Bugtraq mailing list archives
Another day, another race - lynx 2.7.1
From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Tue, 17 Mar 1998 15:39:58 +0100
Hello,

I (?) found a /tmp race in lynx 2.7.1. Another stupid program, which uses the global /tmp directory instead of the environment variable TMPDIR...

When lynx downloads something, it happily uses /tmp/L{seq number}{pid}TMP.{contents extension}. When downloading is done, it creates a new file, /tmp/L{last number+1}{pid}TMP.html, which contains html with options like 'Save to disk' and will be displayed. Of course it's created unsafely, and may be easily exploited to overwrite files or pass your own data to lynx... E.g. you may change the default 'Save to disk' href to:

    <a href="LYNXDOWNLOAD://Method=-1/File=/tmp/my_own_file/SugFile=blah">

Lynx's /tmp file creation procedure is so poor that it isn't the only vulnerability.

Source code details/fix:

In LYUtils.c, they have written their own function to make a tmp filename, called tempname. How it works:

    sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++);

Fools, fools, fools!!! This is NOT a single-task, single-user environment. Rewrite this function or remove it; use mkstemp instead.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to execute recursively, divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
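An added example, not part of the original post and not lynx code: it rebuilds the pid-plus-counter name from the quoted sprintf, then shows that an O_EXCL open refuses a pre-planted path and that mkstemp, the fix the post recommends, returns a fresh private file. The helper names, the "lynxXXXXXX" template and the scratch directory are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern quoted in the post: the name is built from the pid and a counter,
 * so any local user can compute it before the program creates the file. */
static void predictable_name(char *buf, size_t n, const char *dir, unsigned ctr) {
    snprintf(buf, n, "%s/L%d%uTMP.html", dir, (int)getpid(), ctr);
}

/* Hardened open for a fixed name: with O_CREAT|O_EXCL the call fails with
 * EEXIST if a file or symlink already exists, instead of writing through it. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* mkstemp picks an unpredictable name and creates the file atomically. */
static int open_mkstemp(const char *dir, char *out, size_t n) {
    snprintf(out, n, "%s/lynxXXXXXX", dir);   /* hypothetical template */
    return mkstemp(out);
}

/* Constructed scenario inside a private scratch directory: a symlink already
 * sits at the predictable name. Returns 0 when both safe paths behave. */
int demo(void) {
    char dir[256], guess[512], tmp[512];
    const char *base = getenv("TMPDIR");      /* honour TMPDIR, else /tmp */
    struct stat st;
    snprintf(dir, sizeof dir, "%s/racedemoXXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return -1;
    predictable_name(guess, sizeof guess, dir, 0);
    if (symlink("/nonexistent/target", guess) != 0) return -2; /* pre-planted */
    int fd1 = open_exclusive(guess);          /* must be refused */
    int refused = (fd1 == -1 && errno == EEXIST);
    int fd2 = open_mkstemp(dir, tmp, sizeof tmp);
    int fresh = (fd2 >= 0 && fstat(fd2, &st) == 0 && S_ISREG(st.st_mode) &&
                 (st.st_mode & 077) == 0 && strcmp(tmp, guess) != 0);
    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) { close(fd2); unlink(tmp); }
    unlink(guess); rmdir(dir);
    return (refused && fresh) ? 0 : 1;
}

int main(void) { printf("demo: %d\n", demo()); return 0; }
```

A plain fopen(path, "w") on the same path has neither property: it accepts whatever already exists at that name, which is the behaviour the post reports.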