CVE-2023-39107 - NoMachine Arbitrary File Overwrite

Using hardlinks to overwrite root-owned files



Posted by NSEcho on 2023-07-21 19:09:42

Introduction

NoMachine is a free remote desktop solution which features higher speeds than its usual competitors. I identified a way to overwrite root-owned files, and after creating a PoC I contacted the NoMachine team, which was quick to address the vulnerability and issue a new update.

The vulnerability affected the NoMachine free edition and Enterprise Client for macOS, and it is fixed in version v8.8.1.

Analysis

The NoMachine application writes its log files to the directory /Library/Application Support/NoMachine/var/log. Examining the permissions of this directory, we can see that it is owned by the user nx and that rwx is set for everyone.

Figure: Permissions of directory

The directory contains a couple of .log files. Because everyone is granted rwx on the directory, we can simply create a hardlink there which points to a root-owned file; once the application writes something to the log file, that root-owned file gets overwritten.

Figure: Content of the directory
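The condition described in this section can be checked for on a host. The following is an added example, not code from the original post or from NoMachine: audit_log_dir reports a world-writable log directory and any log file whose inode has more than one name, and open_log_safely sketches one way a privileged writer could refuse such a file. Both function names are hypothetical, and the open-time check is an assumption about a possible mitigation, not a description of the vendor's fix.

```python
import os
import stat
import sys

# Log directory named in the article; pass another path as argv[1] to audit it instead.
DEFAULT_DIR = "/Library/Application Support/NoMachine/var/log"

def audit_log_dir(path):
    """Return sorted (finding, path) tuples for a directory a privileged process logs into."""
    findings = []
    d = os.lstat(path)
    if stat.S_ISLNK(d.st_mode):
        return [("dir-is-symlink", path)]
    # Write permission for "other" lets any local user add or replace names here.
    if d.st_mode & stat.S_IWOTH:
        findings.append(("world-writable-dir", path))
    with os.scandir(path) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISLNK(st.st_mode):
                findings.append(("symlink", entry.path))
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                # The inode has another name on this volume, so a write through
                # the log name also changes whatever that other name is.
                findings.append(("hardlinked-file", entry.path))
    return sorted(findings)

def open_log_safely(path):
    """Open a log for appending; refuse symlinks and files with more than one link."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    st = os.fstat(fd)  # checked on the open descriptor, not on the path
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError(f"{path}: not a singly linked regular file")
    return fd

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    try:
        for finding, where in audit_log_dir(target):
            print(f"{finding}: {where}")
    except FileNotFoundError:
        print(f"{target} does not exist on this host")
```

A link count above 1 on a log file is only an indicator; the underlying problem is the write permission for everyone on a directory that a privileged process writes into.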

Exploitation

To exploit the vulnerability, we simply need to create the hardlink. As the root user, we will create the file /Library/secret and then make nxserver.log a hardlink to that file.

Figure: Exploitation