Heap overflow when parsing malformed URLs

Bug #613254 reported by Dan Rosenberg
Affects: lynx-cur (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: lynx-cur

Lynx is vulnerable to a heap overflow when parsing malformed URLs. When Lynx attempts to URL decode hostnames using the convert_to_idna() function in WWW/Library/Implementation/HTParse.c, it malloc()s a destination buffer based on the size of the hostname. However, if a malicious website were to provide a link containing a hostname that included a % character in the last two characters, the parsing code will increment past the null byte of the hostname and continue to copy attacker-controlled contents into the too-small heap buffer. Since this is a heap overflow with attacker-controlled contents and length, with very few character restrictions, this may lead to arbitrary code execution (and winning pwn2own if it were held in 1993).

The attached reproducer causes a crash on my 32-bit Lucid system. It's not entirely reliable, because the stack layout determines whether enough characters are overflowed to trigger glibc's heap checking. I've also attached a fix for the issue, which I've tested and confirmed resolves the vulnerability.

Tags: patch

Dan Rosenberg (dan-j-rosenberg) wrote :

Dan Rosenberg (dan-j-rosenberg) wrote :

Kees Cook (kees) wrote :

It seems to be a clear problem, but I'm unable to reproduce the crash.

Dan Rosenberg (dan-j-rosenberg) wrote :

Maybe this one will work better.

visibility: private → public
Dan Rosenberg (dan-j-rosenberg) wrote :

jduck rightly noticed that my previous fix would break certain functionality (like %0a in URLs), since ASCII '0' also returns 0 from hex_decode(). This new patch is better, and is thanks to him.
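The bug description and the comment above between them name the two properties a percent-decoder for hostnames has to have: it must not read past the terminating NUL when a '%' sits in the last two characters (so the output can never exceed the input-sized buffer), and its hex helper must distinguish a genuine decoded 0 (the '0' in %0a) from a non-hex character. The following is an added example written for this page, not Lynx's convert_to_idna() or hex_decode(); the names percent_decode() and hex_value() and the refusal of encoded NUL bytes are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Lynx's hex_decode()): returns 0..15 for a hex
 * digit, or -1 for anything else, so that a decoded value of 0 (the digit
 * '0') is never confused with "not a hex digit". */
static int hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into a freshly malloc()ed buffer and return it
 * (NULL on allocation failure or if an encoded NUL byte is present).
 * Decoding never lengthens a string, so strlen(src) + 1 bytes always
 * suffice, and the loop only consumes bytes that are actually present:
 * a '%' is treated as an escape only when two hex digits follow it
 * before the terminating NUL; otherwise it is copied literally. */
char *percent_decode(const char *src)
{
    size_t len = strlen(src);
    char *dst = malloc(len + 1);
    if (dst == NULL) return NULL;

    size_t i = 0, j = 0;
    while (i < len) {
        /* i + 2 < len guarantees src[i+1] and src[i+2] are real input
         * bytes, not the NUL or whatever lies beyond it. */
        if (src[i] == '%' && i + 2 < len) {
            int hi = hex_value((unsigned char)src[i + 1]);
            int lo = hex_value((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                int value = hi * 16 + lo;
                if (value == 0) {
                    /* Assumption of this example: an encoded NUL cannot be
                     * part of a hostname; refuse rather than truncate. */
                    free(dst);
                    return NULL;
                }
                dst[j++] = (char)value;
                i += 3;
                continue;
            }
        }
        dst[j++] = src[i++];
    }
    dst[j] = '\0';
    return dst;
}

int main(void)
{
    /* Constructed sample inputs, including the trailing-'%' cases. */
    const char *samples[] = { "example%2ecom", "a%0ab", "host%4", "host%", "%zz" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char *out = percent_decode(samples[k]);
        printf("%-14s -> %s\n", samples[k], out ? out : "(rejected)");
        free(out);
    }
    return 0;
}
```

The length check is done once, against strlen(), before any hex digit is read, which is what keeps the copy inside the malloc()ed buffer regardless of where a '%' appears; the signed return value of hex_value() is what lets %0a decode to a newline instead of being misread as an invalid escape.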

Henri Salo (henri-nerv) wrote :

Please use CVE-2010-2810 for this issue.

tags: added: patch
Changed in lynx-cur (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

This was fixed in 2.8.8dev.7-1.

Changed in lynx-cur (Ubuntu):
status: Triaged → Fix Released