[UNIX] Adobe Acrobat Creates World Writable ~/AdobeFnt.lst Files
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Adobe Acrobat Creates World Writable ~/AdobeFnt.lst Files
Message-Id: <20010824091717.B6728138BF@mail.der-keiler.de>
Date: Fri, 24 Aug 2001 11:17:17 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Adobe Acrobat Creates World Writable ~/AdobeFnt.lst Files
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Adobe Acrobat causes it to create a world
writable file in the HOME directory of the user running Adobe Acrobat.
Because the file is world writable, it can be modified by anyone with
local user access to the system.
DETAILS
Vulnerable systems:
Adobe Acrobat version 4.05 (Linux)
Adobe Acrobat creates a world writable ~/AdobeFnt.lst file even when the
user's umask is as restrictive as 077: the Adobe binary explicitly creates
the AdobeFnt.lst file in the HOME directory and then changes its mode to be
world (and group) writable, so the umask offers no protection.
Workaround:
Use a wrapper script to make sure that files have the correct settings.
Example workaround wrapper:
####################################################################
# Simple variant: if ~/AdobeFnt.lst does not exist yet, point it at
# /dev/null for the duration of the run so Acrobat never creates a real
# (world writable) file, and remove the symlink again when the wrapper
# exits. (An AdobeFnt.lst that already exists is left untouched here.)
if [ ! -e "$HOME/AdobeFnt.lst" ]; then
    # AcroRead will happily create a world writable AdobeFnt.lst ...
    trap 'rm -f "$HOME/AdobeFnt.lst"' 0
    ln -s /dev/null "$HOME/AdobeFnt.lst"
fi
# ... the wrapper then runs the Acrobat binary at this point (the
# invocation itself is not part of the posted fragment)
####################################################################
# Full variant: keep the file Acrobat creates inside a private directory
# (mode 700, no group or world write/execute bits) reached through a
# symlink from ~/AdobeFnt.lst, so the permissions Acrobat sets on the file
# are harmless to anyone who cannot enter that directory.
#wrapper stuff to work around world writable ~/AdobeFnt.lst issues
#directory we'll use, relative to HOME, to work around the problem
kludgedir=.AdobeFnt.security_kludge_dir
#check HOME isn't null
[ X"$HOME" != X ] || {
    1>&2 echo "$0: HOME is unset or null - aborting"
    exit 1
}
#if pathname for our kludge directory exists
if ls -d "$HOME/$kludgedir" >/dev/null 2>&1
then
    #check that it's properly secured: ls -l mode string must show no
    #group or world write/execute bits (e.g. drwx------ or drwxr--r--)
    ls -lLd "$HOME/$kludgedir" 2>/dev/null | grep '^d....--.--' >/dev/null 2>&1 || {
        #not properly secured, complain and exit
        1>&2 echo "$0: found $HOME/$kludgedir but expecting directory with no group or world write or execute permissions - aborting"
        exit 1
    }
else
    #"$HOME/$kludgedir" doesn't exist, make it (umask 077 gives mode 700)
    (umask 077 && mkdir -p "$HOME/$kludgedir")
    #we should have a properly secured "$HOME/$kludgedir" at this point, verify
    ls -lLd "$HOME/$kludgedir" 2>/dev/null | grep '^d....--.--' >/dev/null 2>&1 || {
        1>&2 echo "$0: unable to create properly secured $HOME/$kludgedir - aborting"
        exit 1
    }
fi
#does "$HOME"/AdobeFnt.lst exist in any form?
if ls -d "$HOME"/AdobeFnt.lst >/dev/null 2>&1
then
    #"$HOME"/AdobeFnt.lst may already be set up properly - check that it is
    #a symlink whose target is our kludge directory's AdobeFnt.lst
    if [ X"$(ls -ld "$HOME"/AdobeFnt.lst 2>/dev/null | sed -ne 's/^l.* -> \(.*\)/\1/p')" != X"$kludgedir"/AdobeFnt.lst ]
    then
        #it's not what we were hoping for ... is it an ordinary file?
        if [ ! -L "$HOME"/AdobeFnt.lst -a -f "$HOME"/AdobeFnt.lst ]
        then
            rm -f "$HOME"/AdobeFnt.lst
            #is it gone?
            [ ! -f "$HOME"/AdobeFnt.lst ] || {
                1>&2 echo "$0: failed to remove $HOME/AdobeFnt.lst file - aborting"
                exit 1
            }
            ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
            #test that "$HOME"/AdobeFnt.lst has been set up properly
            [ X"$(ls -ld "$HOME"/AdobeFnt.lst 2>/dev/null | sed -ne 's/^l.* -> \(.*\)/\1/p')" = X"$kludgedir"/AdobeFnt.lst ] || {
                1>&2 echo "$0: failed to create properly secured $HOME/AdobeFnt.lst - aborting"
                exit 1
            }
        else
            #a directory, device, foreign symlink etc.: refuse to guess
            1>&2 echo "$0: $HOME/AdobeFnt.lst isn't set up as we need it, please remove it - aborting"
            exit 1
        fi
    fi
else
    ln -s "$kludgedir"/AdobeFnt.lst "$HOME"/AdobeFnt.lst
    #test that "$HOME"/AdobeFnt.lst has been set up properly
    [ X"$(ls -ld "$HOME"/AdobeFnt.lst 2>/dev/null | sed -ne 's/^l.* -> \(.*\)/\1/p')" = X"$kludgedir"/AdobeFnt.lst ] || {
        1>&2 echo "$0: failed to create properly secured $HOME/AdobeFnt.lst - aborting"
        exit 1
    }
fi
#we're done with the kludgedir shell variable
unset kludgedir
# ... the wrapper then runs the Acrobat binary at this point (the
# invocation itself is not part of the posted fragment)
####################################################################
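The wrapper above relies on two checks: that the private directory really has no group or world write/execute bits, and (implicitly) that nothing world writable ends up in the home directory. The following POSIX sh helpers, added here as an example and not part of the advisory or of Michael Paoli's wrapper, factor those checks into reusable functions and add an audit that finds any world writable regular files under a directory, which is how an administrator can verify after the fact whether Acrobat (or anything else) left such a file behind. The function names, the `-perm -002` audit and the constructed scratch tree in `demo` are this example's own choices; the `ls -ld | grep '^d....--.--'` mode test is the same one the wrapper uses.

```shell
#!/bin/sh
# Added example, not from the advisory. POSIX sh only (no bash extensions).

# dir_is_secured DIR
#   Succeeds if DIR is a directory whose group and other classes have neither
#   write nor execute permission, i.e. the ls -l mode string matches
#   '^d....--.--' exactly as in the advisory's wrapper (700, 740, 744 pass;
#   750, 770, 755 fail because group/other can enter the directory).
dir_is_secured() {
    [ -d "$1" ] || return 1
    ls -lLd "$1" 2>/dev/null | grep '^d....--.--' >/dev/null 2>&1
}

# make_secured_dir DIR
#   Creates DIR with umask 077 (mode 700) if it is missing, then verifies the
#   result with dir_is_secured, so a pre-existing but too-open directory is
#   reported as a failure rather than silently reused.
make_secured_dir() {
    [ -d "$1" ] || (umask 077 && mkdir -p "$1") || return 1
    dir_is_secured "$1"
}

# world_writable_files DIR
#   Prints every regular file under DIR that has the other-write bit set
#   (octal 002). This is the detection side of the advisory: it reports the
#   condition the wrapper is trying to prevent.
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# count_world_writable DIR
#   Number of world writable regular files under DIR, as a bare integer.
count_world_writable() {
    world_writable_files "$1" | wc -l | tr -d ' '
}

# demo: builds a constructed scratch tree that mimics the problem (a file
# chmod'ed 666 the way the advisory says Acrobat does) and runs the checks.
demo() {
    scratch=$(mktemp -d) || return 1
    make_secured_dir "$scratch/.AdobeFnt.security_kludge_dir" \
        && echo "private directory OK: $scratch/.AdobeFnt.security_kludge_dir"
    # constructed sample: what an Acrobat run would leave in $HOME
    : > "$scratch/AdobeFnt.lst"
    chmod 666 "$scratch/AdobeFnt.lst"
    echo "world writable files found: $(count_world_writable "$scratch")"
    world_writable_files "$scratch"
    rm -rf "$scratch"
}

# Run the demo only when executed directly with DEMO=1, so the functions can
# also be sourced into another script without side effects.
[ "${DEMO:-0}" = 1 ] && demo
```

Run it as `DEMO=1 sh audit.sh` to see the constructed sample reported; in a real check, call `world_writable_files "$HOME"` (or point it at all home directories as root) and treat any output as something to investigate.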
ADDITIONAL INFORMATION
The information has been provided by Michael Paoli <mailto:michael1cat@yahoo.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.