SNS Advisory No.32
w3m malformed MIME header Buffer Overflow Vulnerability

Problem first discovered: 25 May 2001
Published: 21 Jun 2001
Last Updated: 21 Jun 2001
_________________________________________________________________

Overview:

w3m, a text file/Web browser similar to lynx, has a buffer overflow vulnerability in the routine that parses MIME headers. If a user retrieves or downloads a malformed Web page with w3m, a malicious Web server administrator may remotely gain the privileges of the user running w3m.

Problem Description:

Like other Web browsers, w3m handles the MIME headers included in the request/response messages of an HTTP session. A buffer overflow occurs when w3m accepts a MIME-encoded header in base64 format whose encoded length exceeds 34 characters. The following are a memory dump and the register contents at the moment the overflow occurs.

MIME header:

=?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=

memory dump:

0xbffff8a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8d0: 0xbf0a4141 0x080e0000 0x00000001 0x080792c3

register:

ESP: 0xbffff8d0
EIP: 0x41414141

If a remote Web administrator (a remote attacker) could embed code in the 0x41 part and control EIP, it would be possible to execute arbitrary code with the privileges of the w3m user.

Tested Version:

w3m 0.2.1

Tested OS:

RedHat 7.0J
Solaris 7 (x86)

Patch Information:

A patch to fix this issue was announced on the w3m developers' mailing list.
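The bound that the overflowing routine lacks, shown as an added example: this hypothetical C decoder for an RFC 2047 B-encoded word derives the worst-case decoded size from the encoded length and rejects the header before writing anything into its fixed buffer. It is not w3m's code or the actual patch; DECODED_MAX, decode_b_word and header_fits are assumed names chosen for illustration.

```c
#include <string.h>

/* Decoded-header capacity: constructed for this example, not w3m's real size. */
#define DECODED_MAX 32

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode one RFC 2047 "B" encoded-word, =?charset?B?<base64>?=, into out
 * (capacity outcap, NUL-terminated). Returns the decoded length, or -1 if the
 * word is malformed or would not fit. The worst-case decoded size is derived
 * from the encoded length and checked before any byte is written, so an
 * overlong header is rejected instead of overrunning the buffer. */
int decode_b_word(const char *word, char *out, size_t outcap)
{
    if (strncmp(word, "=?", 2) != 0) return -1;
    const char *p = strchr(word + 2, '?');                  /* end of charset */
    if (!p || (p[1] != 'B' && p[1] != 'b') || p[2] != '?') return -1;
    const char *data = p + 3, *end = strstr(data, "?=");
    if (!end) return -1;
    size_t enclen = (size_t)(end - data);
    /* 4 base64 chars decode to at most 3 bytes; reserve one byte for the NUL. */
    if (enclen % 4 != 0 || (enclen / 4) * 3 + 1 > outcap) return -1;
    size_t n = 0; unsigned acc = 0; int bits = 0; const char *q;
    for (q = data; q < end && *q != '='; q++) {
        int v = b64val((unsigned char)*q);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (char)((acc >> bits) & 0xffu); }
    }
    for (; q < end; q++) if (*q != '=') return -1;       /* only padding may follow */
    out[n] = '\0';
    return (int)n;
}

/* Does this header decode safely into a DECODED_MAX-byte buffer? 1 = yes, 0 = no. */
int header_fits(const char *hdr)
{
    char buf[DECODED_MAX];
    return decode_b_word(hdr, buf, sizeof buf) >= 0;
}
```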
A patch to fix this issue [Archive number 2066]:
[7]http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2066.html

A recommendation to clean up #2066:
[8]http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2067.html

Discovered by:

OGASAWARA Satoshi (LAC / [9]s.ogaswr@lac.co.jp)
KOBAYASHI Shigehiro (LAC / [10]sigehiro@lac.co.jp)

Disclaimer:

All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risks or occurrences caused by applying this information.
_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation

References

7. http://mi.med.tohoku.ac.jp/%7Esatodai/w3m-dev/200106.month/2066.html
8. http://mi.med.tohoku.ac.jp/%7Esatodai/w3m-dev/200106.month/2067.html
9. mailto:s.ogaswr@lac.co.jp
10. mailto:sigehiro@lac.co.jp