Bug 2278574 (CVE-2024-5742) - CVE-2024-5742 nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file
Summary: CVE-2024-5742 nano: running `chmod` and `chown` on the filename allows malici...
Keywords:
Status: NEW
Alias: CVE-2024-5742
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2290866 2290867
Blocks: 2278576
TreeView+ depends on / blocked
 
Reported: 2024-05-02 06:13 UTC by TEJ RATHI
Modified: 2024-06-10 14:10 UTC (History)
3 users (show)

Fixed In Version: nano 8.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description TEJ RATHI 2024-05-02 06:13:29 UTC
When nano is killed while it has a modified buffer, it saves this buffer to an emergency .save file and then chmods and chowns this file to the permissions and owner of the original file. This means that when nano is run as root and edits a user-owned file in a directory that is writable by that user, it gives a malicious user a window of opportunity to replace the .save file with a malicious symlink to a root-owned file. To be exploitable, it requires that the malicious user is able to kill the nano run by root. The original reporters of the problem said this:

We think it will mostly have an impact on multi-user systems. Where an admin might open a user's file -- for example to fix a broken config file. This could be in a user directory, requiring the admin to either become the user, or become root. If an admin does the latter, this attack can be performed - as long as the user can kill nano of course. One such example might be when root is logged in over `ssh` to a low-privilege user machine and the user can turn off the wifi on that machine.

https://bugzilla.redhat.com/show_bug.cgi?id=2277586
https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2

Comment 3 Pedro Sampaio 2024-06-07 12:25:49 UTC
Created nano tracking bugs for this issue:

Affects: fedora-39 [bug 2290866]
Affects: fedora-40 [bug 2290867]


Note You need to log in before you can comment on or make changes to this bug.