMINENTLY in the lynx documentation.

It's only common courtesy to report these things to the developers before a public list. <sigh>

FWIW, from CHANGES (for 2.8.1rel.2, the most recent version):

1998-05-10 (2.8.1dev.10)
[...]
* fix for buffer-overrun in LYMail.c when processing a
  mailto:very-log-address URL - BL

--
"There is hopeful symbolism in the fact that flags do not wave in a vacuum."
  -- Arthur C. Clarke
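
Added example (not part of the original message and not lynx source code): the class of bug reported above, an unbounded copy of a URL's host part, next to a bounded replacement for the three schemes named in the report. The function names, the 253-byte host limit and the host-only URL form (no user@ or :port) are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_HOST 253  /* assumed limit: longest DNS name in text form */

/* Unsafe pattern (hypothetical): the host part is copied with no bound,
 * so a 1454-byte host from an href overruns any smaller buffer. */
void copy_host_unsafe(char *out, const char *url)
{
    const char *p = strstr(url, "://");
    strcpy(out, p ? p + 3 : url);
}

/* Bounded version: copies a validated host into out.
 * Returns 0 on success, -1 if the URL is rejected. */
int extract_host(const char *url, char *out, size_t outlen)
{
    static const char *const schemes[] = { "rlogin://", "telnet://", "tn3270://" };
    const char *host = NULL;
    size_t i, n;

    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        n = strlen(schemes[i]);
        if (strncmp(url, schemes[i], n) == 0) {
            host = url + n;
            break;
        }
    }
    if (host == NULL)
        return -1;                  /* not one of the three schemes */

    n = strcspn(host, "/");         /* host ends at the first '/' */
    if (n == 0 || n > MAX_HOST || n >= outlen)
        return -1;                  /* empty, oversized, or will not fit */
    if (host[0] == '-')
        return -1;                  /* would parse as an option if handed to a client program */
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)host[i]) && host[i] != '.' && host[i] != '-')
            return -1;              /* hostname characters only */

    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}
```

The length check runs before any byte is written, so an oversized host is rejected rather than truncated.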