CVE 2010-1160 Exploiting nano

CVE-2010-1160 Nano Changed File Symlink Privilege Escalation Usualy if I have to edit some file I am using nano editor. It is almost on every distribution and easy and fast to use.

Some time ago i hated vim beacouse of Ctrl-D =] and that way used nano or pico. Now I know how to exit from vim :q!. After this bug reported in CVE I was excited to check it out in real life. It is first bug that i have fully tested. This bug is fixed in newest versions. Testing all nano version this bug works on < 2.1.7 versions now on my system is latest nano version and I have compiled many < 2.1.7 versions to test this bug.

To get your nano version run:

$ nano -V

When user is editing file nano don't check if it is edited by some one else. When saving file it simply save it and dont check if it was modified. If file was changed by some one else then nano will overwrite it with his text. But it can be changed to symlink that points to other file. How to use it in real life:

1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file

Everything looks like

$nano text.txt
``

Now some one do:

$ls -s empty.txt text.txt


Nano save what you save in text.txt

In  python it looks like:

```python
os.remove( "text.txt" )
open( "empty.txt" , "w" ).close()
os.symlink( "empty.txt" , "text.txt"

If you are root and opening file with owner isnt you. Than owner while you editing his file can setsymlink to some "/etc/important.conf" and you will overwrite it with some other unrelated info. This can make some harm to your system.

How can it be exploited in real life by "small unprivileged user". Make some interesting file that root will interested in. Make some process that watch nanos running in system. If nano opened file is our , symlink it.

1)Detect running nano in system
2)Check with file is opened
3)If file is yours make symlink

Script is only for user and dont work if you try to symlink root opened nano. It makes all steps as described above. Change script variables for your tests:

debug = True
nano = "nano-2.0.9"
user = "user"
sym_path="/home/user/empty.txt"

Tested only with python 2.6.5

Simply be updated or if you using old nano dont open with privileged user unprivileged user files. It will save you from this bug.

Links

http://osvdb.org/show/osvdb/63872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
http://drosenbe.blogspot.com/2010/03/nano-as-root.html
http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup

Downloads

nano_bug.tar.gz - 1KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug.tar.gz nano_bug_catch.tar.gz - 2KiB - http://archive.main.lv/files/writeup/cve_2010-1160_exploiting_nano/nano_bug_catch.tar.gz