BugTraq
Advisory: Sun's jre/jdk 1.4.2 multiple vulernabilities in linuxinstallers Oct 31 2003 07:05AM
Stan Bubrouski (stan ccs neu edu)
Author: Stan Bubrouski
Date: October 31, 2003
Package(s): j2re/j2sdk
OS: Linux (possibly others, see below)
Versions: 1.4.2 - 1.4.2_02
Severity: Local users may overwrite any file owned by the user who
installs java due to insecure file handling while unpacking/installing
java.

Problem: There are two sources of insecure file-creation while
installing java on linux: the unpack program that is used to unpack[1]
the install files and the RPM scripts[2].

I'll start off by describing [1]. Regardless of whether you downloaded
the Linux .bin or rpm.bin installer, when you run the .bin and accept
the license or install the rpm, sun invokes it's own unpack program.
The program is stored in /usr/java/j2re<version>/lib/unpack while java
is being installed, and it is erased after the install.

Every time unpack is invoked it insecurely creates the file
/tmp/unpack.log

So a simple symlink and you can overwrite any file owned by the person
installing java. This is most often root if installing the RPM.

The second problem [2] lies in the scripts for postinstall which
insecurely create the files /tmp/.mailcap1 and /tmp/.mime.types1, same
possibilities as with [1].

To give you an idea of just how ugly the scripts are, a grep:

[null@fedora null]# rpm -q --scripts j2re | grep /tmp
tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web
Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" >
/tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
grep -v ${MIME_TYPE} < $MIME_FILE > /tmp/.mime.types1
cp -p /tmp/.mime.types1 $MIME_FILE
rm /tmp/.mime.types1
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web
Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1

Needless to say check /tmp before installing these rpms and binaries. I
have not tested packages for other platforms like Solaris, but if they
make use of the same unpack program they would be vulnerable too.

Solution: Be cautious when installing these packages, check /tmp

Regards,

Stan Bubrouski

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus