From: Jarno Huuskonen (Jarno.Huuskonen+bugtraquku.fi)
Date: Thu Jun 20 2002 - 02:25:16 CDT

          ------------------------------------------------------------
                Insecure temporary files in Acrobat Reader 4.05
                             Jarno.Huuskoneniki.fi
                          $Date: 2002/06/20 07:21:29 $
          ------------------------------------------------------------

    Author:
     Jarno Huuskonen <Jarno.Huuskoneniki.fi>

    Discovered:
     Wed 18 Jul 2001

    Vendor status:
     Adobe (securityadobe.com) contacted on Thu 19 Jul 2001. Adobe said
     that they'll look into this. Acrobat Reader 5.05 appears to correct the
     problem.

    Platforms:
     Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this only on Linux,
     but I believe that all 'Unix' versions are affected.

    Severity:
     Low: possible local file overwrite (symlink attack). (For more
     information about race conditions see [1][2][3]).

    Abstract:
     Acrobat Reader (acroread) creates temporary files in /tmp (or in the
     directory pointed to by the TMP environment variable) insecurely when
     opening or printing a PDF document.

    Details:
     Out of curiosity I straced acroread to see if it uses temporary files.
     From the strace output I noticed that acroread does open temporary
     files in /tmp (or in $TMP if you have it set) without using O_EXCL, so
     acroread will follow symbolic links when creating the temporary
     file. Here is an example from an strace output that shows the problem:

       stat("/tmp/Acro48IBR1", 0xbfffe958) = -1 ENOENT (No such file or directory)
       open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
         ...
         ...
       unlink("/tmp/Acro48IBR1") = 0

     These temporary files are created at least when opening a document and
     printing a document (Print To: Printer Command). (I assume the acrobat
     reader netscape plugin has the same problem. I didn't check this
     though).

    Workaround:
     Set the TMP environment variable to a secure directory (e.g. ~/tmp) before
     using acrobat reader (and possibly before launching netscape if you use
     the acrobat plugin). One possible way to achieve this would be to
     replace the acroread shell script with a script that sets TMP and then
     execs the original acroread (or directly modify the acroread script if
     the license permits this).

    Solution:
     Acrobat Reader 5.05 appears to correct this problem. Download the
     updated version from http://www.adobe.com.

    References:
    1.
     David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
     http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html

    2.
     Kris Kennaway's post to Bugtraq about temporary files.
     http://lwn.net/2000/1221/a/sec-tmp.php3

    3.
     Creating Secure Software:
     http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf

    -- 
    Jarno Huuskonen <Jarno.Huuskonen atsign iki.fi>
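
The open() flags from the strace output above, compared with an O_EXCL form, as an added example that is not part of the original advisory or of Adobe's code. The function names, the scratch directory and the file names "target" and "Acrotmp" are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags copied from the strace output: no O_EXCL, so an existing symlink
   at the path is followed and the file it points to is truncated. */
static int open_tmp_weak(const char *p) {
    return open(p, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: with O_CREAT|O_EXCL, open() fails with EEXIST if the name
   already exists, symlinks included; 0600 keeps the file private. */
static int open_tmp_excl(const char *p) {
    return open(p, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Creates a private scratch directory with a 4-byte file "target" and a
   symlink "Acrotmp" pointing at it (constructed sample data), opens the
   symlink name with `opener`, and returns the size of "target" afterwards
   (-1 on setup failure). *fd_out receives the result of the open() call. */
static long run_case(int (*opener)(const char *), int *fd_out) {
    char dir[] = "/tmp/tmpdemoXXXXXX", target[64], lnk[64];
    struct stat st;
    long size = -1;
    *fd_out = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/Acrotmp", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t >= 0 && write(t, "keep", 4) == 4 && symlink(target, lnk) == 0) {
        *fd_out = opener(lnk);
        if (stat(target, &st) == 0) size = (long)st.st_size;
        if (*fd_out >= 0) close(*fd_out);
    }
    if (t >= 0) close(t);
    unlink(lnk); unlink(target); rmdir(dir);   /* clean up the scratch dir */
    return size;
}

int main(void) {
    int fd;
    long n = run_case(open_tmp_weak, &fd);
    printf("no O_EXCL: open() = %d, target size now %ld\n", fd, n);
    n = run_case(open_tmp_excl, &fd);
    printf("O_EXCL:    open() = %d, target size now %ld\n", fd, n);
    return 0;
}
```

In application code, mkstemp() performs the O_EXCL creation and chooses an unpredictable name in one call, which also removes the need for the separate stat() check seen in the trace.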