# Java Print Spool Data Leak on Linux and Solaris
# Report date: 10 Jan 2012
# Author: Andrei Costin (andrei@andreicostin.com)
# Product: Java JRE (latest Version 6 Update 30 and below)
# Platforms: Unix/Linux
# Flaw type: Insecure design problem
# Flaw category: Data leak
# Advisory: ACSA-2012-03
# Other SecAdv number: Secunia SA49472, CVE-2012-1717, Oracle S0154919

Repro.: 100%

Affected classes:
UnixPrintJob
PSPrinterJob

Root cause:
Usage of File.createTempFile (http://docs.oracle.com/javase/1.5.0/docs/api/java/io/File.html#createTempFile%28java.lang.String,%20java.lang.String,%20java.io.File%29)

File.createTempFile creates temporary spool files in the $TMP directory, which is usually accessible to most other users on the system (unless a specific $TMP is set for each user or group of users, which is certainly not the case on most systems).

In contrast, Win32PrintJob uses OS-provided means for OS-assured secure (or at least so one hopes) print-job data spooling.

Scenarios:
Since $TMP is accessible (see the assumption above), an attacker has access to it too. An attacker can, for example, use tools for fs-change notifications (either self-written or off-the-shelf tools/scripts). Once a file of type $TMP/postscrtip***.ps is created, the attacker is notified and, given specific timing fine-tuning, can lock-and-copy the file before the Java VM can delete it. Hence, a data leak occurs without the victim user being aware of it.

The following are examples of tools that can be used for file-creation notification:
http://stefan.buettcher.org/cs/fschange/index.html
http://lwn.net/Articles/311350/
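
One way an application can keep print-job data away from other local users, shown as an added example (not code from the advisory or from the JRE): the spool file is created with owner-only permissions inside an owner-only directory, so a watcher on the shared $TMP sees only an opaque directory name. It assumes Java 7 or later (java.nio.file) on a POSIX file system; the class name, method name and the "spool-"/"job-" prefixes are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class PrivateSpoolDemo {
    // Owner-only modes, passed at creation time so there is no
    // create-then-chmod window in which another user could open the file.
    static final FileAttribute<Set<PosixFilePermission>> DIR_0700 =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
    static final FileAttribute<Set<PosixFilePermission>> FILE_0600 =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));

    /** Creates a private per-job directory and a spool file inside it. */
    static Path createPrivateSpool() throws IOException {
        // The 0700 directory lives under java.io.tmpdir, but other users
        // cannot list it or open anything below it.
        Path dir = Files.createTempDirectory("spool-", DIR_0700);
        return Files.createTempFile(dir, "job-", ".ps", FILE_0600);
    }

    public static void main(String[] args) throws IOException {
        Path spool = createPrivateSpool();
        Path dir = spool.getParent();
        try {
            // Constructed sample job data.
            byte[] job = "%!PS-Adobe-3.0\n(constructed sample) show\n"
                .getBytes(StandardCharsets.US_ASCII);
            Files.write(spool, job);
            // Print the effective modes so the result can be checked by eye.
            System.out.println(dir + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
            System.out.println(spool + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(spool)));
            // The file would be handed to the print command here; it runs
            // as the same user, so it can still read the spool file.
        } finally {
            Files.deleteIfExists(spool);
            Files.deleteIfExists(dir);
        }
    }
}
```

The same isolation can be applied without code changes by pointing the java.io.tmpdir system property at a per-user directory, which is the per-user $TMP case the advisory mentions.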