lynx-dev

lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable


From: Leonid Pauzner
Subject: lynx-dev FWD: www.infilsec.com - Bugs: lynx tempfile predictable
Date: Thu, 31 Dec 1998 23:24:29 +0300 (MSK)

Subject: Infilsec - Bugs: lynx tempfile predictable
X-URL: http://www.infilsec.com/cgi-infilsec/if?action=generate&key=00059

Why not avoid symlinks in /tmp/, or was this fixed long ago?
Quoted:


   Infilsec

   lynx tempfile predictable

   Record Created: Wed Dec 30 16:25:49 1998

   Last Modified: Wed Dec 30 16:25:49 1998

   Component:
all versions of Lynx (tested on 2.7.1, Linux)

   Impact:
Local users can gain other user accounts

   Author:
fflush

   Description:
The same problem present in Elm 2.4 PL24 and earlier is present in all
versions of Lynx (tested on 2.7.1, Linux). When a lynx user D)ownloads a
file, a temporary file with a predictable name is created to store the file
until it is completely downloaded. The file is /tmp/L*0TMP.html (the
extension is .html regardless of actual file type). * is the PID of Lynx,
and 0 is the download number (the second download would have number 1, and
so on). Lynx doesn't check for previous existence of this file, and *will*
write to symlinks. Any local user can create a symbolic link (or hard link,
for that matter) with this predictable name to one of the Lynx user's files,
and when this user D)ownloads something, his file will be overwritten by
whatever he was downloading. If the attacker has some sort of idea as to the
content of the download (before the fact, obviously) he can write arbitrary
data to the victim's ~/.rhosts or other crucial file.

Since there is usually a substantial time space between downloads (in an
average Lynx session), an attacker has enough time to investigate, and set
up his/her attack.

   Fix by:
Why don't people like using mktemp() or tmpfile() ?
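
The exclusive-create check the advisory says is missing, as an added example that is not part of the original message, the advisory, or Lynx's code. It runs in a private scratch directory; the function names, the `victim` file and the PID 1234 in the temp name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: create/truncate with no existence check,
 * so a link already sitting at the predictable name is followed. */
static int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
 * including a symlink (dangling or not), already occupies the name. */
static int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
/* Preferred: mkstemp() picks an unpredictable name and creates it
 * exclusively with mode 0600. tmpl must end in "XXXXXX". */
static int open_random(char *tmpl) { return mkstemp(tmpl); }

/* Returns a bitmask: 1 = unsafe open truncated the linked file,
 * 2 = O_EXCL open refused the pre-existing link, 4 = mkstemp succeeded. */
int demo(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[64], tmp[64], rnd[64];
    int fd, result = 0;
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/L12340TMP.html", dir); /* L<pid><n>TMP.html */
    snprintf(rnd, sizeof rnd, "%s/LXXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;   /* name is already taken */
    fd = open_excl(tmp);                        /* expected: -1, EEXIST */
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) close(fd);
    fd = open_unsafe(tmp);                      /* follows the link */
    if (fd >= 0) close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1;
    fd = open_random(rnd);                      /* fresh file, random name */
    if (fd >= 0) { result |= 4; close(fd); unlink(rnd); }
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}
int main(void) { printf("result=%d\n", demo()); return 0; }
```

mkstemp() is used here rather than the mktemp() the advisory names, because mktemp() only generates a name and leaves a window before the file is created.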
