COMMAND

    lynx

SYSTEMS AFFECTED

    Systems using lynx 2.8

PROBLEM

    Michal Zalewski found the following remote buffer overflow in the
    lynx built-in mailer, which can be triggered when the victim tries
    to follow a hyperlink.  Lynx makes a blind assumption about the
    e-mail address length and sprintf()s it into a 512-byte buffer.  To
    confirm, view this HTML:

       <a href="mailto:AAAAAAAAA[...about 3 kB...]AAAA">MAIL ME!</a>

    (use over 2 kB of 'A's, because there are also other small buffers
    on lynx's stack at the time).  Why is it dangerous?  Because even if
    you hit Ctrl+C or Ctrl+G to exit the mailer, lynx will execute the
    supplied code when it tries to return from the sendform(...)
    function:

        Comment request cancelled!!!
        Program received signal SIGSEGV, Segmentation fault.
        0x41414141 in ?? ()

        [...]

        Lynx now exiting with signal:  11
        IOT trap/Abort

    In the above case, lynx caused a SEGV trying to execute 0x41414141
    ('A' has code 0x41), but of course it is exploitable in the
    traditional way.  Efrain Torres added the following note.  Lynx does
    not only have this buffer overflow in the send-e-mail MAILTO
    handling; it also segfaults in the options menu when you enter:

        a big E)ditor name,
        D)ISPLAY variable,
        B)ookmark file, or
        P)ersonal mail address.

    This cannot be exploited remotely, but it can be used to execute
    arbitrary commands in a menu-restricted environment.

SOLUTION

    Replace sprintf with snprintf.
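    The fix applied to the pattern described above, as an added example
    that is not lynx's own code: the format string, buffer name and
    function name are assumptions, and the example also shows the check
    that a bare snprintf() swap leaves out, since snprintf() truncates
    silently and its return value is the only way to notice.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_BUF 512   /* same size as the buffer the advisory describes */

/* Hypothetical replacement for the unchecked sprintf() in the mailer.
 * The original bug was, in effect:   sprintf(buf, "To: %s", addr);
 * Returns 1 when the address fits and was copied, 0 when it would have
 * overflowed (snprintf() reports the length it wanted to write, so a
 * value >= outlen means the output was truncated). */
int build_mailto(char *out, size_t outlen, const char *addr)
{
    int n = snprintf(out, outlen, "To: %s", addr);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* truncated: do not hand a partial address on */
        return 0;
    }
    return 1;
}

/* Constructed input: a mailto: target far longer than the buffer,
 * like the oversized hyperlink in the advisory. */
int demo_oversized(void)
{
    char buf[ADDR_BUF];
    char big[3000];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_mailto(buf, sizeof buf, big);   /* 0: rejected, no overflow */
}

/* Constructed input: an ordinary address that fits. */
int demo_normal(void)
{
    char buf[ADDR_BUF];
    return build_mailto(buf, sizeof buf, "user@example.org");   /* 1 */
}

int main(void)
{
    printf("oversized: %d, normal: %d\n", demo_oversized(), demo_normal());
    return 0;
}
```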