10912359 2003-10-31 02:05 -0500 /65 lines/ Stan Bubrouski <stan@ccs.neu.edu>
Imported: 2003-10-31 18:32 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <29705>
Subject: Advisory: Sun's jre/jdk 1.4.2 multiple vulnerabilities in linux installers
------------------------------------------------------------
From: Stan Bubrouski <stan@ccs.neu.edu>
To: bugtraq@securityfocus.com
Message-ID: <1067583912.18552.158.camel@wvanl14.resnet.neu.edu>

Author: Stan Bubrouski
Date: October 31, 2003
Package(s): j2re/j2sdk
OS: Linux (possibly others, see below)
Versions: 1.4.2 - 1.4.2_02
Severity: Local users may overwrite any file owned by the user who
installs Java, due to insecure handling of files in /tmp while
unpacking/installing Java.

Problem:  There are two sources of insecure file creation while
installing Java on Linux: the unpack program that is used to unpack
the install files [1], and the RPM postinstall scripts [2].

I'll start off by describing [1].  Regardless of whether you
downloaded the Linux .bin or the rpm.bin installer, when you run the
.bin and accept the license, or install the RPM, Sun's installer
invokes its own unpack program.  The program is stored at
/usr/java/j2re<version>/lib/unpack while Java is being installed, and
it is erased after the install.

Every time unpack is invoked it creates the log file /tmp/unpack.log
under that fixed, predictable name, without checking whether something
already exists there.

So a local user only needs to plant a symlink at /tmp/unpack.log
beforehand: the installer follows it and overwrites the target, which
can be any file owned by the person installing Java.  That is most
often root when installing the RPM.

The second problem [2] lies in the postinstall scripts, which create
the files /tmp/.mailcap1 and /tmp/.mime.types1 in the same insecure
way (fixed names in /tmp, written with a plain shell redirection), so
the same symlink attack applies as with [1].

To give you an idea of just how ugly the scripts are, a grep:

[null@fedora null]# rpm -q --scripts j2re | grep /tmp
   tfile=/tmp/getjrelist$$.tmp
          grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
          cp -p /tmp/.mailcap1 $MAILCAP_FILE
          rm /tmp/.mailcap1
   tfile=/tmp/getjrelist$$.tmp
    grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
    cp -p /tmp/.mailcap1 $MAILCAP_FILE
    rm /tmp/.mailcap1
    grep -v ${MIME_TYPE} < $MIME_FILE > /tmp/.mime.types1
    cp -p /tmp/.mime.types1 $MIME_FILE
    rm /tmp/.mime.types1
          grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
          cp -p /tmp/.mailcap1 $MAILCAP_FILE
          rm /tmp/.mailcap1

Needless to say, check /tmp for these names before installing these
RPMs and binaries.  I have not tested packages for other platforms
like Solaris, but if they make use of the same unpack program they
would be vulnerable too.

Solution: Be cautious when installing these packages: check /tmp for
pre-existing files or symlinks named unpack.log, .mailcap1 or
.mime.types1 before running the installer.
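The following is a worked example added here; it is not part of the advisory and not Sun's installer code.  It covers both [1] and [2], since they share one underlying pattern: a fixed name in /tmp opened with a plain shell redirection.  Inside a scratch directory that stands in for /tmp, it plants a symlink the way a local attacker would, runs the same grep/cp/rm sequence as the j2re postinstall script against it, then runs a mktemp-based rewrite of that sequence, and finishes with the "check /tmp" test from the Solution above.  The MIME type string, the mailcap contents and the victim file are constructed sample data; the real script's ${MIME_TYPE} and $MAILCAP_FILE values are not known from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory or from Sun's installer: reproduces the
# fixed-name /tmp pattern from the j2re postinstall script in a scratch
# directory, shows a planted symlink redirecting the write, then shows the
# mktemp-based fix and the pre-install "check /tmp" test.
# Assumptions: $SANDBOX stands in for /tmp; MIME_TYPE is a stand-in for the
# script's ${MIME_TYPE}; mailcap and victim contents are constructed data.

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
MIME_TYPE='application/x-java-jnlp-file'   # assumed value of ${MIME_TYPE}

# Fresh state: a two-line mailcap (one entry is the Java Web Start one) and a
# file owned by the installing user that the attacker wants overwritten.
setup() {
    rm -f "$SANDBOX/.mailcap1"
    printf '%s\n' 'text/plain; less %s' \
        'application/x-java-jnlp-file; javaws %s # Java Web Start' > "$SANDBOX/mailcap"
    printf 'secret\n' > "$SANDBOX/victim"
}

# Attacker's move, done before the installer runs: the predictable name
# becomes a symlink to the file to be clobbered.
plant_symlink() { ln -sf "$SANDBOX/victim" "$SANDBOX/.mailcap1"; }

# The vulnerable pattern, as in the rpm -q --scripts output: ">" opens the
# fixed name, follows the symlink, and truncates whatever it points at.
vulnerable_rewrite() {
    grep -v "$MIME_TYPE" < "$1" | grep -v "# Java Web Start" > "$SANDBOX/.mailcap1"
    cp -p "$SANDBOX/.mailcap1" "$1"
    rm -f "$SANDBOX/.mailcap1"
}

# Hardened pattern: mktemp creates a new file under an unguessable name with
# O_CREAT|O_EXCL, so nothing an attacker planted in advance is followed.
safe_rewrite() {
    tmp=$(mktemp "$SANDBOX/mailcap.XXXXXX") || return 1
    grep -v "$MIME_TYPE" < "$1" | grep -v "# Java Web Start" > "$tmp"
    cp -p "$tmp" "$1"
    rm -f "$tmp"
}

# True while the victim file still holds its original contents.
victim_intact() { grep -q '^secret$' "$SANDBOX/victim"; }

# The advisory's pre-install check: return 1 if any name the installer will
# open already exists in the directory, reporting whether it is a symlink.
# getjrelist$$.tmp varies only by PID, so a glob covers it as well.
check_tmp() {
    dir=$1; bad=0
    for f in "$dir/unpack.log" "$dir/.mailcap1" "$dir/.mime.types1" "$dir"/getjrelist*.tmp; do
        if [ -L "$f" ]; then
            echo "SYMLINK  $f -> $(readlink "$f")"; bad=1
        elif [ -e "$f" ]; then
            echo "EXISTS   $f"; bad=1
        fi
    done
    return "$bad"
}

# Demo: the same planted symlink, vulnerable path versus hardened path.
setup; plant_symlink
vulnerable_rewrite "$SANDBOX/mailcap"
if victim_intact; then echo "fixed name:  victim untouched"
else echo "fixed name:  victim overwritten through the symlink"; fi

setup; plant_symlink
safe_rewrite "$SANDBOX/mailcap"
if victim_intact; then echo "mktemp:      victim untouched"
else echo "mktemp:      victim overwritten"; fi

check_tmp "$SANDBOX" || echo "check_tmp:   stale entries found, do not install"
```

The same symlink is present in both runs; only the way the temporary file is opened differs.  Note that `cp -p` in the vulnerable sequence also dereferences the symlink when copying back, so the filtered mailcap ends up in both the victim and $MAILCAP_FILE, and the final `rm` removes only the link, leaving no trace of the planted file.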

Regards,

Stan Bubrouski
(10912359) /Stan Bubrouski <stan@ccs.neu.edu>/(Rewrapped)
Attachment (application/pgp-signature) in text 10912361
10912361 2003-10-31 02:05 -0500 /9 lines/ Stan Bubrouski <stan@ccs.neu.edu>
Attachment filename: "signature.asc"
Imported: 2003-10-31 18:32 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <29706>
Attachment (application/pgp-signature) to text 10912359
Subject: Attachment (signature.asc) to: Advisory: Sun's jre/jdk 1.4.2 multiple vulnerabilities in linux installers
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQA/ogmmQHy9+2ztQiARAhoSAJwODvb0FoULo7tqy7lZD9nM36KM/wCgoz+Q
iSCVQj7f6aKmz1lcGHemp3c=
=LCii
-----END PGP SIGNATURE-----
(10912361) /Stan Bubrouski <stan@ccs.neu.edu>/------