Re: Another day, another race - lynx 2.7.1

Dr. BSD (dr_bsd@HOTMAIL.COM)
Tue, 17 Mar 1998 18:45:35 -0800 (PST)

Hello,

I would just like to point out that both of the mentioned bugs are
already known and/or eliminated.

Michal Zalewski wrote:
> I (?) found /tmp race in lynx 2.7.1. Another stupid program, which
> uses ...

Nope, that bug has been known for quite a while now. Check the CERT
advisory on it:

CERT* Vendor-Initiated Bulletin VB-97.05
July 15, 1997

Topic: Vulnerability in Lynx Temporary Files
Source: Jim Spath

It was also posted on Bugtraq, but we can't expect Aleph1 to memorize
each and every single occurrence of a bug, so who could blame him for
letting that one slip through.

> While poking around lynx protocol handling routines, I found this
> very big, ugly remote hole:
>
> <a href=
> "LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test">
> CLICK HERE
> </a>

You must be using a not-so-recent version of Lynx, because that
bug was eliminated in Lynx version 2.7.1ac-0.35, released on June 26,
1997.

Here is the actual log entry from the CHANGES file for patch level 35:

1997-06-26
* Tweak of the "tag and attribute soup" parsing mods in HTML.c so that
the PLAIN attribute works for UL blocks again. - FM
* More tweaks of LYMainLoop.c to issue informative statusline messages
about attempts to ACTIVATE, DOWNLOAD, or submit URLs or ACTIONs
which are disallowed in the current context and destined to fail,
rather than acting on them and generating actual failures. - FM
* Mods of LYmktime() in LYUtils.c to support dd-mm-yyyy format for
expires headers and cookie attributes. - FM
* Oops, hadn't included checks for whether there are links on the page
in this morning's LYMainLoop.c mods to ensure appropriate statusline
messages for attempts to bookmark special URLs that can't be
bookmarked, which could yield a crash if there aren't any. The
checks are in there now. - FM
* Added ability to bookmark links from the Lynx List Page, as from the
Visited Links Page, but not for those pages, themselves, since they
are temporary files. Note that Lynx List Page links will not have
the documents' titles, as do those in the Visited Links Page, unless
you've visited them before invoking the Lynx List Page. - FM
* Added explicit protections against buffer overruns in the
LYDownload.c handling of suggested filenames. - FM

In Lynx version 2.7.1ac-0.35 and later, the following message is
displayed when you try to follow a potentially malicious link like
the one you mentioned:

Alert!: This special URL is not allowed in external documents!

so I guess you had better start looking for another bug to exploit.
Another day, another pair of already known and/or eliminated bugs. :-)
You have shown that you are very enthusiastic and persistent in
your quest to find race conditions and other bugs, but you should
spend some more time researching before you post your findings, IMHO.

Regards,
Dr. BSD

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
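The two defences this reply refers to, shown together as an added C example that is not Lynx's own code and is not taken from the post: the temporary-file race (CERT VB-97.05) is avoided by creating the file with mkstemp(), which uses O_CREAT|O_EXCL and mode 0600 so a pre-planted name makes the open fail instead of being followed, and the LYNXDOWNLOAD: problem is modelled as a gate that refuses Lynx-internal schemes when the link comes from an external document, printing the alert text quoted above. All function names (open_private_tmpfile, tmpfile_demo, url_allowed, suggested_filename_ok), the template path, the scheme list and the filename rules are assumptions of this illustration, not Lynx internals.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* ---- 1. Temporary files without the /tmp race ---------------------------
 * mkstemp() creates the file with O_CREAT|O_EXCL and mode 0600, so a name an
 * attacker planted in advance (file or symlink) makes the call fail rather
 * than being followed. fstat() on the descriptor then confirms what was
 * actually opened. Returns the open fd (path copied to path_out) or -1. */
int open_private_tmpfile(char *path_out, size_t out_len)
{
    char tmpl[] = "/tmp/lynx-demo-XXXXXX";   /* constructed template, not Lynx's */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1 ||
        (st.st_mode & 077) != 0 ||          /* no group/other access */
        strlen(tmpl) + 1 > out_len) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    return fd;
}

/* Self-checking wrapper: create, verify, remove. Returns 1 on success. */
int tmpfile_demo(void)
{
    char path[64];
    int fd = open_private_tmpfile(path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = (unlink(path) == 0);
    close(fd);
    return ok;
}

/* ---- 2. Refusing Lynx-internal URLs that arrive from outside ------------
 * Schemes like LYNXDOWNLOAD: are meant to appear only in pages Lynx itself
 * generates. The list below is illustrative; only LYNXDOWNLOAD: is named in
 * the post. */
static const char *const internal_schemes[] = { "LYNXDOWNLOAD:" };

/* Case-insensitive prefix test, so lynxdownload: is caught as well. */
static int has_prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

int is_internal_scheme(const char *url)
{
    size_t n = sizeof internal_schemes / sizeof internal_schemes[0];
    for (size_t i = 0; i < n; i++)
        if (has_prefix_nocase(url, internal_schemes[i]))
            return 1;
    return 0;
}

/* Returns 1 if url may be followed; external=1 means the link came from a
 * document Lynx did not generate itself. */
int url_allowed(const char *url, int external)
{
    if (external && is_internal_scheme(url)) {
        fprintf(stderr, "Alert!: This special URL is not allowed in external documents!\n");
        return 0;
    }
    return 1;
}

/* A suggested filename is accepted only as a plain, bounded name: no path
 * separators, control characters or shell metacharacters, so it can never
 * be handed to a shell or escape the download directory. */
int suggested_filename_ok(const char *name, size_t max_len)
{
    size_t n = strlen(name);
    if (n == 0 || n > max_len || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c < 0x20 || c == 0x7f || strchr("`$|;&<>\"'\\ ", c))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* The link quoted in the post, used here only as input to the gate. */
    const char *link = "LYNXDOWNLOAD://Method=-1/File=`touch%20UGLY_BUG`/SugFile=test";
    printf("private tmpfile: %s\n", tmpfile_demo() ? "ok" : "failed");
    printf("link from external page: %s\n", url_allowed(link, 1) ? "allowed" : "refused");
    printf("link from Lynx's own page: %s\n", url_allowed(link, 0) ? "allowed" : "refused");
    printf("SugFile=test ok: %d, backtick name ok: %d\n",
           suggested_filename_ok("test", 255), suggested_filename_ok("`touch UGLY_BUG`", 255));
    return 0;
}
```

The fstat() checks after mkstemp() are belt and braces: mkstemp() already guarantees a fresh file, but verifying the descriptor (regular file, owned by us, single link, no group/other bits) catches a broken or non-POSIX mkstemp() and documents the properties the rest of the code relies on.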