6954840 2001-08-22 05:55 -0700 /111 rader/ Michael Paoli <michael1cat@yahoo.com> Sänt av: joel@lysator.liu.se Importerad: 2001-08-22 16:46 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern kopiemottagare: michael1cat@yahoo.com Mottagare: Bugtraq (import) <18898> Ärende: Adobe Acrobat creates world writable ~/AdobeFnt.lst files ------------------------------------------------------------ From: Michael Paoli <michael1cat@yahoo.com> To: bugtraq@securityfocus.com Cc: michael1cat@yahoo.com Message-ID: <3B83ABD1.E1C10330@yahoo.com> Adobe Acrobat creates world writable ~/AdobeFnt.lst files This problem is present in at least the Linux version: ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz Even with umask as restrictive as 077, the Adobe binary explicitly creates and changes the AdobeFnt.lst file in the HOME directory to be world (and group) writable. Work-arounds are possible, such as by using wrapper script(s). Note that direct patching of the Adobe binary would apparently conflict with the Adobe license. Vendor notified: on or before 2001-03-02 references/excerpts: ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz http://www.google.com/search?q=AdobeFnt.lst+security&btnG=Google+Search http://bugs.debian.org/acroread ftp://ftp.debian.org/debian/pool/non-free/a/acroread/acroread_4.05-4.diff.gz http://www.wiretrip.net/rfp/policy.html example work-around wrappers (use at your own risk, standard disclaimers apply ...): ######################################################################## if [ ! -e $HOME/AdobeFnt.lst ]; then # AcroRead will happily create a world writable AdobeFnt.lst ... trap "rm -f $HOME/AdobeFnt.lst" 0 ln -s /dev/null $HOME/AdobeFnt.lst fi ######################################################################## #wrapper stuff to work around world writable ~/AdobeFnt.lst issues #directory we'll use, relative to HOME, to work around the problem kludgedir=.AdobeFnt.security_kludge_dir #check HOME isn't null [ X"$HOME" != X ] || { 1>&2 echo "$0: HOME is unset or null - aborting" exit 1 } #if pathname for our kludge directory exists if >>/dev/null 2>&1 ls -d "$HOME/$kludgedir" then #check that it's properly secured 2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || { #not properly secured, complain and exit 1>&2 echo "$0: found $HOME/$kludgedir but expecting directory with no group or world write or execute permissions - aborting" exit 1 } else #"$HOME/$kludgedir" doesn't exist, make it (umask 077 && mkdir -p "$HOME/$kludgedir") #we should have properly secure "$HOME/$kludgedir" at this point, verify 2>>/dev/null ls -lLd "$HOME/$kludgedir" | >>/dev/null 2>&1 grep '^d....--.--' || { 1>&2 echo "$0: unable to create properly secured $HOME/$kludgedir - aborting" exit 1 } fi #does "$HOME"/AdobeFnt.lst exist in any form? if >>/dev/null 2>&1 ls -d "$HOME"/AdobeFnt.lst then #"$HOME"/AdobeFnt.lst may already be set up properly - check if [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" != X"$kludgedir"/AdobeFnt.lst ] then #it's not what we were hoping for ... is it ordinary file? if [ ! -L "$HOME"/AdobeFnt.lst -a -f "$HOME"/AdobeFnt.lst ] then rm -f "$HOME"/AdobeFnt.lst #is it gone? [ ! -f "$HOME"/AdobeFnt.lst ] || { 1>&2 echo "$0: failed to remove $HOME/AdobeFnt.lst file - aboring" exit 1 } ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst #test that "$HOME"/AdobeFnt.lst has been set up properly [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || { 1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting" exit 1 } else 1>&2 echo "$0: $HOME/AdobeFnt.lst isn't set up as we need it, please remove it - aborting" exit 1 fi fi else ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst #test that "$HOME"/AdobeFnt.lst has been set up properly [ X"`2>>/dev/null ls -ld "$HOME"/AdobeFnt.lst | sed -ne 's/^l.* -> \(.*\)/\1/p'`" = X"$kludgedir"/AdobeFnt.lst ] || { 1>&2 echo "$0: failed to create proper secure $HOME/AdobeFnt.lst - aborting" exit 1 } fi #we're done with the kludgedir shell variable unset kludgedir ######################################################################## _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com (6954840) /Michael Paoli <michael1cat@yahoo.com>/(Ombruten) 6955581 2001-08-22 10:35 -0700 /75 rader/ Darren Moffat <Darren.Moffat@eng.sun.com> Sänt av: joel@lysator.liu.se Importerad: 2001-08-22 19:47 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: michael1cat@yahoo.com Externa svar till: Darren.Moffat@eng.sun.com Mottagare: Bugtraq (import) <18902> Ärende: Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files ------------------------------------------------------------ From: Darren Moffat <Darren.Moffat@eng.sun.com> To: bugtraq@securityfocus.com, michael1cat@yahoo.com Message-ID: <200108221735.f7MHZmH253088@jurassic.eng.sun.com> >Adobe Acrobat creates world writable ~/AdobeFnt.lst files > >This problem is present in at least the Linux version: >ftp://ftp.adobe.com/pub/adobe/acrobatreader/unix/4.x/linux-ar-405.tar.gz > >Even with umask as restrictive as 077, the Adobe binary explicitly >creates and changes the AdobeFnt.lst file in the HOME directory to be >world (and group) writable. What anoys me almost as much as ignoring the umask is that this file is placed directly into $HOME and isn't a "." file. >Vendor notified: on or before 2001-03-02 I notified Adobe of this on October 27th 1999 and never got any reply, see attached. Another possible workaround would be to create a shared object that replaced the open/chmod calls that change the permissions on the file, this could then be LD_PRELOAD'd so that acroread doesn't do the wrong thing. Using truss on Solaris we can easily see that acroread actually makes an explicit call to set the permissions to 0666. 251032: open("/home/darrenm/AdobeFnt.lst", O_WRONLY|O_CREAT|O_TRUNC, 01) = 6 251032: fchmod(6, 0666) -- Darren J Moffat ------------- Begin Included Message ------------- From darrenm Wed Oct 27 10:08:37 1999 Date: Wed, 27 Oct 1999 10:08:37 +0100 (BST) From: Darren Moffat - Solaris Sustaining Engineering <darrenm@otis.uk> Subject: Acrobat Reader 4.0 for Solaris To: security@adobe.com X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4_33 SunOS 5.8 sun4u sparc Mime-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: vU9ym6j5UvaH9PQ8ueMX+A== Content-Length: 654 Status: O X-Status: $$$$ X-UID: 0000000176 When starting the Acrobat Reader 4.0 for the first time a new file called AdobeFnt.lst is created in the users home directory. This file is created with world writeable permissions (666). Given that this file contains font mappings, this is a security hole as it would allow someone else to replace your font definitions thus making the documents appear different to what the author intended. While you are fixing this security hole, may I suggest that you put the file in a less obtrusive place. Dumping non "." files in a users home directory is considered very bad form in UNIX. Thanks -- Darren J Moffat Solaris Software Sustaining Engineering ------------- End Included Message ------------- (6955581) /Darren Moffat <Darren.Moffat@eng.sun.com>/(Ombruten) 6955974 2001-08-22 20:54 +0200 /22 rader/ <wim@djo.wtm.tudelft.nl> Sänt av: joel@lysator.liu.se Importerad: 2001-08-22 21:19 av Brevbäraren Extern mottagare: Darren.Moffat@eng.sun.com Extern kopiemottagare: Wim Osterholt <wim@djo.wtm.tudelft.nl> Extern kopiemottagare: bugtraq@securityfocus.com Externa svar till: wim@djo.wtm.tudelft.nl Mottagare: Bugtraq (import) <18906> Ärende: Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files ------------------------------------------------------------ From: wim@djo.wtm.tudelft.nl To: Darren.Moffat@eng.sun.com Cc: wim@djo.wtm.tudelft.nl (Wim Osterholt), bugtraq@securityfocus.com Message-ID: <20010822185446.6738.qmail@djo.wtm.tudelft.nl> > >Adobe Acrobat creates world writable ~/AdobeFnt.lst files ... > Another possible workaround would be to create a shared object that > replaced the open/chmod calls that change the permissions on the file, > this could then be LD_PRELOAD'd so that acroread doesn't do the wrong thing. > > Using truss on Solaris we can easily see that acroread actually makes > an explicit call to set the permissions to 0666. And what if that call fails? chattr +i will do miracles, I imagine. Regards, Wim. (6955974) / <wim@djo.wtm.tudelft.nl>/--------------- 6956719 2001-08-22 13:34 -0700 /97 rader/ Darren Moffat <Darren.Moffat@eng.sun.com> Sänt av: joel@lysator.liu.se Importerad: 2001-08-23 00:00 av Brevbäraren Extern mottagare: wim@djo.wtm.tudelft.nl Extern kopiemottagare: bugtraq@securityfocus.com Externa svar till: Darren.Moffat@eng.sun.com Mottagare: Bugtraq (import) <18907> Ärende: Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files ------------------------------------------------------------ From: Darren Moffat <Darren.Moffat@eng.sun.com> To: wim@djo.wtm.tudelft.nl Cc: bugtraq@securityfocus.com Message-ID: <200108222034.f7MKYxH305924@jurassic.eng.sun.com> >> >Adobe Acrobat creates world writable ~/AdobeFnt.lst files >... >> Another possible workaround would be to create a shared object that >> replaced the open/chmod calls that change the permissions on the file, >> this could then be LD_PRELOAD'd so that acroread doesn't do the wrong thing. >> >> Using truss on Solaris we can easily see that acroread actually makes >> an explicit call to set the permissions to 0666. > >And what if that call fails? What call ? Note this code doesn't compile and is intended only as an outline of what could be done. dlsym is how this is done on Solaris but there are equivalent calls in most systems that have dynamic linking. include <sys/types.h> #include <dlfcn.h> #include <stdio.h> #include <stdlib.h> static int fd = -1; int open(const char *path, int oflag, ...) { static int (*fptr)(const char *path, int oflag, ...) = 0; if (fptr == 0) { fptr = dlsym(RTLD_NEXT, "open"); if (fptr == NULL) { (void) printf("dlopen: %s\n", dlerror()); return NULL; } } if (strcmp(path, fntlst) == 0) fd = ((*fptr)(path, oflag)); return (fd); else { return ((*fptr)(path, oflag)); } } int fchmod(int fildes, mode_t mode) { static int (*fptr)(int fildes, mode_t mode) = 0; if (fptr == 0) { fptr = dlsym(RTLD_NEXT, "fchmod"); if (fptr == NULL) { (void) printf("dlopen: %s\n", dlerror()); return NULL; } } if ((fd != -1) && (fildes == fd)) { mode = 0600; } return ((*fptr)(fildes, mode)); } int close(int fildes) { static int (*fptr)(int fildes, mode_t mode) = 0; if (fptr == 0) { fptr = dlsym(RTLD_NEXT, "fchmod"); if (fptr == NULL) { (void) printf("dlopen: %s\n", dlerror()); return NULL; } if (fd == fildes) { fd = -1; } return ((*fptr(fildes)); } >chattr +i will do miracles, I imagine. The world is not Linux on ext2fs. Also that may break something else, you don't really want AdobeFnt.lst being an imutable file, you just want correct permissions on it. -- Darren J Moffat (6956719) /Darren Moffat <Darren.Moffat@eng.sun.com>/(Ombruten) Kommentar i text 6956980 av Scott Howard <scott@doc.net.au> 6956980 2001-08-23 08:34 +1000 /27 rader/ Scott Howard <scott@doc.net.au> Sänt av: joel@lysator.liu.se Importerad: 2001-08-23 01:00 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <18910> Kommentar till text 6956719 av Darren Moffat <Darren.Moffat@eng.sun.com> Ärende: Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files ------------------------------------------------------------ From: Scott Howard <scott@doc.net.au> To: bugtraq@securityfocus.com Message-ID: <20010823083436.A26116@milliways.doc.net.au> > >> >Adobe Acrobat creates world writable ~/AdobeFnt.lst files > Another possible workaround would be to create a shared object that > replaced the open/chmod calls that change the permissions on the file, > this could then be LD_PRELOAD'd so that acroread doesn't do the wrong thing. How about : mkdir ~/.adobe chmod 600 ~/.adobe mv ~AdobeFnt.lst ~/.adobe/ ln -s ~/.adobe/AdobeFnt.lst ~ As the chmod will follow the symlink, it will change the permissions of the file, not the link. This means that the file itself still ends up as mode 0666, but as the directory it's in is mode 0600, then nobody will be able to access it other than the owner. Adding the above (with some checking that it hasn't already been done, etc) to a script which start Acrobat would handle the problem for all users. Scott. (6956980) /Scott Howard <scott@doc.net.au>/(Ombruten) 6963304 2001-08-23 13:07 -0700 /49 rader/ Darren Moffat <Darren.Moffat@eng.sun.com> Sänt av: joel@lysator.liu.se Importerad: 2001-08-23 22:42 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Externa svar till: Darren.Moffat@eng.sun.com Mottagare: Bugtraq (import) <18930> Ärende: Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files ------------------------------------------------------------ From: Darren Moffat <Darren.Moffat@eng.sun.com> To: bugtraq@securityfocus.com Message-ID: <200108232008.f7NK8PH602485@jurassic.eng.sun.com> The AdobeFnt.lst file is actually comes from libCoolType.so.1 so there is potential that other Adobe software that uses libCoolType.so.1 would also be vulnerable to this bug. I don't know if there is other stuff that uses libCoolType or not, but looking at the symbol table it appears that it is a font library of sorts [I also noticed that it was compiled with gcc ;-)]. It appears that the permissions are only set insecurely if the file didn't already exist, so a very simple wrapper around AdobeFnt.lst that created the file with good permissions first would probably suffice. Using truss on Solaris I discovered that the creation of the AdobeFnt.lst file in the users home directory is the only time that fchmod(fd, 0666) was called so my previous LD_PRELOAD fix that circumvents Adobe's poor security can be simplfied to just this (which I have compiled and tested): #include <limits.h> #include <sys/types.h> #include <dlfcn.h> #include <stdio.h> #include <stdlib.h> int fchmod(int fildes, mode_t mode) { static int (*fptr)(int fildes, mode_t mode) = 0; if (fptr == 0) { fptr = (int (*)(int, mode_t))dlsym(RTLD_NEXT, "fchmod"); if (fptr == NULL) { (void) printf("dlopen: %s\n", dlerror()); return NULL; } } mode = 0600; return ((fptr)(fildes, mode)); } -- Darren J Moffat (6963304) /Darren Moffat <Darren.Moffat@eng.sun.com>/(Ombruten)