SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Adobe Acrobat/Reader Vendors:   Adobe Systems Incorporated
Adobe Acrobat Reader for Linux Uses Unsafe Temporary Files
SecurityTracker Alert ID:  1004606
SecurityTracker URL:  http://securitytracker.com/id/1004606
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 20 2002
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  
Version(s): 4.05
Description:   A potential vulnerability was reported in Adobe Acrobat Reader version 4.05 for Linux systems. A user may be able to cause another user to overwrite files.

It is reported that Acrobat Reader (acroread) creates temporary files in /tmp or in the directory specified by the TMP environment variable without determining if the temporary file exists or not.

If a local user can determine the file name that Acrobat will use, the user can create a symbolic link from the temporary file name to another file on the server. Then, if a target (victim) user opens or prints a PDF file, the linked file may be overwritten with the privileges of the target user.

The report did not indicate if the file names used by Acrobat were predictable or not. An example file name is '/tmp/Acro48IBR1'.

Impact:   A local user may be able to cause a target user to overwrite files on the system when the target user opens a PDF file for viewing or printing.
Solution:   The author of the report indicates that Adobe Acrobat Reader version 5.05 appears to be not vulnerable. The new version is available at:

http://www.adobe.com

The author of the report has provided the following workaround:

"Set TMP environment variable to a secure directory (e.g. ~/tmp) before using acrobat reader (and possibly before launching netscape if you use the acrobat plugin). One possible way to achieve this would be to replace the acroread shell script with a script that sets TMP and then execs the original acroread (or directly modify the acroread script if the license permits this).

Vendor URL:  www.adobe.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(SGI Issues Fix for IRIX) Re: Adobe Acrobat Reader for Linux Uses Unsafe Temporary Files
SGI plans to issue a fix as part of IRIX 6.5.19.



 Source Message Contents

Subject:  Acrobat reader 4.05 temporary files



      ------------------------------------------------------------
            Insecure temporary files in Acrobat Reader 4.05
                         Jarno.Huuskonen@iki.fi
                      $Date: 2002/06/20 07:21:29 $
      ------------------------------------------------------------

Author:
 Jarno Huuskonen <Jarno.Huuskonen@iki.fi>

Discovered:
 Wed 18 Jul 2001

Vendor status:
 Adobe (security@adobe.com) contacted on Thu 19 Jul 2001. Adobe said
 that they'll look into this. Acrobat Reader 5.05 appears to correct the
 problem.

Platforms:
 Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this only on Linux,
 but I believe that all 'Unix' versions are affected.

Severity:
 Low: possible local file overwrite (symlink attack). (For more
 information about race conditions see[1][2][3]).

Abstract:
 Acrobat Reader (acroread) creates temporary files in /tmp (or in
 directory pointed by TMP environment variable) insecurely when opening
 or printing a pdf document.

Details:
 Out of curiosity I straced acroread to see if it uses temporary files.
 From the strace output I noticed that acroread does open temporary
 files in /tmp (or in $TMP if you have it set) without using O_EXCL, so
 acroread will follow symbolic links when creating the temporary
 file. Here is an example from an strace output that shows the problem:

   stat("/tmp/Acro48IBR1", 0xbfffe958)     = -1 ENOENT (No such file or
                                                        directory)
   open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
     ...
     ...
   unlink("/tmp/Acro48IBR1")               = 0

 These temporary files are created at least when opening a document and
 printing a document (Print To: Printer Command). (I assume the acrobat
 reader netscape plugin has the same problem. I didn't check this
 though).

Workaround:
 Set TMP environment variable to a secure directory (e.g. ~/tmp) before
 using acrobat reader (and possibly before launching netscape if you use
 the acrobat plugin). One possible way to achieve this would be to
 replace the acroread shell script with a script that sets TMP and then
 execs the original acroread (or directly modify the acroread script if
 the license permits this).

Solution:
 Acrobat Reader 5.05 appears to correct this problem. Download the
 updated version from http://www.adobe.com.

References:
1.
 David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
 http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html

2.
 Kris Kennaway's post to Bugtraq about temporary files.
 http://lwn.net/2000/1221/a/sec-tmp.php3

3.
 Creating Secure Software: 
 http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf

-- 
Jarno Huuskonen <Jarno.Huuskonen atsign iki.fi>

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC