1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file
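Everything looks like this:
    $ nano text.txt
Now someone does:
    $ ln -sf empty.txt text.txt
Nano saves what you save in text.txt.
In Python it looks like:
    import os
    os.remove("text.txt")                # remove the file being edited
    open("empty.txt", "w").close()       # create the symlink target
    os.symlink("empty.txt", "text.txt")  # text.txt now points to empty.txt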
Python step by step
If you are root and open a file whose owner is not you, then the owner can, while you are editing his file, set a symlink to some "/etc/important.conf", and you will overwrite it with some other unrelated info. This can do some harm to your system.
How can it be exploited in real life by a "small unprivileged user"? Make some interesting file that root will be interested in. Make some process that watches for nano instances running in the system.
If the file opened by nano is ours, symlink it.
1) Detect a running nano in the system
2) Check which file is opened
3) If the file is yours, make the symlink
Nano catch
The script is only for user and doesn't work if you try to symlink a nano opened by root. It performs all the steps described above. Change the script variables for your tests:
    debug = True
    nano = "nano-2.0.9"
    user = "user"
    sym_path = "/home/user/empty.txt"
Tested only with python 2.6.5
Simply stay up to date, or, if you are using an old nano, don't open unprivileged users' files as a privileged user. It will save you from this bug.
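One way a program that edits files can guard its save step against the swap described above is shown here. This is an added example, not nano's fix and not code from this post. The names `remember`, `guarded_save` and `UnsafeTarget` and the files created in `demo` are constructed for illustration.

```python
import os
import stat
import tempfile

class UnsafeTarget(Exception):
    """The path no longer refers to the file that was opened for editing."""

def remember(path):
    """Record the identity (device, inode) of the file when editing starts."""
    st = os.lstat(path)  # lstat: do not follow a symlink at the path itself
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeTarget("%s is not a regular file" % path)
    return (st.st_dev, st.st_ino)

def guarded_save(path, identity, data):
    """Write data to path only if it is still the same regular file."""
    # O_NOFOLLOW: open() fails if the last path component is a symlink.
    # No O_TRUNC: nothing is destroyed before the identity check below.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise UnsafeTarget("refusing to save %s: %s" % (path, exc))
    with os.fdopen(fd, "wb") as f:  # closes fd on exit
        st = os.fstat(f.fileno())
        if (st.st_dev, st.st_ino) != identity or not stat.S_ISREG(st.st_mode):
            raise UnsafeTarget("%s was replaced during editing" % path)
        f.truncate(0)
        f.write(data)

def demo():
    """Constructed scenario: the file is swapped between open and save."""
    d = tempfile.mkdtemp()
    text = os.path.join(d, "text.txt")
    target = os.path.join(d, "important.conf")  # stand-in for a protected file
    for p, body in ((text, b"draft\n"), (target, b"keep=me\n")):
        with open(p, "wb") as f:
            f.write(body)
    ident = remember(text)
    os.remove(text)           # the swap from the three-line snippet above
    os.symlink(target, text)
    try:
        guarded_save(text, ident, b"edited\n")
        refused = False
    except UnsafeTarget:
        refused = True
    with open(target, "rb") as f:
        return refused, f.read()  # save refused, target left unchanged
```

O_NOFOLLOW only covers the last path component, so a directory that another user can write to is still a risky place for a privileged user to edit files.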
Links:
[1] http://osvdb.org/show/osvdb/63872
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
[3] http://drosenbe.blogspot.com/2010/03/nano-as-root.html
[4] http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup