Bugtraq mailing list archives
A vulnerability in Lynx (all versions)
From: fflush () SUCKAH ML ORG (fflush)
Date: Mon, 5 May 1997 16:48:30 -0400
Hey all,

The same problem present in Elm 2.4 PL24 and earlier is present in all versions of Lynx (tested on 2.7.1, Linux).

When a lynx user D)ownloads a file, a temporary file with a predictable name is created to store the file until it is completely downloaded. The file is /tmp/L*0TMP.html (the extension is .html regardless of actual file type). * is the PID of Lynx, and 0 is the download number (the second download would have number 1, and so on). Lynx doesn't check for previous existence of this file, and *will* write to symlinks.

Any local user can create a symbolic link (or hard link, for that matter) with this predictable name to one of the Lynx user's files, and when this user D)ownloads something, his file will be overwritten by whatever he was downloading. If the attacker has some sort of idea as to the content of the download (before the fact, obviously) he can write arbitrary data to the victim's ~/.rhosts or other crucial file. Since there is usually a substantial time space between downloads (in an average Lynx session), an attacker has enough time to investigate, and set up his/her attack.

Fix: Why don't people like using mktemp() or tmpfile() ?

fflush
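The missing existence check and the fix the post asks for, as an added example that is not part of the original message or of Lynx's source. It uses mkstemp() rather than mktemp(), because mktemp() only returns a name and leaves a window before the file is opened. The function names, the PID 1234 and the scratch directory are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the post: predictable name, opened without an existence check. */
int write_predictable(const char *path, const char *data) {
    FILE *f = fopen(path, "w");      /* follows symlinks and truncates the target */
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened: O_EXCL makes open() fail if the name exists, symlinks included. */
int write_exclusive(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Preferred: mkstemp() picks an unpredictable name and opens it O_EXCL, 0600. */
int open_download_temp(char *path_out, size_t len) {
    snprintf(path_out, len, "/tmp/lynx-dl-XXXXXX");   /* hypothetical prefix */
    return mkstemp(path_out);        /* caller write()s, close()s and unlink()s */
}

/* Constructed scenario in a private scratch directory: a symlink already sits
 * at the predictable name and points at a file the user cares about.
 * Returns 1 if that file was overwritten, 0 if it survived, -1 on setup error. */
int precious_clobbered(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/tmpdemoXXXXXX", precious[64], tmp[64], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(precious, sizeof precious, "%s/precious", dir);
    snprintf(tmp, sizeof tmp, "%s/L12340TMP.html", dir);  /* PID 1234, download 0 */
    if (write_predictable(precious, "original") || symlink(precious, tmp)) return -1;
    writer(tmp, "downloaded");       /* the "download" being written to the temp name */
    FILE *f = fopen(precious, "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    unlink(tmp); unlink(precious); rmdir(dir);
    return strcmp(buf, "original") != 0;
}
```

Calling `precious_clobbered(write_predictable)` reports the linked file as overwritten, while `precious_clobbered(write_exclusive)` leaves it intact because the open fails with EEXIST.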