Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Nautilus | Unknown | Wishlist | | |
sun-java6 (Ubuntu) | Fix Released | Medium | Ubuntu Desktop Bugs | |
Bug Description
Binary package hint: nautilus
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.
Description: Ubuntu 8.04.1
Release: 8.04
2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.
N/A
3) What you expected to happen
Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI). The archive has the execute permission bits cleared (chmod 640). When the archive icon is double-clicked, the archive contents should be displayed in the Archive Manager. Under no circumstances should code contained in the archive be executed. Opening files should be safe, regardless of their contents.
4) What happened instead
The archive is nevertheless executed (presumably, java -jar <archive name> is called).
5) Security implication
The user can be tricked into executing arbitrary code by opening an innocuous-looking file. This is similar to the MS-Word macro virus attacks, or Vim modeline attacks.
6) Example scenario
Firefox downloads to the Desktop by default. The user can specify some file types to be downloaded automatically. It is reasonable to expect such files would later be opened by double-clicking on their Desktop icons. The file type does not (necessarily) correspond to the extension; the file name, including the extension, is fully under the control of the attacker. Firefox will save the file with the file name specified. When the user double-clicks the archive they just downloaded, they expect the contents to be displayed. Instead, the code supplied by the attacker will be executed.
7) Workaround
It is possible to change this default behaviour by changing the file association: right click > Open With > select Archive Manager as the default app to open with. However, this is not based on permissions, so one has to right click > Open With > java when one does want to execute the application.
ProblemType: Bug
Architecture: amd64
Date: Sat Jan 3 10:12:45 2009
DistroRelease: Ubuntu 8.04
Package: firefox-3.0 3.0.5+nobinonly
PackageArchitec
ProcEnviron:
PATH=/
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: firefox-3.0
Uname: Linux 2.6.24-22-generic x86_64
Changed in nautilus:
status: Unknown → New
Changed in nautilus:
status: New → Invalid
Changed in nautilus:
status: Unknown → Incomplete
Changed in nautilus:
status: Incomplete → Invalid
Changed in nautilus:
importance: Wishlist → High
Changed in nautilus (Ubuntu):
importance: High → Medium
Changed in nautilus:
importance: Unknown → Wishlist
status: Invalid → Unknown
Thank you for your suggestion. However, the changes you are requesting aren't really a bug and require more discussion, which should be done on an appropriate mailing list or forum. http://www.ubuntu.com/support/community/mailinglists might be a good start for determining which mailing list to use.
There are a couple of additional comments I would like to add:
* The program isn't technically executing as the result of a +x flag or anything like that; nautilus is actually calling a helper application and running it that way.
* nautilus can be set to open the file rather than run it if you go into the configuration; I believe the out-of-the-box behaviour that they want is to have the file run.
* Java is generally pretty safe (although I am sure someone will post something to prove otherwise). Even if a malicious file was run the hopes are that the user isn't running the file as root (he/she would have to enter a password regardless) so the whole system would be affected...
I am wishlisting this issue as it is a valid one and I can see the reasoning from both sides.
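
The permission-based behaviour the report asks for, as an added Python example that is not part of the bug report, its comments, or Nautilus: a file is treated as a runnable JAR by content (a ZIP whose manifest has a `Main-Class` entry) rather than by name, and it is run only if an execute bit is set. All function names and the manifest-only sample JARs are constructed for illustration; `audit` lists the files an association-based launcher would start despite cleared execute bits.

```python
import os
import stat
import tempfile
import zipfile

def is_runnable_jar(path):
    """True if the file is a ZIP with a manifest naming a Main-Class (extension ignored)."""
    if not os.path.isfile(path) or not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return False
    return any(l.lower().startswith("main-class:") for l in manifest.splitlines())

def has_exec_bit(path):
    """True if any of the user/group/other execute bits is set."""
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def open_action(path):
    """Permission-based policy: run only with an execute bit, otherwise just view."""
    if is_runnable_jar(path) and has_exec_bit(path):
        return "run"    # a launcher would hand the file to the Java runtime here
    return "view"       # a launcher would open the archive manager here

def audit(directory):
    """Runnable JARs without an execute bit: an association-based launcher would
    start these even though their permissions say they are plain data."""
    paths = (os.path.join(directory, name) for name in sorted(os.listdir(directory)))
    return [p for p in paths if is_runnable_jar(p) and not has_exec_bit(p)]

def build_sample_jar(path, mode):
    """Write a constructed JAR (manifest only, no classes) with the given mode."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        data = build_sample_jar(os.path.join(d, "download.jar"), 0o640)
        app = build_sample_jar(os.path.join(d, "app.jar"), 0o750)
        print(open_action(data), open_action(app), audit(d))
```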