ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0002875 | NetSurf | [All Projects] General | public | 2024-05-28 13:24 | 2024-05-28 13:54
Field | Value
---|---
Reporter | Felix Albrigtsen
Assigned To |
Severity | crash
Reproducibility | always
Status | new
Resolution | open
Platform | GTK
OS | Linux
OS Version | Debian 13 Trixie
Product Version | 3.11
Target Version |
Fixed in Version |
Summary | 0002875: Stack buffer overflow in idna_encode
Description | This buffer overflow can be reached when NetSurf is handling "href" and "src" attributes in many different HTML elements, or when passing a URL on the command line. In idna_encode, fqdn is created as a character buffer holding 256 bytes. When called through nsurl_create and nsurl__create_from_section, the second argument, len, contains the correct value, but there are no limitations or checks on how long the host string can be. This means that when strncpy is used to copy the provided host string to the fqdn buffer, it can be overflowed if the host string is longer than 256 bytes. This causes a crash at minimum, and on builds without a stack canary it can be used to control the instruction pointer. The HTML file shown below uses an offset of 312 bytes, followed by three f's to set the last three bytes of the instruction pointer to \x66\x66\x66. URL-encoded bytes can also be used to change the instruction pointer to both lower and upper case ASCII. The number 3 is arbitrarily chosen to show a possible "relative jump" in a relocatable binary, but you can overwrite the entire instruction pointer or other things on the stack as well. The offset 312 works for me on a 64-bit Linux system with GCC, but might differ on other platforms.
Steps To Reproduce |
- Build/Install NetSurf 3.11, for example from the Debian 13 repositories (`# apt install netsurf-gtk`)
- Open a page with a long URL as described above (for example, with the file ./bof.html, run `$ netsurf-gtk file://$(pwd)/bof.html`)

Example HTML file showing the problem:

```html
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfff
</body>
</html>
```
Additional Information | Tested with NetSurf 3.11 on Debian (testing) and NixOS (unstable). I have not tested any other platforms.
Tags | No tags attached.
Fixed in CI build # |
Reported in CI build # |
URL of problem page |
Attached Files |

Notes
Felix Albrigtsen (reporter) 2024-05-28 13:54

I made a mistake, and the body of the example HTML got rendered in the report view. It is supposed to be an "a" tag, like `< a href="http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafff" > link name < / a >` without the spaces.
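Added example, not NetSurf's code and not part of the report: the defect the description names is a copy bounded by the caller-supplied `len` rather than by the 256-byte destination. The hypothetical `host_is_acceptable` and `copy_host_checked` below show the check a caller such as the one described should perform (host length and label length validated before the copy, oversize input rejected rather than truncated); the 312-byte host from the report is rejected in `selfcheck`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this is not NetSurf's idna_encode. */
#define FQDN_SIZE     256 /* same size as the stack buffer the report describes */
#define MAX_HOST_LEN  253 /* RFC 1035 limit on a textual hostname */
#define MAX_LABEL_LEN 63  /* RFC 1035 limit on one dot-separated label */

/* Validate a host string of explicit length before it touches a fixed buffer.
 * True only if it fits the buffer, has no embedded NUL, and every label is
 * 1..63 bytes (a single trailing dot for the root label is allowed). */
bool host_is_acceptable(const char *host, size_t len)
{
    if (host == NULL || len == 0 || len > MAX_HOST_LEN || len >= FQDN_SIZE)
        return false;
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        if (host[i] == '\0')          /* embedded NUL: the length lies */
            return false;
        if (host[i] == '.') {
            if (label == 0 || label > MAX_LABEL_LEN) /* empty or oversized label */
                return false;
            label = 0;
        } else {
            label++;
        }
    }
    return label <= MAX_LABEL_LEN;
}

/* Hardened copy: bounded by the destination size, and oversize input is
 * refused instead of silently truncated to a different host. */
bool copy_host_checked(char *fqdn, size_t fqdn_size, const char *host, size_t len)
{
    if (!host_is_acceptable(host, len) || len >= fqdn_size)
        return false;
    memcpy(fqdn, host, len);
    fqdn[len] = '\0';
    return true;
}

/* Self-check mirroring the report: a constructed 312-byte host of 'A's must be
 * rejected and an ordinary host copied intact. */
bool selfcheck(void)
{
    char fqdn[FQDN_SIZE];
    char big[312 + 1];
    memset(big, 'A', 312);
    big[312] = '\0';
    bool rejected = !copy_host_checked(fqdn, sizeof fqdn, big, 312);
    bool accepted = copy_host_checked(fqdn, sizeof fqdn, "example.org", 11)
                    && strcmp(fqdn, "example.org") == 0;
    return rejected && accepted;
}
```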
Issue History

Date Modified | Username | Field | Change
---|---|---|---
2024-05-28 13:24 | Felix Albrigtsen | New Issue |
2024-05-28 13:54 | Felix Albrigtsen | Note Added: 0002462 |