Author: Stan Bubrouski
Date: October 31, 2003
Package(s): j2re/j2sdk
OS: Linux (possibly others, see below)
Versions: 1.4.2 - 1.4.2_02
Severity: Local users may overwrite any file owned by the user who installs Java, due to insecure file handling while unpacking/installing Java.

Problem:

There are two sources of insecure file creation while installing Java on Linux: the unpack program that is used to unpack the install files [1], and the RPM scripts [2].

I'll start off by describing [1]. Regardless of whether you downloaded the Linux .bin or rpm.bin installer, when you run the .bin and accept the license or install the RPM, Sun invokes its own unpack program. The program is stored in /usr/java/j2re<version>/lib/unpack while Java is being installed, and it is erased after the install. Every time unpack is invoked it insecurely creates the file /tmp/unpack.log, so with a simple symlink you can overwrite any file owned by the person installing Java. This is most often root if installing the RPM.

The second problem [2] lies in the postinstall scripts, which insecurely create the files /tmp/.mailcap1 and /tmp/.mime.types1, with the same possibilities as in [1]. To give you an idea of just how ugly the scripts are, a grep:

  [null@fedora null]# rpm -q --scripts j2re | grep /tmp
  tfile=/tmp/getjrelist$$.tmp
  grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
  cp -p /tmp/.mailcap1 $MAILCAP_FILE
  rm /tmp/.mailcap1
  tfile=/tmp/getjrelist$$.tmp
  grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
  cp -p /tmp/.mailcap1 $MAILCAP_FILE
  rm /tmp/.mailcap1
  grep -v ${MIME_TYPE} < $MIME_FILE > /tmp/.mime.types1
  cp -p /tmp/.mime.types1 $MIME_FILE
  rm /tmp/.mime.types1
  grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
  cp -p /tmp/.mailcap1 $MAILCAP_FILE
  rm /tmp/.mailcap1

Needless to say, check /tmp before installing these RPMs and binaries.

I have not tested packages for other platforms like Solaris, but if they make use of the same unpack program they would be vulnerable too.

Solution: Be cautious when installing these packages: check /tmp.

Regards,
Stan Bubrouski
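As an added example (not Sun's code or the advisory's), a hardened form of the post-install filter shown in the grep output above, together with the "check /tmp" step the advisory recommends; the function names safe_filter and check_tmp and the optional directory argument are assumptions made here.

```shell
# Added example: hardened replacement for
#   grep -v ${MIME_TYPE} < $MAILCAP_FILE > /tmp/.mailcap1
# mktemp creates a new, unpredictable file with O_EXCL semantics, so a
# symlink planted in advance at a guessable name is never followed. Names
# built from $$ such as /tmp/getjrelist$$.tmp are not a fix either: PIDs
# are small and predictable.
safe_filter() {
    mailcap_file="$1"
    mime_type="$2"
    tmp=$(mktemp "${TMPDIR:-/tmp}/mailcap.XXXXXX") || return 1
    trap 'rm -f "$tmp"' EXIT          # clean up even on early failure
    grep -v -- "$mime_type" < "$mailcap_file" \
        | grep -v "# Java Web Start" > "$tmp"
    # Write through the existing file so its owner and mode are kept
    # (cp -p would copy the 0600 mode of the temp file onto it).
    cat "$tmp" > "$mailcap_file"
    rm -f "$tmp"
}

# Pre-install check: refuse to continue if any of the predictable names
# the installer will create already exists. The directory argument is an
# assumption added for testing; the real check runs against /tmp.
check_tmp() {
    dir="${1:-/tmp}"
    status=0
    for name in unpack.log .mailcap1 .mime.types1; do
        f="$dir/$name"
        if [ -L "$f" ]; then
            echo "WARNING: $f is a symlink to $(readlink "$f")" >&2
            status=1
        elif [ -e "$f" ]; then
            echo "WARNING: $f already exists" >&2
            status=1
        fi
    done
    return "$status"
}

# Typical use before running the installer:
#   check_tmp || { echo "clean up /tmp first" >&2; exit 1; }
```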