Date: 2002-06-20 10:25 +0300
From: Jarno Huuskonen <Jarno.Huuskonen+bugtraq@uku.fi>
To: bugtraq@securityfocus.com
Message-ID: <20020620102516.A91920@messi.uku.fi>
Subject: Acrobat reader 4.05 temporary files
------------------------------------------------------------

Insecure temporary files in Acrobat Reader 4.05
Jarno.Huuskonen@iki.fi
$Date: 2002/06/20 07:21:29 $
------------------------------------------------------------

Author:        Jarno Huuskonen <Jarno.Huuskonen@iki.fi>
Discovered:    Wed 18 Jul 2001
Vendor status: Adobe (security@adobe.com) contacted on Thu 19 Jul 2001.
               Adobe said that they'll look into this. Acrobat Reader 5.05
               appears to correct the problem.
Platforms:     Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this
               only on Linux, but I believe that all 'Unix' versions are
               affected.
Severity:      Low: possible local file overwrite (symlink attack).
               (For more information about race conditions see [1][2][3].)

Abstract:

Acrobat Reader (acroread) creates temporary files in /tmp (or in the
directory pointed to by the TMP environment variable) insecurely when
opening or printing a PDF document.

Details:

Out of curiosity I straced acroread to see if it uses temporary files.
From the strace output I noticed that acroread does open temporary files
in /tmp (or in $TMP if you have it set) without using O_EXCL, so acroread
will follow symbolic links when creating the temporary file.

Here is an example from an strace output that shows the problem:

stat("/tmp/Acro48IBR1", 0xbfffe958) = -1 ENOENT (No such file or directory)
open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
...
...
unlink("/tmp/Acro48IBR1") = 0

These temporary files are created at least when opening a document and
printing a document (Print To: Printer Command). (I assume the Acrobat
Reader Netscape plugin has the same problem. I didn't check this though.)

Workaround:

Set the TMP environment variable to a secure directory (e.g. ~/tmp) before
using Acrobat Reader (and possibly before launching Netscape if you use the
Acrobat plugin). One possible way to achieve this would be to replace the
acroread shell script with a script that sets TMP and then execs the
original acroread (or directly modify the acroread script if the license
permits this).

Solution:

Acrobat Reader 5.05 appears to correct this problem. Download the updated
version from http://www.adobe.com.

References:

1. David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
   http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html
2. Kris Kennaway's post to Bugtraq about temporary files.
   http://lwn.net/2000/1221/a/sec-tmp.php3
3. Creating Secure Software:
   http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf

-- 
Jarno Huuskonen <Jarno.Huuskonen atsign iki.fi>
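The open() call in the strace excerpt above (O_RDWR|O_CREAT|O_TRUNC on a fixed name, no O_EXCL) next to the hardened form, as an added example that is not part of the original post or of acroread. The demo function builds its own scratch directory under /tmp with a constructed file and symlink, so it runs stand-alone; the directory and file names are assumptions, not values from the advisory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The call the strace output shows: fixed name, O_CREAT|O_TRUNC, no O_EXCL.
 * If an entry already sits at 'path' (a symlink, say), open() follows it. */
int open_tmp_insecure(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if any entry,
 * symlink included, already exists at 'path'; mode 0600 keeps it private.
 * (mkstemp() gives the same flags plus an unpredictable name.) */
int open_tmp_excl(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Constructed demo: makes a private scratch directory, plants a symlink
 * named like the advisory's temp file pointing at a pre-existing file,
 * then runs both opens against it. Returns a bitmask: bit 0 set if the
 * O_EXCL open refused with EEXIST, bit 1 set if the insecure open followed
 * the link and truncated the target. Returns -1 on setup failure. */
int demo_symlink_difference(void) {
    char dir[] = "/tmp/acrodemoXXXXXX";          /* assumed writable */
    if (mkdtemp(dir) == NULL) return -1;
    char target[128], lnk[128];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/Acro48IBR1", dir);

    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "important data\n", 15) != 15) return -1;
    close(fd);
    if (symlink(target, lnk) != 0) return -1;

    int result = 0;
    if (open_tmp_excl(lnk) < 0 && errno == EEXIST) result |= 1;

    fd = open_tmp_insecure(lnk);                  /* follows the symlink */
    struct stat st;
    if (fd >= 0 && stat(target, &st) == 0 && st.st_size == 0) result |= 2;
    if (fd >= 0) close(fd);

    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}
```

The $TMP workaround in the post works because it moves the fixed-name file out of a world-writable directory; the O_EXCL form fixes the root cause regardless of where the file lands.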