Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 13 Jun 2017 16:48:04 -0400
From: Stiepan <>
To: "" <>
Subject: Re: OpenJDK: java(1): untrusted search path

Hi, confirmed on Ubuntu 32-bit running OpenJDK 1.8.0_131 (modified slightly your exploit to use "echo pwned" instead of using cowsay pwned).


-------- Original Message --------
Subject: [oss-security] OpenJDK: java(1): untrusted search path
Local Time: June 13, 2017 3:23 PM
UTC Time: June 13, 2017 3:23 PM

Running "java -help" can load code from a subdirectory of cwd:

$ javac
$ mkdir -p sun/launcher/resources/
$ mv launcher_en.class sun/launcher/resources/
$ java -help
&lt; pwned &gt;
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||

This happens because:

* By default (i.e. when CLASSPATH env var was unset and neither -cp nor -jar
was specified), java sets "." as the user class path:

* The help message is apparently supposed to be internationalized.

* The Java"s localization machinery loads classes:

On Debian systems, jarwrapper (a binfmt-misc thing for running executable jar
files) is affected. It contains the following code:

if java -d32 2&gt;&amp;1 | grep "does not support" &gt; /dev/null; then

On 32-bit systems, this causes java to print the help message.

Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.