blob: 9124aabcf04d2b96409890169a86ea2fe003b744 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
title:CVE 2010-1160 Exploiting nano
keywords:cve,nano,exploit
# CVE 2010-1160 Exploiting nano
CVE-2010-1160 Nano Changed File Symlink Privilege Escalation
Usualy if I have to edit some file I am using nano editor. It is almost
on every distribution and easy and fast to use.
Some time ago i hated vim beacouse of Ctrl-D =] and that way used nano or pico.
Now I know how to exit from vim :q!. After this bug reported in CVE I was
excited to check it out in real life. It is first bug that i have fully
tested. This bug is fixed in newest versions. Testing all nano version
this bug works on < 2.1.7 versions now on my system is latest nano
version and I have compiled many < 2.1.7 versions to test this bug.
To get your nano version run:
```sh
$ nano -V
```
When user is editing file nano don't check if it is edited by some one
else. When saving file it simply save it and dont check if it was
modified. If file was changed by some one else then nano will overwrite
it with his text. But it can be changed to symlink that points to other file.
How to use it in real life:
1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file
Everything looks like
```sh
$nano text.txt
``
Now some one do:
```sh
$ls -s empty.txt text.txt
```
Nano save what you save in text.txt
In python it looks like:
```python
os.remove( "text.txt" )
open( "empty.txt" , "w" ).close()
os.symlink( "empty.txt" , "text.txt"
```
If you are root and opening file with owner isnt you.
Than owner while you editing his file can setsymlink to some
"/etc/important.conf" and you will overwrite it with some other
unrelated info. This can make some harm to your system.
How can it be exploited in real life by "small unprivileged user".
Make some interesting file that root will interested in. Make some
process that watch nanos running in system.
If nano opened file is our , symlink it.
1)Detect running nano in system
2)Check with file is opened
3)If file is yours make symlink
Script is only for user and dont work if you try to symlink root
opened nano. It makes all steps as described above. Change script
variables for your tests:
```text
debug = True
nano = "nano-2.0.9"
user = "user"
sym_path="/home/user/empty.txt"
```
Tested only with python 2.6.5
Simply be updated or if you using old nano dont open with
privileged user unprivileged user files. It will save you from this bug.
## Links
http://osvdb.org/show/osvdb/63872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
http://drosenbe.blogspot.com/2010/03/nano-as-root.html
http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup
## Downloads
nano_bug.tar.gz -
1KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug.tar.gz
nano_bug_catch.tar.gz -
2KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug_catch.tar.gz
|