Name: rl16235 Date: 12/19/2000
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)
jarsigner -verify returns "jar verified." in the following cases:
1. Files have been added to the jar file.
2. The manifest has been updated.
This can cause the following potential security problem:
Someone adds classes to a jar file and updates the manifest to run these rogue
classes as the main class. Someone runs jarsigner -verify, which says the jar file
has been verified. They then run the jar file and it deletes their hard drive
(for example).
Here is an example which demonstrates the problem.
1) Create the following files:
=========================
HelloWorld.java
public class HelloWorld
{
    public static void main (String [] args)
    {
        System.out.println ("Hello World!!");
    }
}
========================
RogueHelloWorld.java
public class RogueHelloWorld
{
    public static void main (String [] args)
    {
        System.out.println ("Ha, your hard drive has just been deleted, sucker.");
    }
}
===========================
Manifest1.mf
Main-Class: HelloWorld
===========================
Manifest2.mf
Main-Class: RogueHelloWorld
===========================
2) Perform the following steps:
a) Compile the java files:
javac *.java
b) Create a key for signing
keytool -genkey -alias test -keystore test.store -storepass 123456 -keypass 123456
Use any values you want for the prompts from keytool.
c) Jar up helloworld
jar cvfm hello.jar Manifest1.mf HelloWorld.class
d) Sign hello.jar
jarsigner -keystore test.store -storepass 123456 hello.jar test
e) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.
f) run jar file
java -jar hello.jar
Get the following result
Hello World!!
g) Someone later adds rogue classes to jar file
jar uvfm hello.jar Manifest2.mf RogueHelloWorld.class
h) Verify hello.jar is signed
jarsigner -verify hello.jar
Get the following result
jar verified.
i) run jar file
java -jar hello.jar
Get the following result
Ha, your hard drive has just been deleted, sucker.
I believe that step h should return that the jar file is not signed properly to
inform the user that the file has been tampered with. I believe this problem
exists on all platforms, but I can only test on Windows NT 4.0. I know the
jarsigner documentation states that this is acceptable, but I believe it is a
major security risk. At the least the user should be notified that the manifest
may have been tampered with and additional unsigned files have been added.
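A programmatic check for the situation the report describes, written here as an added example (not code from the report or from the JDK): it opens the jar in verifying mode, reads every entry through the verifying stream, and lists entries that carry no code signer at all, which is exactly what an unsigned class added after signing looks like. The class name UnsignedEntryCheck is hypothetical; the API calls (JarFile, JarEntry.getCodeSigners) are standard JDK ones and require Java 5 or later.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper (not part of the JDK): reports entries of a signed jar
// that are not covered by any signature, i.e. files added after signing.
public class UnsignedEntryCheck {

    // Signature bookkeeping files in META-INF are never themselves signed, so skip them.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // Returns the sorted names of non-directory entries that have no code signer.
    // A signed entry whose content no longer matches its digest makes the
    // verifying stream throw SecurityException, which is left to the caller.
    public static List<String> unsignedEntries(String jarPath) throws java.io.IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) { // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Signers are populated only after the entry has been read in full
                // through the verifying stream, so drain it before asking.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* discard */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) unsigned.add(e.getName());
            }
        }
        Collections.sort(unsigned);
        return unsigned;
    }

    public static void main(String[] args) throws Exception {
        List<String> unsigned = unsignedEntries(args[0]);
        if (unsigned.isEmpty()) { System.out.println("all entries signed"); return; }
        System.out.println("UNSIGNED entries (integrity not checked):");
        for (String name : unsigned) System.out.println("  " + name);
        System.exit(1);
    }
}
```

Run against the hello.jar from step g and RogueHelloWorld.class is listed as unsigned; whether the signers that are present are actually trusted is a separate check that this helper does not perform.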
This is all additional information from report with the internal ID of 107042
###@###.### 2000-12-19
reproduced it on Solaris2.7 with JDK1.3.
(Review ID: 107122)
======================================================================