Acrobat reader 4.05 temporary files

From: Jarno Huuskonen (Jarno.Huuskonen+bugtraqat_private)
Date: Thu Jun 20 2002 - 00:25:16 PDT


          ------------------------------------------------------------
                Insecure temporary files in Acrobat Reader 4.05
                             Jarno.Huuskonenat_private
                          $Date: 2002/06/20 07:21:29 $
          ------------------------------------------------------------
    
    Author:
     Jarno Huuskonen <Jarno.Huuskonenat_private>
    
    Discovered:
     Wed 18 Jul 2001
    
    Vendor status:
     Adobe (securityat_private) contacted on Thu 19 Jul 2001. Adobe said
     that they'll look into this. Acrobat Reader 5.05 appears to correct the
     problem.
    
    Platforms:
     Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this only on Linux,
     but I believe that all 'Unix' versions are affected.
    
    Severity:
     Low: possible local file overwrite (symlink attack). (For more
     information about race conditions see [1][2][3]).
    
    Abstract:
     Acrobat Reader (acroread) creates temporary files in /tmp (or in the
     directory pointed to by the TMP environment variable) insecurely when
     opening or printing a PDF document.
    
    Details:
     Out of curiosity I straced acroread to see if it uses temporary files.
     From the strace output I noticed that acroread does open temporary
     files in /tmp (or in $TMP if you have it set) without using O_EXCL, so
     acroread will follow symbolic links when creating the temporary
     file. Here is an example from an strace output that shows the problem:
    
       stat("/tmp/Acro48IBR1", 0xbfffe958)     = -1 ENOENT (No such file or directory)
       open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
         ...
         ...
       unlink("/tmp/Acro48IBR1")               = 0
    
     These temporary files are created at least when opening a document and
     printing a document (Print To: Printer Command). (I assume the acrobat
     reader netscape plugin has the same problem. I didn't check this
     though).
    
    Workaround:
     Set the TMP environment variable to a secure directory (e.g. ~/tmp)
     before using Acrobat Reader (and possibly before launching Netscape if
     you use the Acrobat plugin). One possible way to achieve this would be
     to replace the acroread shell script with a script that sets TMP and
     then execs the original acroread (or directly modify the acroread
     script if the license permits this).
    
    Solution:
     Acrobat Reader 5.05 appears to correct this problem. Download the
     updated version from http://www.adobe.com.
    
    References:
    1.
     David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
     http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html
    
    2.
     Kris Kennaway's post to Bugtraq about temporary files.
     http://lwn.net/2000/1221/a/sec-tmp.php3
    
    3.
     Creating Secure Software: 
     http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf
    
    -- 
    Jarno Huuskonen <Jarno.Huuskonen atsign iki.fi>
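
The difference O_EXCL makes to the open() call shown in the strace output above, as an added example (not part of the original advisory and not Adobe's code). The helper names, the sandbox directory and the file names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L  /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags copied from the strace line: a symlink already at path is followed. */
static int open_like_strace(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}
/* With O_EXCL, open() fails with EEXIST if anything (a symlink included)
 * already exists at path. Mode 0600 is an extra choice for this example. */
static int open_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}
/* Constructed case: in a private mkdtemp() dir, make "victim" (5 bytes) and a
 * pre-planted symlink "Acro_demo" to it, open the link with the chosen call,
 * return victim's size after (5 untouched, 0 truncated, -1 setup failed). */
static long victim_size_after(int use_excl, int *fd_out, int *err_out) {
    char dir[] = "/tmp/excl_demo_XXXXXX", victim[64], link_path[64];
    struct stat st;
    *fd_out = -1; *err_out = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/Acro_demo", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int ok = v >= 0 && write(v, "data\n", 5) == 5 && symlink(victim, link_path) == 0;
    if (v >= 0) close(v);
    if (ok) {
        errno = 0;
        *fd_out = use_excl ? open_exclusive(link_path) : open_like_strace(link_path);
        *err_out = errno;
        if (*fd_out >= 0) close(*fd_out);
    }
    long size = (ok && stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(link_path); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int fd, err;
    long size = victim_size_after(0, &fd, &err);
    printf("strace flags: fd=%d victim size=%ld\n", fd, size);
    size = victim_size_after(1, &fd, &err);
    printf("O_EXCL: fd=%d errno=%d victim size=%ld\n", fd, err, size);
    return 0;
}
```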
    


