Date: Sun, 6 Sep 1998 00:53:24 +0200
From: Michal Zalewski
To: BUGTRAQ@netspace.org
Subject: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

Bugs in lynx 2.8.x (including latest development versions):
-----------------------------------------------------------

Trivial overflows in protocol handlers: ..., ... or ...
Choose your favourite protocol. Beautiful SEGV at 0x41414141.

Also, overflows in finger://, cso://, nntp:// and news:// handlers,
unfortunately not-so-easily exploitable.

1454 bytes is more than perfect for common lynx 2.8.x under Linux. May
vary under other platforms. Not much to say. I reported a similar overflow
in the mailto: protocol months ago. I have no idea why it hasn't been fixed.

Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz

Solution: ehh...

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
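
A defensive check related to the report above, as an added example that is not part of the original post or of lynx: it audits HTML for overlong URLs in the schemes the post names (finger, cso, nntp, news, mailto), for instance in a filtering proxy placed in front of an unpatched browser. The 512-byte cut-off, the attribute list and all function names are assumptions chosen for illustration; the sample markup is constructed.

```python
from html.parser import HTMLParser

# Schemes the post names as having overflowing handlers in lynx 2.8.x.
FLAGGED_SCHEMES = {"finger", "cso", "nntp", "news", "mailto"}

# Assumption: conservative cut-off, well below the 1454 bytes quoted in the post.
MAX_URL_LEN = 512

# Assumption: attributes that can carry a URL a browser may dereference.
URL_ATTRS = {"href", "src", "action"}


class LinkAuditor(HTMLParser):
    """Collects (tag, scheme, url_length) for overlong URLs in flagged schemes."""

    def __init__(self, max_len=MAX_URL_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and unescapes values.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue  # not a URL attribute, or attribute without a value
            url = value.strip()
            scheme = url.split(":", 1)[0].lower() if ":" in url else ""
            if scheme in FLAGGED_SCHEMES and len(url) > self.max_len:
                self.findings.append((tag, scheme, len(url)))


def audit_html(html, max_len=MAX_URL_LEN):
    """Return a list of findings for one HTML document."""
    auditor = LinkAuditor(max_len)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: two overlong flagged URLs, two benign links.
SAMPLE = (
    '<a href="finger://host.example/' + "x" * 2000 + '">one</a>'
    '<a href="NEWS:comp.security.unix">short, allowed</a>'
    '<a href="http://host.example/' + "x" * 2000 + '">scheme not flagged</a>'
    '<img src="nntp://host.example/' + "x" * 600 + '">'
)

if __name__ == "__main__":
    for tag, scheme, length in audit_html(SAMPLE):
        print(f"<{tag}> {scheme}: URL of {length} bytes exceeds {MAX_URL_LEN}")
```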