Diffstat (limited to 'md/writeup/cve_2010_1160_exploiting_nano.md')
-rw-r--r-- | md/writeup/cve_2010_1160_exploiting_nano.md | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/md/writeup/cve_2010_1160_exploiting_nano.md b/md/writeup/cve_2010_1160_exploiting_nano.md new file mode 100644 index 0000000..fa27c0b --- /dev/null +++ b/md/writeup/cve_2010_1160_exploiting_nano.md 
@@ -0,0 +1,97 @@ +title:CVE 2010-1160 Exploiting nano +keywords:cve,nano,exploit + +# CVE 2010-1160 Exploiting nano + +CVE-2010-1160 Nano Changed File Symlink Privilege Escalation +Usualy if I have to edit some file I am using nano editor. It is almost +on every distribution and easy and fast to use. + +Some time ago i hated vim beacouse of Ctrl-D =] and that way used nano or pico. +Now I know how to exit from vim :q!. After this bug reported in CVE I was +excited to check it out in real life. It is first bug that i have fully +tested. This bug is fixed in newest versions. Testing all nano version +this bug works on < 2.1.7 versions now on my system is latest nano +version and I have compiled many < 2.1.7 versions to test this bug. + +To get your nano version run: +``` +$ nano -V +``` + +When user is editing file nano don't check if it is edited by some one +else. When saving file it simply save it and dont check if it was +modified. If file was changed by some one else then nano will overwrite +it with his text. But it can be changed to symlink that points to other file. +How to use it in real life: + +1) Open file with nano +2) Change file or set symlink +3) Make changes in file and save file in nano +4) See result in symlinked file + +Everything looks like +``` +$nano text.txt +`` + +Now some one do: + +``` +$ls -s empty.txt text.txt +``` + +Nano save what you save in text.txt + +In python it looks like: + +```python +os.remove( "text.txt" ) +open( "empty.txt" , "w" ).close() +os.symlink( "empty.txt" , "text.txt" +``` + + +If you are root and opening file with owner isnt you. +Than owner while you editing his file can setsymlink to some +"/etc/important.conf" and you will overwrite it with some other +unrelated info. This can make some harm to your system. + +How can it be exploited in real life by "small unprivileged user". +Make some interesting file that root will interested in. Make some +process that watch nanos running in system. 
+If nano opened file is our , symlink it. + +1)Detect running nano in system +2)Check with file is opened +3)If file is yours make symlink + +Script is only for user and dont work if you try to symlink root +opened nano. It makes all steps as described above. Change script +variables for your tests: + +``` +debug = True +nano = "nano-2.0.9" +user = "user" +sym_path="/home/user/empty.txt" +``` + +Tested only with python 2.6.5 + +Simply be updated or if you using old nano dont open with +privileged user unprivileged user files. It will save you from this bug. + + + +## Links +http://osvdb.org/show/osvdb/63872 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160 +http://drosenbe.blogspot.com/2010/03/nano-as-root.html +http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup + +## Downloads +nano_bug.tar.gz - +1KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug.tar.gz +nano_bug_catch.tar.gz - +2KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug_catch.tar.gz
\ No newline at end of file |
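Review bot: the symlink step under "Now some one do:" uses `ls -s empty.txt text.txt`, which only lists files; the command that matches the Python snippet further down (`os.symlink`) is `ln -s empty.txt text.txt`, so the example as written would not reproduce the behaviour the text describes. The fence after `$nano text.txt` is closed with only two backticks instead of three, so in rendered markdown everything from there to the next fence is swallowed into the code block. The Python snippet is also missing `import os` and the closing parenthesis on `os.symlink( "empty.txt" , "text.txt"`. Minor wording: the mitigation line "Simply be updated or if you using old nano dont open with privileged user unprivileged user files" would be clearer as "Update nano, or, if you must run a version below 2.1.7, do not open files owned by unprivileged users while running as a privileged user", and "Usualy", "beacouse", "dont" and "isnt" should be spelled out.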