SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Nautilus (GNOME) Vendors:   Gnome Development Team
(Red Hat Issues Fix) Re: Nautilus GNOME Shell and File Manager Symlink Hole May Let Local Users Cause Other Users' to Overwrite Files on the System
SecurityTracker Alert ID:  1004213
SecurityTracker URL:  http://securitytracker.com/id/1004213
CVE Reference:   CVE-2002-0157   (Links to External Site)
Date:  May 2 2002
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.4
Description:   A temporary file symbolic link (symlink) vulnerability was reported in Nautilus, the GNOME shell and file manager. A local user could cause another user to overwrite files on the system. In some cases, this could allow a local user to obtain root privileges on the system.

Rapid 7 reports that when a local user copies files from one directory to another directory, Nautilus will create a small (88+ bytes) XML file named '.nautilus-metafile.xml' in the target directory. The software apparently does not check to see if a symlink with the same name already exists before writing to it.

A local user could create a symlink from a critical file to the appropriate Nautilus XML file name in a certain directory. Then, the local user could convince another user on the system to copy a file to the certain directory. When the other user performs this copy function using Nautilus, Nautilus will write to the XML file, causing the linked file to be overwritten with the privileges of the other user.

Impact:   A local user can cause files to be overwritten by other users when the other users invoke Nautilus to perform certain copying functions. If the "other user" is a root-level user, then the local user could obtain root level access on the system.
Solution:   Red Hat has issued a fix. Obtain the appropriate package listed below.

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm

The verification checksums are:

MD5 sum Package Name
--------------------------------------------------------------------------
df668f91e33ecf794aa10eee7e236f80 7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
f91c1cb8fb30034c8ea8aefa184c5589 7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
af4c6accb8c0e4ec60921e0938ad925d 7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
84ffe4f70577e6d235086a8a7cd86a4d 7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
be8f595a061435b13675d9c799377f33 7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
6528cdff10addff8d09e8f0d8e13a49e 7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm

Vendor URL:  nautilus.eazel.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Red Hat Linux)
Underlying OS Comments:  7.2

Message History:   This archive entry is a follow-up to the message listed below.
May 2 2002 Nautilus GNOME Shell and File Manager Symlink Hole May Let Local Users Cause Other Users' to Overwrite Files on the System



 Source Message Contents

Subject:  [RHSA-2002:064-12] Updated Nautilus for symlink vulnerability writing metadata files


---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated Nautilus for symlink vulnerability writing metadata files
Advisory ID:       RHSA-2002:064-12
Issue date:        2002-04-16
Updated on:        2002-04-30
Product:           Red Hat Linux
Keywords:          nautilus metadata symlink
Cross references:  
Obsoletes:         
---------------------------------------------------------------------

1. Topic:

The Nautilus file manager in Red Hat Linux 7.2 has a symlink vulnerability.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386, ia64, s390

3. Problem description:

The Nautilus file manager (used by default in the GNOME desktop
environment) writes metadata files containing information about files and
directories that have been visited in the file manager.
The metadata file code in Red Hat Linux 7.2 can be tricked into chasing
a symlink and overwriting the symlink target.

The errata packages repair this problem in two ways. First they create
metadata files using mkstemp() and then renaming the files, instead of
creating the files in-place with a fixed filename. This patch in the errata
packages was backported from the latest upstream version of Nautilus on
cvs.gnome.org.

Second, Nautilus used to have a preference to store metadata only in the 
user's home directory, rather than in each directory being browsed. 
This errata removes the preference and hardcodes its value to always 
use the home directory. This disables the shared-metadata functionality,
so if two users browse the same directory they may see different icons, 
emblems, and so forth.

Nautilus has only been shipped in Red Hat Linux 7.2; earlier
versions do not contain Nautilus and thus are not vulnerable.

This problem should only be exploitable locally (filesystem access 
is needed to create a malicious symlink). If Nautilus is not run 
as root, the impact should be limited to overwriting files that
unprivileged users have access to. If Nautilus is run as root, 
a malicious symlink could overwrite system-critical files such 
as /etc/passwd with Nautilus metadata.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0157 to this issue. The BUGTRAQ ID for this 
issue is 4373.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm



7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
df668f91e33ecf794aa10eee7e236f80 7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
f91c1cb8fb30034c8ea8aefa184c5589 7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
af4c6accb8c0e4ec60921e0938ad925d 7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
84ffe4f70577e6d235086a8a7cd86a4d 7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
be8f595a061435b13675d9c799377f33 7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
6528cdff10addff8d09e8f0d8e13a49e 7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm
 

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0157


Copyright(c) 2000, 2001, 2002 Red Hat, Inc.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC