Subject: Re: (fwd) lynx - someone is deaf and blind ;)
To: None <tech-pkg@netbsd.org>
From: Thomas Klausner <wiz@danbala.ifoer.tuwien.ac.at>
List: tech-pkg
Date: 03/09/2000 03:50:05
Hi!

There was also a follow-up saying it's nearly impossible to exploit, so
I'll just forget about it again:

==begin forward (headers shortened)

From: emsi@IT.PL (Mariusz Woloszyn)
Subject: Re: lynx - someone is deaf and blind ;)
Date: 8 Mar 2000 08:55:33 +0100
Message-ID: <Pine.LNX.4.04.10003071857260.12554-100000@dzyngiel.ipartners.pl>
References: <Pine.BSF.4.21.0003042204260.59454-100000@hub.freebsd.org>

On Sat, 4 Mar 2000, Kris Kennaway wrote:

> > extremely long URLs. I'm not going to give more examples here, as I'm
> > afraid I might miss one or two that won't be fixed - developers, use your
> > head, take a look at the code and fix every suspected piece of code, not
> > only already published / described bugs.
> 
> I have just disabled the lynx port/package in FreeBSD. We won't be
> shipping it in FreeBSD 4.0, or until this gets addressed. It's a shame
> because it's such a popular and useful tool, but the risk to users is just
> too great.
> 
> Thanks for notifying the world of these problems :)
> 
I tried to exploit the lynx bug several times.
It's true that lynx segfaults on long URLs, but exploiting it is (IMHO)
impossible because lynx strips all nonprintable characters, thus smuggling a
RET address is impossible. I have never heard about ASCII-only shellcode
either :)
I assume the lynx bugs are unexploitable...

P.S. You can also compile lynx with StackGuard (AFAIK only under Linux).

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

==end forward

Bye,
 Thomas

-- 
Thomas Klausner - wiz@danbala.tuwien.ac.at
WWW-homepage: http://fbma.tuwien.ac.at/~e9325658/Welcome.html
Programming is like sex:
  One mistake and you have to support for a lifetime.