COMMAND
w3m
SYSTEMS AFFECTED
w3m 0.2.1
PROBLEM
The following is based on SNS Advisory No.32. w3m, a text file/Web
browser similar to lynx, has a buffer overflow vulnerability in the
routine that parses MIME headers. If a user retrieves or downloads a
malformed Web page with w3m, a malicious Web server administrator may
remotely obtain the privileges of the user running w3m.
w3m handles the MIME headers included in the request/response messages
of an HTTP session, like other Web browsers. A buffer overflow occurs
when w3m accepts a MIME-encoded header in base64 format and the
encoded header is longer than 34 characters. The following are a
memory dump and the register contents at the point where the buffer
overflow occurs.
MIME header:
=?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=
memory dump:
0xbffff8a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8d0: 0xbf0a4141 0x080e0000 0x00000001 0x080792c3
register:
ESP: 0xbffff8d0
EIP: 0x41414141
If a remote Web administrator (a remote attacker) could embed code in
the 0x41 part and control EIP, it would be possible to execute
arbitrary code with the privileges of the w3m user.
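The defect described above is a decoder that copies the decoded MIME
header into a fixed-size buffer without checking its length, so a
sufficiently long encoded word overwrites the saved return address
(EIP becomes 0x41414141 in the dump). The following is an added
illustration, not w3m's code and not the patch from the mailing list:
a bounded base64 decoder for RFC 2047 encoded words ("=?charset?B?...?=",
an assumed format, since the advisory abbreviates the header) that
rejects encoded text longer than the advisory's 34-character threshold
before touching the buffer, and that refuses to write past the
destination capacity even if the length check were bypassed. The
34-byte destination capacity and the sample header lines are
constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not w3m's code. Assumes RFC 2047 encoded-word syntax
 * "=?charset?B?<base64 text>?=" and uses the advisory's threshold (encoded
 * text longer than 34 characters) as the reject limit. DECODED_CAP is an
 * assumed destination size for the example. */
#define ENCODED_LIMIT 34
#define DECODED_CAP   34

enum { HDR_PLAIN = 0, HDR_DECODED = 1, HDR_OVERLONG = 2, HDR_MALFORMED = 3 };

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode n base64 characters into out, never writing past cap bytes.
 * Returns bytes written, or -1 on bad input or when the next byte would
 * not fit: this bound is exactly what the vulnerable routine lacked. */
int b64_decode_bounded(const char *in, size_t n, unsigned char *out, size_t cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '=') break;             /* padding: no more data bits */
        int v = b64val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (w >= cap) return -1;         /* refuse instead of overflowing */
            out[w++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)w;
}

/* Locate the base64 text of the first "=?charset?B?...?=" encoded word in a
 * header line. Returns 1 and sets *text/*len on success, 0 otherwise. */
static int find_encoded_word(const char *hdr, const char **text, size_t *len)
{
    const char *s = strstr(hdr, "=?");
    if (!s) return 0;
    const char *q = strchr(s + 2, '?');      /* end of the charset field */
    if (!q || (q[1] != 'B' && q[1] != 'b') || q[2] != '?') return 0;
    const char *end = strstr(q + 3, "?=");
    if (!end) return 0;
    *text = q + 3;
    *len = (size_t)(end - (q + 3));
    return 1;
}

/* Classify one header line; when it is safe, decode into out[cap]. */
int scan_header(const char *hdr, unsigned char *out, size_t cap, int *decoded_len)
{
    const char *text;
    size_t len;
    *decoded_len = 0;
    if (!find_encoded_word(hdr, &text, &len)) return HDR_PLAIN;
    if (len > ENCODED_LIMIT) return HDR_OVERLONG;   /* length check before any copy */
    int n = b64_decode_bounded(text, len, out, cap);
    if (n < 0) return HDR_MALFORMED;
    *decoded_len = n;
    return HDR_DECODED;
}

/* Wrappers returning plain values so results can be checked directly. */
int classify(const char *hdr)
{
    unsigned char buf[DECODED_CAP];
    int n;
    return scan_header(hdr, buf, sizeof buf, &n);
}

int decoded_equals(const char *hdr, const char *expected)
{
    unsigned char buf[DECODED_CAP];
    int n;
    if (scan_header(hdr, buf, sizeof buf, &n) != HDR_DECODED) return 0;
    return (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int decode_len_with_cap(const char *text, size_t cap)   /* cap limited to 64 */
{
    unsigned char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return b64_decode_bounded(text, strlen(text), buf, cap);
}

/* Constructed sample header lines (not captured traffic); the third carries
 * 50 'A' characters, mirroring the advisory's dump. */
static const char *SAMPLES[] = {
    "Content-Type: text/html",
    "Subject: =?ISO-2022-JP?B?SGVsbG8=?=",
    "Subject: =?US-ASCII?B?" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "?=",
};
static const char *LABELS[] = { "plain", "decoded", "overlong", "malformed" };

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        unsigned char buf[DECODED_CAP];
        int n;
        int r = scan_header(SAMPLES[i], buf, sizeof buf, &n);
        printf("%-9s (%2d bytes) <- %s\n", LABELS[r], n, SAMPLES[i]);
    }
    return 0;
}
```

Two independent checks are deliberate: the length test on the encoded text
stops the advisory's 50-character case before decoding, and the capacity
test inside the decoder means that even an over-long word that slips past
the first check can only produce a refusal, never a write beyond the
buffer. The same classification can be run over response headers in a
proxy or log pipeline to flag over-long encoded words from a server.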
Discovered by Ogasawara Satoshi and Kobayashi Shigehiro.
SOLUTION
A patch to fix this issue was announced on the w3m developers' mailing
list. The patch (archive number 2066):
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2066.html
A recommendation to clean up #2066:
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2067.html
Some information in English is available here:
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/536.html
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html