CVE-2022-37290 - Crashing GNOME Nautilus with a Malicious ZIP Archive

If you’re using Linux with the GNOME desktop, you've probably used Nautilus—the default file manager—for everyday file operations. However, a vulnerability labeled CVE-2022-37290 discovered in 2022 can let a specially crafted ZIP file crash Nautilus completely. In this post, we’ll break down the bug, show the technical details, and explain how an attacker could trigger it—all in simple terms.

What’s CVE-2022-37290 All About?

CVE-2022-37290 affects GNOME Nautilus version 42.2. The vulnerability allows a NULL pointer dereference and subsequent application crash when Nautilus tries to handle a malicious ZIP archive pasted into a folder.

In layman’s terms: if you copy and paste a specially corrupt ZIP file into your file manager, Nautilus will try to "read" something that doesn’t exist, causing it to crash.

The Impact

- Denial of Service (DoS): While not a remote code execution or a way for attackers to take over your system, this flaw is disruptive because it can repeatedly crash Nautilus, interfering with your workflow.
- Crash, Not Hack: This is an application crash, not a system compromise. But stability is important!

The Problem Function: get_basename

Nautilus uses the function get_basename to figure out filenames in archives. When you paste a ZIP file that’s been crafted in a certain way, this function tries to process a NULL value—data that’s not really there! This triggers a segmentation fault and Nautilus crashes.

Why does this happen?
ZIP archives sometimes have paths that lack a base name component (like / or empty strings), causing the code to try to access memory through a NULL pointer.

Here’s a mockup of what might be happening under the hood

// Simplified logic inspired by Nautilus
char* get_basename(const char* path) {
    // Find the last slash
    char* slash_ptr = strrchr(path, '/');
    if (!slash_ptr)
        return NULL; // No slash, nothing returned
    return strdup(slash_ptr + 1);
}

void handle_file(const char* file_path) {
    char* base = get_basename(file_path);
    // Problem: If 'base' is NULL, the next line crashes!
    printf("Base name is: %s\n", base);    
    free(base);
}

If get_basename returns NULL and the program tries to print it with %s, it causes a crash.

Step-by-Step Exploit: How to Crash Nautilus

1. Create a Malformed ZIP Archive: Make a ZIP file with an entry missing a base name or using special path patterns.

Copy the Archive: In GNOME Nautilus, use “Copy” on the ZIP file.

3. Paste the File in a Folder: Nautilus tries to process the file to show its icon, preview, or metadata—then BOOM, it crashes!

Use Python to create a zip with just an empty directory

import zipfile

with zipfile.ZipFile('crash.zip', 'w') as zf:
    # Add an empty directory
    zf.writestr('some-dir/', '')  # Directory entry, no file

This ZIP has an entry some-dir/ which might lack a basename when Nautilus reads it.

Note: The exact structure may vary. The key is making the path ambiguous.

Nautilus v42.2

- Some earlier/later GNOME releases, if unpatched

Modern versions are patched! Make sure your system is up to date.

References & More Info

- CVE-2022-37290 at Mitre
- Red Hat Bugzilla #2111463
- Debian Security Tracker

Report bugs: If you see unexplained crashes, report them to your distro.

In summary:
CVE-2022-37290 is a reminder that even file managers can crash from strange files. While this bug isn’t catastrophic, it’s a good example of how small coding mistakes can disrupt daily use. Always update your system and stay cautious!

*Have something to add or questions about this vulnerability? Leave a comment!*

Timeline

Published on: 11/14/2022 08:15:00 UTC
Last modified on: 03/01/2023 15:35:00 UTC