Re: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak

[lcamtuf () DIONE IDS PL (Michal Zalewski)]

Another detail on LYNXOPTIONS:// and bypassing evil configuration options
to victim's browser - attack scheme could be even easier and can be done
remotely. First of all, ask user to check his/her configuration, as stated
in previous post (let's call this webpage A.html). Then, supply link to
another webpage, containing evil form with configuration (B.html, see
previous post for details). Value of "secure" field can be guessed easily
- it's increased every second (huh, that's the way clock works ;).
Victim's system time can be precisely estimated with help of it's MTA
subsystem, so you can synchronize your clock with a little bit of
shrewdness. Wait for GET request on A.html from victim, assume eg. +4
seconds to read and understand text (and to press "O", this time is my
blind assumption, probably some real-life test are helpful... but IMHO
this time will be constant for maybe 95% requests, if webpage is designed
properly and user won't need too much time to understand what user should
do). Now, time difference (in seconds) between your and their system clock
+ time(0) return value at the time of GET request + your estimation (4
secs mentioned above) is "secure" value. Rebuild B.html by inserting
proper "secure" field. Form fields should be hidden, some bogus text with
big, good-looking 'submit' button will help.

Now, the most interesting thing - by putting funny 'preffered charset',
'preffered language' and 'user agent' fields into form (I've tried with
> 64kB of 'A's, but probably it could be much smaller), you'll cause
beautifully exploitable stack overflow while viewing next webpage after
pressing Big Button on B.html. After submitting configuration, last
webpage is automatically reloaded, that's enough. No need to modify
'editor' or anything else and wait.

Program received signal SIGSEGV, Segmentation fault.
0x4009ab97 in strcpy ()
(gdb) info stack
#0  0x4009ab97 in strcpy ()
#1  0x80b802b in _start ()
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.

Yes, it's much more social (reverse ;) engineering than hacking, all of
these processes have to be automated and still you don't have 100%
certainty, but those hacks where user reactions have critical meaning are
the most interesting :)

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]