www.main.lv

Don't think just code it

Menu

  • Projects
    • Robatik
    • ArpSni
  • Samples
    • FreeBSD Asm
    • Linux Asm
    • PyGame Tutorial
    • UNIX programming
    • PSP programming
    • AVR
    • Math
  • Contact

Tags

algo (1)asm (19)attractor (2)avr (2)blender (3)bug (1)c (25)coalision (2)debug (3)editor (1)elf (1)fractals (2)freebsd (3)game (3)generator (1)gimp (1)int80h (22)map (1)math (5)mit (1)nano (1)net (2)opengl (1)plugin (1)post (2)povray (1)psp (3)pygame (19)python (28)robatik (2)sdl (3)skype (2)sql (1)towers (2)tutorial (7)voronoi (1)wudu (1)

Archive

  • 2010 august (1)
  • 2010 july (2)
  • 2010 june (1)
  • 2010 april (2)
  • 2010 march (2)
  • 2010 february (2)
  • 2010 january (2)
  • 2009 december (3)
  • 2009 november (8)
  • 2009 october (3)
  • 2009 september (5)
  • 2009 august (1)
  • 2009 july (1)
  • 2009 june (1)
  • 2009 may (1)
  • 2009 april (3)
  • 2009 march (1)
  • 2009 february (2)
  • 2009 january (1)
  • 2008 october (2)
  • 2008 september (4)

2010-04-24 CVS 2010-1160 Exploiting nano

CVE-2010-1160 Nano Changed File Symlink Privilege Escalation

Usualy if I have to edit some file I am using nano editor.
It is almost on every distribution and easy and fast to use. Some time ago i hated vim
beacouse of Ctrl-D =] and that way used nano or pico. Now I know how to exit from vim :q!. After this bug
reported in  CVE i was exited to check it out in real life. It is first bug that i have fully tested.

This bug is fixed in newest versions. Testing all nano version this bug works
on < 2.1.7 versions now on my system is latest nano version and I have
compiled many < 2.1.7 versions to test this bug.

To get your nano version run:
$ nano -V

When user is editing file nano don't check if it is edited by some
one else. When saving file it simply save it and dont check if it was modified. If file was changed by some one else
then nano will overwrite it with his text. But it can be changed to symlink that points to other file. How to use it in real life:

1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file

Everytning looks like
$nano text.txt
Now some one do:
$ls -s empty.txt text.txt
Nano save
whach you save in text.txt

In  python it looks like:

os.remove( "text.txt" )
open( "empty.txt" , "w" ).close()
os.symlink( "empty.txt" , "text.txt"
Python step by step

If you are root and opening file with owner isnt you. Than owner while you
editing his file can set
symlink to some "/etc/important.conf" and you will overwrite it with some
other unrelated info. This can make some harm to your system.

How can it be exploited in real life by "small unpreviliged user". Make some interesting file
that root will interested in. Make some process that whachs nanos running in system. If nano opened file is our , symlink it.

1)Detect running nano in system
2)Check with file is opened
3)If file is yours make symlink

Nano catch

Script is only for user and dont work if you try to symlink root opened nano. It makes
all steps as described above. Change script variables for your tests:
debug = True
nano = "nano-2.0.9"
user = "user"
sym_path="/home/user/empty.txt"
Tested only with python 2.6.5


Simply be uptodated or if you using old nano dont open with privileged user unpriveleged user files.
It will save you from this bug.


Linkage:
[1] http://osvdb.org/show/osvdb/63872
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
[3] http://drosenbe.blogspot.com/2010/03/nano-as-root.html
[4] http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup



© 2010