main.lv
Dont think code it

2010-4-24 CVE 2010-1160 Exploiting nano

CVE-2010-1160 Nano Changed File Symlink Privilege Escalation
Usualy if I have to edit some file I am using nano editor. It is almost
on every distribution and easy and fast to use.

Some time ago i hated vim beacouse of Ctrl-D =] and that way used nano or pico.
Now I know how to exit from vim :q!. After this bug reported in CVE I was
excited to check it out in real life. It is first bug that i have fully
tested. This bug is fixed in newest versions. Testing all nano version
this bug works on < 2.1.7 versions now on my system is latest nano
version and I have compiled many < 2.1.7 versions to test this bug.

To get your nano version run:
$ nano -V

When user is editing file nano don't check if it is edited by some one
else. When saving file it simply save it and dont check if it was
modified. If file was changed by some one else then nano will overwrite
it with his text. But it can be changed to symlink that points to other file.
How to use it in real life:

1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file

Everytning looks like
$nano text.txt

Now some one do:

$ls -s empty.txt text.txt

Nano save what you save in text.txt

In  python it looks like:

os.remove( "text.txt" )
open( "empty.txt" , "w" ).close()
os.symlink( "empty.txt" , "text.txt"



If you are root and opening file with owner isnt you.
Than owner while you editing his file can setsymlink to some
"/etc/important.conf" and you will overwrite it with some other
unrelated info. This can make some harm to your system.

How can it be exploited in real life by "small unpreviliged user".
Make some interesting file that root will interested in. Make some
process that whachs nanos running in system.
If nano opened file is our , symlink it.

1)Detect running nano in system
2)Check with file is opened
3)If file is yours make symlink

Script is only for user and dont work if you try to symlink root
opened nano. It makesall steps as described above. Change script
variables for your tests:

debug = True
nano = "nano-2.0.9"
user = "user"
sym_path="/home/user/empty.txt"


Tested only with python 2.6.5

Simply be uptodated or if you using old nano dont open with
privileged user unpriveleged user files. It will save you from this bug.



Links


Downloads

nano_bug.tar.gz1KiB nano_bug_catch.tar.gz2KiB