Acrobat reader 4.05 temporary files

2002-06-20T00:00:00
ID SECURITYVULNS:DOC:3118
Type securityvulns
Reporter Securityvulns
Modified 2002-06-20T00:00:00

Description

  ------------------------------------------------------------
        Insecure temporary files in Acrobat Reader 4.05
                     Jarno.Huuskonen@iki.fi
                  $Date: 2002/06/20 07:21:29 $
  ------------------------------------------------------------

Author: Jarno Huuskonen <Jarno.Huuskonen@iki.fi>

Discovered: Wed 18 Jul 2001

Vendor status: Adobe (security@adobe.com) contacted on Thu 19 Jul 2001. Adobe said that they'll look into this. Acrobat Reader 5.05 appears to correct the problem.

Platforms: Acrobat Reader 4.05 (linux-ar-405.tar.gz). I tested this only on Linux, but I believe that all 'Unix' versions are affected.

Severity: Low: possible local file overwrite (symlink attack). (For more information about race conditions see[1][2][3]).

Abstract: Acrobat Reader (acroread) creates temporary files in /tmp (or in directory pointed by TMP environment variable) insecurely when opening or printing a pdf document.

Details: Out of curiosity I straced acroread to see if it uses temporary files. From the strace output I noticed that acroread does open temporary files in /tmp (or in $TMP if you have it set) without using O_EXCL, so acroread will follow symbolic links when creating the temporary file. Here is an example from an strace output that shows the problem:

stat("/tmp/Acro48IBR1", 0xbfffe958) = -1 ENOENT (No such file or directory) open("/tmp/Acro48IBR1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5 ... ... unlink("/tmp/Acro48IBR1") = 0

These temporary files are created at least when opening a document and printing a document (Print To: Printer Command). (I assume the acrobat reader netscape plugin has the same problem. I didn't check this though).

Workaround: Set TMP environment variable to a secure directory (e.g. ~/tmp) before using acrobat reader (and possibly before launching netscape if you use the acrobat plugin). One possible way to achieve this would be to replace the acroread shell script with a script that sets TMP and then execs the original acroread (or directly modify the acroread script if the license permits this).

Solution: Acrobat Reader 5.05 appears to correct this problem. Download the updated version from http://www.adobe.com.

References: 1. David A. Wheeler: Secure Programming for Linux and Unix HOWTO. http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html

2. Kris Kennaway's post to Bugtraq about temporary files. http://lwn.net/2000/1221/a/sec-tmp.php3

3. Creating Secure Software: http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf

-- Jarno Huuskonen <Jarno.Huuskonen atsign iki.fi>