[Full-Disclosure] Java Virtual Machine Symlink Vulnerability

From: meme-boi (meme-boi_at_nothotmail.org)
Date: 06/07/03

  • Next message: Axel Dunkel: "[Full-Disclosure] Buffer Overflows in Novell iChain Authentication"
    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Sat, 7 Jun 2003 13:15:59 -0700 (PDT)
    
    

    SynopsisTitle: Java Virtual Machine Symlink Vulnerability
    Platforms: Linux Distributions with j2re1.4.1_02
    Discovered: Today
    Local: Yes.
    Remote: No.

    1. Overview

    Java Virtual Machine stores temporary log files within the /tmp directory
    with a prefix of jpsock.**_* etc in an insecure manner.

    2. Background

    The Java virtual machine is the cornerstone of the Java and Java 2
    platforms. It is the component of the technology responsible for its
    hardware- and operating system- independence, the small size of its
    compiled code, and its ability to protect users from malicious programs.
    3. Issue

    Java Virtual Machin creates the file "/tmp/jpsock.**_*" on startup. The
    existance and owner of the file is not checked prior to writing startup
    information to the file.

    4. Impact

    Local users may create a symlink from an arbitrary file to /tmp/jpsock.**_*.
    When JVM is executed, the file pointed to by the symlink will be overwritten.

    This can and will be used to gain elevated privileges via symlink attack

    5. Recommendation

    You shouldn't be using it anyways. See my prior post

    6. Vendor Notification

    None - this is full disclosure

    Summer of the Sickness is drawing near.......

    Copyright 2003, Paper Street Soap Company, Inc.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Axel Dunkel: "[Full-Disclosure] Buffer Overflows in Novell iChain Authentication"