Adobe Acrobat Reader for Linux Uses Unsafe Temporary Files
SecurityTracker Alert ID: 1004606
SecurityTracker URL: http://securitytracker.com/id/1004606
Date: Jun 20 2002
Modification of system information, Modification of user information
Fix Available: Yes
A potential vulnerability was reported in Adobe Acrobat Reader version 4.05 for Linux systems. A user may be able to cause another user to overwrite files.
It is reported that Acrobat Reader (acroread) creates temporary files in /tmp or in the directory specified by the TMP environment variable without determining if the temporary file exists or not.
If a local user can determine the file name that Acrobat will use, the user can create a symbolic link from the temporary file name to another file on the server. Then, if a target (victim) user opens or prints a PDF file, the linked file may be overwritten with the privileges of the target user.
The report did not indicate if the file names used by Acrobat were predictable or not. An example file name is '/tmp/Acro48IBR1'.
A local user may be able to cause a target user to overwrite files on the system when the target user opens a PDF file for viewing or printing.
The author of the report indicates that Adobe Acrobat Reader version 5.05 appears not to be vulnerable. The new version is available at:
The author of the report has provided the following workaround:
"Set TMP environment variable to a secure directory (e.g. ~/tmp) before using acrobat reader (and possibly before launching netscape if you use the acrobat plugin). One possible way to achieve this would be to replace the acroread shell script with a script that sets TMP and then execs the original acroread (or directly modify the acroread script if the license permits this)."
Vendor URL: www.adobe.com/
Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Acrobat reader 4.05 temporary files
Insecure temporary files in Acrobat Reader 4.05
$Date: 2002/06/20 07:21:29 $
Jarno Huuskonen <Jarno.Huuskonen@iki.fi>
Wed 18 Jul 2001
Adobe (email@example.com) contacted on Thu 19 Jul 2001. Adobe said
that they'll look into this. Acrobat Reader 5.05 appears to correct the
Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this only on Linux,
but I believe that all 'Unix' versions are affected.
Low: possible local file overwrite (symlink attack). (For more
information about race conditions see).
Acrobat Reader (acroread) creates temporary files in /tmp (or in the
directory pointed to by the TMP environment variable) insecurely when opening
or printing a pdf document.
Out of curiosity I straced acroread to see if it uses temporary files.
From the strace output I noticed that acroread does open temporary
files in /tmp (or in $TMP if you have it set) without using O_EXCL, so
acroread will follow symbolic links when creating the temporary
file. Here is an example from an strace output that shows the problem:
stat("/tmp/Acro48IBR1", 0xbfffe958) = -1 ENOENT (No such file or
open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
unlink("/tmp/Acro48IBR1") = 0
These temporary files are created at least when opening a document and
printing a document (Print To: Printer Command). (I assume the acrobat
reader netscape plugin has the same problem. I didn't check this
Set TMP environment variable to a secure directory (e.g. ~/tmp) before
using acrobat reader (and possibly before launching netscape if you use
the acrobat plugin). One possible way to achieve this would be to
replace the acroread shell script with a script that sets TMP and then
execs the original acroread (or directly modify the acroread script if
the license permits this).
Acrobat Reader 5.05 appears to correct this problem. Download the
updated version from http://www.adobe.com.
David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
Kris Kennaway's post to Bugtraq about temporary files.
Creating Secure Software:
Jarno Huuskonen <Jarno.Huuskonen atsign iki.fi>
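
The open() flags from the strace output above, set beside a hardened form that adds O_EXCL. This is an added example, not code from the report or from Adobe. The function names, the AcroDEMO and data.txt file names and the /tmp/tmpdemoXXXXXX template are hypothetical, and everything runs inside a private directory created with mkdtemp().

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags as seen in the strace output: no O_EXCL, so an existing symlink
 * at the temp name is followed and its target is truncated. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_CREAT|O_EXCL fails with EEXIST if the name already
 * exists, symlinks included; mode 0600 keeps the contents private. */
static int open_tmp_safe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private mkdtemp() directory: a 15-byte file
 * stands in for the user's data and a symlink to it sits at the temp name.
 * Returns the data file's size after opener() ran, or -1 on setup failure;
 * *err receives errno from the open attempt. */
static long target_size_after(int (*opener)(const char *), int *err) {
    char dir[] = "/tmp/tmpdemoXXXXXX", data[64], tmpname[64];
    struct stat st;
    long size = -1;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(data, sizeof data, "%s/data.txt", dir);
    snprintf(tmpname, sizeof tmpname, "%s/AcroDEMO", dir);
    if (!(f = fopen(data, "w"))) { rmdir(dir); return -1; }
    fputs("important data\n", f);
    fclose(f);
    if (symlink(data, tmpname) == 0) {
        errno = 0;
        int fd = opener(tmpname);
        *err = errno;
        if (fd >= 0) close(fd);
        if (stat(data, &st) == 0) size = (long)st.st_size;
    }
    unlink(tmpname); unlink(data); rmdir(dir);
    return size;
}

int main(void) {
    int err;
    long n = target_size_after(open_tmp_unsafe, &err);
    printf("without O_EXCL: data file is now %ld bytes\n", n);
    n = target_size_after(open_tmp_safe, &err);
    printf("with O_EXCL:    data file is still %ld bytes (%s)\n", n, strerror(err));
    return 0;
}
```

In new code, mkstemp() gives the same exclusive-create behaviour together with an unpredictable file name.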