SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Browser)  >  w3m
Vendors:  Ito, Akinori
w3m Text-based Web Browser May Execute Arbitrary Code
Date:  Jun 21 2001
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Exploit Included:  Yes
Advisory:  Secure Net Service (LAC)
Version(s): w3m 0.2.1
Description:  Secure Net Service reported a vulnerability in the w3m text-based web browser that allows a remote web site to cause arbitrary code to be executed by the browser.

The vulnerability is reportedly due to a buffer overflow in the processing of MIME headers. If a remote web site returns a malformed MIME header that carries executable instructions in its payload, the overflow could cause that code to be executed by the w3m browser with the privileges of the w3m user.

The vulnerability can reportedly be triggered by a MIME-encoded header in base64 format that is longer than 34 characters, such as the following header:
MIME header:
=?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=

A listing of the resulting memory dump and register contents is provided in the Source Message.

Impact:  A remote web site could return a malformed MIME header containing code that will be executed by the w3m browser with the privileges of the w3m user.
Solution:  A patch to fix this vulnerability has reportedly been announced via a w3m developer's mailing list:

A patch to fix this issue[Archive number 2066]:
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2066.html
A recommendation to clean up #2066:
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2067.html

Vendor URL:  ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/eng/index.html
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
Underlying OS Comments:  tested on RedHat 7.0J and Solaris 7 (x86)
Reported By:  "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 11 2001 (FreeBSD Issues Fix) w3m Text-based Web Browser May Execute Arbitrary Code   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
The vendor has released a fix.
Oct 18 2001 (Debian Issues Fix) w3m Text-based Web Browser May Execute Arbitrary Code   (Martin Schulze <joey@finlandia.infodrom.north.de>)
The vendor has released a fix.
Nov 8 2001 (Conectiva Issues Fix) w3m Text-based Web Browser May Execute Arbitrary Code   (secure@conectiva.com.br)
The vendor has released a fix.



 Source Message Contents

Date:  Thu, 21 Jun 2001 14:34:36 +0900
From:  "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Subject:  [SNS Advisory No.32] w3m malformed MIME header Buffer Overflow Vulnerability

 

-----------------------------------------------------------------------
SNS Advisory No.32
w3m malformed MIME header Buffer Overflow Vulnerability

Problem first discovered: Thu, 25 May 2001
Published: Wed, 19 Jun 2001
Last Updated: Wed, 19 Jun 2001 
----------------------------------------------------------------------

Overview
--------
	w3m, a text file/Web browser which is similar to lynx, has
a buffer overflow vulnerability in a routine that parses MIME headers.
If a user retrieves/downloads a malformed Web page with w3m,
a malicious Web server administrator may remotely gain the
privileges of the user running w3m.

Problem Description
-------------------

	w3m handles the MIME headers included in the request/response
messages within the HTTP session like other web browsers.
A buffer overflow occurs when w3m accepts a MIME-encoded
header in base64 format. The length of the encoded header must
be over 34 characters.
The following are a memory dump and the contents of the registers
when the buffer overflow occurs.

  MIME header:
	=?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=

  memory dump:
 0xbffff8a0: 0x41414141 0x41414141 0x41414141 0x41414141
 0xbffff8b0: 0x41414141 0x41414141 0x41414141 0x41414141
 0xbffff8c0: 0x41414141 0x41414141 0x41414141 0x41414141
 0xbffff8d0: 0xbf0a4141 0x080e0000 0x00000001 0x080792c3

  register:
 ESP:          0xbffff8d0
 EIP:          0x41414141

	If a remote Web administrator (a remote attacker) could embed
code in the 0x41 part and control the EIP, it is possible to execute
arbitrary code with the privileges of the w3m user.
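The root cause described in both the SecurityTracker summary and the advisory above is a base64 "encoded-word" (RFC 2047, the `=?charset?B?payload?=` form) whose decoded payload is longer than the fixed buffer that receives it. The following is an added example, not w3m's code nor the patch from the w3m-dev list: a bounds-checked encoded-word decoder that refuses to write past its output buffer and rejects malformed words such as the advisory's `=?AAAA...?=` (which has no charset/encoding separators). `DECODE_CAP`, the helper names and the `US-ASCII` test header are constructed for the example; the 34-character threshold on the page is w3m's, not this buffer's.

```c
/* Added example: bounds-checked decoding of an RFC 2047 base64 encoded-word.
 * This is illustrative code, not w3m's decoder; DECODE_CAP is a constructed size. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DECODE_CAP 64  /* constructed: size of the fixed output buffer */

/* Map one base64 alphabet character to its 6-bit value, or -1 if not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the base64 text in [p, end) into out, never writing more than cap bytes.
 * Returns the number of decoded bytes, or -1 on a bad alphabet character, data
 * after padding, or when the decoded data would not fit in cap bytes. */
static long b64_decode_bounded(const char *p, const char *end,
                               unsigned char *out, size_t cap)
{
    unsigned long acc = 0;
    int bits = 0, pad = 0;
    size_t n = 0;

    for (; p < end; p++) {
        if (*p == '=') { pad++; continue; }
        if (pad) return -1;                       /* data after '=' padding */
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned long)v) & 0xffffffUL;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;              /* the check a fixed buffer needs */
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    if (pad > 2) return -1;
    return (long)n;
}

/* Parse one encoded-word "=?charset?B?payload?=" from hdr. Writes the decoded
 * payload into out (at most cap bytes) and returns its length, or -1 if the
 * word is malformed, not base64 ('B'), or would overflow the buffer. */
long decode_encoded_word(const char *hdr, unsigned char *out, size_t cap)
{
    size_t len = strlen(hdr);
    if (len < 7 || strncmp(hdr, "=?", 2) != 0 || strcmp(hdr + len - 2, "?=") != 0)
        return -1;
    const char *charset = hdr + 2;
    const char *q1 = strchr(charset, '?');          /* end of charset */
    if (!q1 || q1 == charset) return -1;
    const char *enc = q1 + 1;                       /* single encoding letter */
    const char *q2 = strchr(enc, '?');
    if (!q2 || q2 != enc + 1 || (*enc != 'B' && *enc != 'b')) return -1;
    const char *payload = q2 + 1;
    const char *payload_end = hdr + len - 2;        /* excludes the closing "?=" */
    if (payload_end < payload) return -1;
    return b64_decode_bounded(payload, payload_end, out, cap);
}

/* Decode hdr into a DECODE_CAP-byte buffer; returns decoded length or -1. */
long decoded_length(const char *hdr)
{
    unsigned char out[DECODE_CAP];
    return decode_encoded_word(hdr, out, sizeof out);
}

/* 1 if hdr decodes (within DECODE_CAP) to exactly the bytes of expected. */
int decodes_to(const char *hdr, const char *expected)
{
    unsigned char out[DECODE_CAP];
    long n = decode_encoded_word(hdr, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

/* Build the constructed header "=?US-ASCII?B?" + payload_chars 'A' + "?=" (the
 * advisory's pattern with the separators a real encoded-word has) and decode it. */
long decode_constructed_word(size_t payload_chars)
{
    char hdr[512];
    if (payload_chars > 400) return -2;
    memcpy(hdr, "=?US-ASCII?B?", 13);
    memset(hdr + 13, 'A', payload_chars);
    memcpy(hdr + 13 + payload_chars, "?=", 3);     /* copies the NUL too */
    return decoded_length(hdr);
}

int main(void)
{
    printf("hello word decodes: %d\n", decodes_to("=?ISO-8859-1?B?aGVsbG8=?=", "hello"));
    printf("84-char payload -> %ld decoded bytes\n", decode_constructed_word(84));
    printf("200-char payload -> %ld (rejected, would overflow)\n", decode_constructed_word(200));
    return 0;
}
```

The length check sits inside the decode loop rather than on the encoded input, because a decoder that only bounds the input length is easy to get wrong once padding and line folding enter the picture; rejecting at the moment of the write is the property a fixed buffer actually needs.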

Tested Version
--------------
 w3m 0.2.1

Tested OS
---------
 RedHat 7.0J
  Solaris 7 (x86)

Patch Information
-----------------
	A patch to fix this issue has been announced on a developer's
mailing list of w3m.

A patch to fix this issue[Archive number 2066]:
        http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2066.html
A recommendation to clean up #2066:
        http://mi.med.tohoku.ac.jp/~satodai/w3m-dev/200106.month/2067.html

Discovered by
-------------

OGASAWARA Satoshi   (LAC / s.ogaswr@lac.co.jp)
KOBAYASHI Shigehiro (LAC / sigehiro@lac.co.jp)

Disclaimer
----------
All information in this advisory is subject to change without
advance notice or mutual consensus, and each item is released
as it is. LAC Co., Ltd. is not responsible for any risks or occurrences
caused by applying this information.

References
----------
w3m official page(English):
	http://ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/eng/index.html

w3m official page(Japanese):
	http://ei5nazha.yz.yamagata-u.ac.jp/~aito/w3m/index.html

Archive of this advisory:
	http://www.lac.co.jp/security/english/snsadv_e/32_e.html

SNS Advisory:
	http://www.lac.co.jp/security/english/snsadv_e/

LAC:
	http://www.lac.co.jp/security/english/

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

Copyright 2001, SecurityGlobal.net LLC