Message-ID: <1067583912.18552.158.camel@wvanl14.resnet.neu.edu>
Date: Fri, 31 Oct 2003 02:05:12 -0500
From: Stan Bubrouski <stan@....neu.edu>
To: bugtraq@...urityfocus.com
Subject: Advisory: Sun's jre/jdk 1.4.2 multiple vulnerabilities in Linux installers

Author: Stan Bubrouski
Date: October 31, 2003
Package(s): j2re/j2sdk
OS: Linux (possibly others, see below)
Versions: 1.4.2 - 1.4.2_02
Severity: Local users may overwrite any file owned by the user who
installs java due to insecure file handling while unpacking/installing
java.

Problem:  There are two sources of insecure file creation while
installing Java on Linux: the unpack program that is used to unpack[1]
the install files, and the RPM scripts[2].

I'll start off by describing [1].  Regardless of whether you downloaded
the Linux .bin or rpm.bin installer, when you run the .bin and accept
the license or install the rpm, Sun invokes its own unpack program.
The program is stored in /usr/java/j2re<version>/lib/unpack while Java
is being installed, and it is erased after the install.

Every time unpack is invoked it insecurely creates the file
/tmp/unpack.log

So with a simple symlink you can overwrite any file owned by the person
installing Java.  This is most often root when installing the RPM.

The second problem [2] lies in the postinstall scripts, which
insecurely create the files /tmp/.mailcap1 and /tmp/.mime.types1, with the
same possibilities as in [1].

To give you an idea of just how ugly the scripts are, a grep:

[null@...ora null]# rpm -q --scripts j2re | grep /tmp
   tfile=/tmp/getjrelist$$.tmp
          grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web
Start" > /tmp/.mailcap1
          cp -p /tmp/.mailcap1 $MAILCAP_FILE
          rm /tmp/.mailcap1
   tfile=/tmp/getjrelist$$.tmp
    grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" >
/tmp/.mailcap1
    cp -p /tmp/.mailcap1 $MAILCAP_FILE
    rm /tmp/.mailcap1
    grep -v ${MIME_TYPE} < $MIME_FILE > /tmp/.mime.types1
    cp -p /tmp/.mime.types1 $MIME_FILE
    rm /tmp/.mime.types1
          grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web
Start" > /tmp/.mailcap1
          cp -p /tmp/.mailcap1 $MAILCAP_FILE
          rm /tmp/.mailcap1

Needless to say, check /tmp before installing these RPMs and binaries.  I
have not tested packages for other platforms like Solaris, but if they
make use of the same unpack program they would be vulnerable too.

Solution: Be cautious when installing these packages, and check /tmp first.
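As an added example (not code from the advisory or from Sun's installer), the snippet below shows the hardened form of the mailcap-editing step, with the temporary file created by mktemp beside the target instead of at a fixed /tmp path, plus a small helper that flags fixed /tmp paths in `rpm -q --scripts` output. The mailcap lines and the sample scriptlet are constructed for the demonstration, modelled on the fragment quoted above.

```shell
#!/bin/sh
# Added example, not Sun's installer code. Hardened replacement for the
# pattern "grep -v ... > /tmp/.mailcap1; cp -p /tmp/.mailcap1 $MAILCAP_FILE".
# Assumption: $1 is the MIME type to drop, $2 the mailcap file being edited.
remove_mime_entry() {
    mime_type=$1 target=$2
    [ -r "$target" ] || return 1
    # mktemp creates the file with an unpredictable name, O_EXCL and mode
    # 0600, and placing it beside the target (not in /tmp) keeps it out of
    # a world-writable directory; mv then replaces the target in one step.
    tmp=$(mktemp "$(dirname "$target")/.mailcap.XXXXXX") || return 1
    grep -v "$mime_type" < "$target" | grep -v "# Java Web Start" > "$tmp" || :
    mv -f "$tmp" "$target"
}

# Audit helper: print scriptlet lines that touch a fixed path under /tmp.
# Names built from $$ are still guessable, so they are reported as well;
# only mktemp-style templates (XXXXXX) are treated as safe.
# Usage: rpm -q --scripts j2re | flag_fixed_tmp_paths
flag_fixed_tmp_paths() {
    grep -nE '/tmp/' | grep -vE 'mktemp|XXXXXX' || :
}

# Constructed sample modelled on the scriptlet fragment quoted in the advisory.
SAMPLE_SCRIPTLET='tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
safe=$(mktemp /tmp/getjrelist.XXXXXX)'

# Number of sample lines the audit flags (4 of the 5 above; the mktemp line passes).
count_sample_findings() {
    printf '%s\n' "$SAMPLE_SCRIPTLET" | flag_fixed_tmp_paths | wc -l | tr -d ' '
}

# Stand-alone demo: list the flagged lines of the constructed sample.
printf '%s\n' "$SAMPLE_SCRIPTLET" | flag_fixed_tmp_paths
```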

Regards,

Stan Bubrouski
