COMMAND

    w3m

SYSTEMS AFFECTED

    w3m 0.2.1

PROBLEM

    Following is based on a SNS Advisory No.32.  w3m, a text  file/Web
    browser  which  is  similar  to   lynx,  has  a  buffer   overflow
    vulnerability  in  a  routine  to  parse  MIME  header.  If a user
    retrieves/downloads a  malformed Web  page with  w3m, a  malicious
    Web server administrator may gain an escalated privilege from  the
    w3m user, which is run by w3m remotely.

    w3m handles MIME header  included in the request/response  massage
    within  the  HTTP  session  like  other  web  browsers.   A buffer
    overflow will  be occuerred  when w3m  accept MIME  encoded header
    with a base 64 format.  The length of encoded header must be  over
    34 characters.   The following are  a memory dump  and contents of
    register when a buffer overflow is occurred.

        MIME header:
          =?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=
        
        memory dump:
        0xbffff8a0: 0x41414141 0x41414141 0x41414141 0x41414141
        0xbffff8b0: 0x41414141 0x41414141 0x41414141 0x41414141
        0xbffff8c0: 0x41414141 0x41414141 0x41414141 0x41414141
        0xbffff8d0: 0xbf0a4141 0x080e0000 0x00000001 0x080792c3
        
        register:
        ESP:          0xbffff8d0
        EIP:          0x41414141

    If  a  remote  Web  administrator  (a remote attacker) could embed
    codes in  the 0x41  part and  control the  EIP, it  is possible to
    execute arbitrary codes in the privilege of w3m user.

    Discovered by Ogasawara Satoshi and Kobayashi Shigehiro.

SOLUTION

    A patch to fix this issue is announced from a developer's  mailing
    list of w3m.  A patch to fix this issue[Archive number 2066:

        http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2066.html

    A recommendation to clean up #2066:

        http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2067.html

    Some information in English is available here:

        http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/536.html
        http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html