Vulnerability in HP Photosmart/Deskjet Drivers for Mac OS X (root compromise)

From: Dr Andreas F Muller (afmat_private)
Date: Sun Apr 14 2002 - 16:39:14 PDT


    Hello everyone,
    
    after some frustration with the HP Photosmart printer driver not
    being as smart as the name suggests, and HP support not as supportive
    as I would wish about the issues raised below, I've decided to bring
    the following multiple security vulnerabilities of the HP
    Photosmart/Deskjet printer drivers for Mac OS X to the list's
    attention.
    
    The Photosmart family is a line of photo quality ink jet printers
    which  can  be  used standalone (they have flash card readers) or
    together with a computer via either USB  or  the  parallel  port.
    Drivers for the various Windows and Mac OS versions are available
    from HP's web site; the current version of the driver for Mac OS X
    seems to be 1.2.1. It comes as a .sit.bin file, but when expanded, it
    turns into a program. In Windows, you would call this a self
    extracting archive. We just love self extracting archives, don't we?
    
    The installer adds a new package to the system (why the hell did
    they choose not to use the system's package installation mechanism?).
    The most important thing installed with this package is an
    application called hp_imaging_connectivity.app; you will find it in
    /Library/Printers/hp. Applications in Mac OS X are really directories
    containing executables, libraries and other stuff, but look at the
    permissions of this particular directory:
    
    >  [celia:/Library/Printers/hp] afm% ls -l
    >  total 0
    >  drwxrwxr-x  4 root  admin  264 Apr 14 23:55 Utilities
    >  drwxrwxr-x  4 root  admin  264 Jan  8 01:04 deskjet
    >  drwxrwxrwx  4 root  admin   92 Apr 14 23:55 hp_imaging_connectivity.app
    >  drwxrwxr-x  6 root  admin  264 Apr 14 23:55 photosmart
    
    Somewhere deep inside the application directory, you'll find  the
    binary:
    
    >  -rwxrwxrwx  1 root  admin  1013938 Dec  6 21:37 hp_imaging_connectivity
    
    Here comes the exercise: why does this lead to a root compromise?
    
    Here is the answer (or was that too easy?):
    
        Well, there are actually several ways to do it. First of all,
        the program is started whenever someone logs into the system.
        If    root    logs    into    the    system,     well    then
        hp_imaging_connectivity  is  started  as root, bingo. Replace
        the program by your favorite root kit installation program.
    
        But the really interesting thing  is  that  it  is  not  even
        necessary  that  root  ever  logs  into the system, it's good
        enough if an administrator does. Every member  of  the  group
        admin  (and  users  are  administrators precisely if they are
        members of this group) are allowed  to  execute  any  command
        they like as root, the /etc/sudoers file contains the line
    
            %admin ALL=(ALL) ALL
    
        for this purpose. This means that an (easily) subverted
        hp_imaging_connectivity binary can use the netinfo commands to
        add a new root account, can make sure the secure shell daemon is
        running (it's off by default in Mac OS X), enable some of the
        less secure services in /etc/inetd.conf (they are all off by
        default) or open any other hole. Just think about all the
        wonderful possibilities for applets or other forms of mobile
        code. The scary thing is: the administrator cannot actually
        prevent the program from being executed, as she will have to log
        in as administrator to do this!
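    The condition the post describes, a world-writable application tree
    whose binary is later run by privileged users, is easy to audit for.
    The following script is an added example, not part of the original
    post or of HP's software: it lists world-writable files and
    directories under a given path, flags those that are also executable
    (the dangerous combination), and strips the others-write bit. The
    demo builds a constructed tree under $TMPDIR that mimics the
    hp_imaging_connectivity.app layout; no real driver is needed.

```shell
#!/bin/sh
# Added example (not from the original post or HP): audit a directory tree
# for world-writable entries, the condition the post reports for
# /Library/Printers/hp/hp_imaging_connectivity.app. POSIX find only; works
# with GNU and BSD find (Linux and Mac OS X).

# Print every file or directory under $1 that any user can modify
# (others-write bit set). Symlinks are skipped: their mode is meaningless.
find_world_writable() {
    find "$1" ! -type l -perm -0002 2>/dev/null
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# World-writable regular files that are also executable: anything anyone
# can replace and that a login item or service will later run as another
# user. These are the entries to treat as a privilege escalation risk.
find_world_writable_executables() {
    find "$1" -type f -perm -0002 -perm -0111 2>/dev/null
}

# Remediation: remove the others-write bit from every entry reported above.
# Ownership (root:admin in the post) is left alone; only the mode changes.
fix_world_writable() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Demo on a constructed tree shaped like the HP application bundle.
# The paths and contents here are made up for the demonstration.
demo() {
    tree="${TMPDIR:-/tmp}/hp_perm_demo.$$"
    bin="$tree/hp_imaging_connectivity.app/Contents/MacOS/hp_imaging_connectivity"
    mkdir -p "$(dirname "$bin")"
    printf '#!/bin/sh\necho constructed stand-in for the driver binary\n' > "$bin"
    # Reproduce the permissions from the post: drwxrwxrwx bundle, -rwxrwxrwx binary.
    chmod 0777 "$tree/hp_imaging_connectivity.app" "$bin"

    echo "World-writable entries before fix: $(count_world_writable "$tree")"
    echo "World-writable executables:"
    find_world_writable_executables "$tree"
    fix_world_writable "$tree"
    echo "World-writable entries after fix:  $(count_world_writable "$tree")"
    rm -rf "$tree"
}

demo
```

    On a real system you would point count_world_writable at
    /Library/Printers (or at every directory holding login items and
    daemons) and expect zero; any non-zero result under a root-owned tree
    deserves the same analysis as the post gives the HP bundle.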
    
    From the directory listing above we must conclude that not only the
    Photosmart printers are affected, but also the Deskjet series, which
    increases the market share for this hole considerably.
    
    You may counter that the user will notice that the printer is not
    working  when  hp_imaging_connectivity  has been subverted. Well,
    not really. For some reason, and I have not found  out  why,  the
    printer  does  not  work  if the user who installed the driver is
    different from the user who tries to use it.   Consequently,  the
    printer is not working by default!
    
    So if a user wants to be sure she can print, she will have to install
    the printer driver anew, and she will have to be an administrator.
    All printer users must therefore be administrators, and the root
    compromise is thus entirely trivial.
    
    There are of course some other issues with HP's somewhat misguided
    approach: as the printer driver is an application tied to the user's
    desktop, it's impossible to print on the printer unless logged in on
    the console. And while the printer is spitting out pages, it is
    impossible to log out!
    
    My guess is that hp_imaging_connectivity was ported from a single
    user system without any security (like Mac OS 9 or Windows).
    Unfortunately, there does not seem to be a workaround other than not
    buying an HP ink jet printer for use with Mac OS X.
    
    With kind regards
    
                                            Andreas Mueller
    
    ------------------------------------------------------------
    Dr. Andreas Mueller                 Consulting and Development
    Bubental 53, CH - 8852 Altendorf            <afmat_private>
    Voice: +41 55 462 1483             Fax/Data: +41 55 462 1485
    ------------------------------------------------------------
    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 13:34:14 PDT