From: Dr Andreas F Muller (afmothello.ch)
Date: Sun Apr 14 2002 - 18:39:14 CDT

    Hello everyone,

    After some frustration with the HP Photosmart printer driver not
    being as smart as the name suggests and HP support not as
    supportive as I would wish about the issues raised below, I've
    decided to bring the following multiple security vulnerabilities
    of the HP Photosmart/Deskjet printer drivers for Mac OS X to the
    list's attention.

    The Photosmart family is a line of photo quality ink jet printers
    which can be used standalone (they have flash card readers) or
    together with a computer via either USB or the parallel port.
    Drivers for the various Windows and Mac OS versions are available
    from HP's web site; the current version of the driver for Mac OS
    X seems to be 1.2.1. It comes as a .sit.bin file, but when
    expanded, it turns into a program. In Windows, you would call this
    a self extracting archive. We just love self extracting archives,
    don't we?

    The installer adds a new package to the system (why the hell did
    they choose not to use the system's package installation
    mechanism?). The most important thing installed with this package
    is an application called hp_imaging_connectivity.app; you will
    find it in /Library/Printers/hp. Applications in Mac OS X are
    really directories containing executables, libraries and other
    stuff, but look at the permissions of this particular directory:

    > [celia:/Library/Printers/hp] afm% ls -l
    > total 0
    > drwxrwxr-x 4 root admin 264 Apr 14 23:55 Utilities
    > drwxrwxr-x 4 root admin 264 Jan 8 01:04 deskjet
    > drwxrwxrwx 4 root admin 92 Apr 14 23:55 hp_imaging_connectivity.app
    > drwxrwxr-x 6 root admin 264 Apr 14 23:55 photosmart

    Somewhere deep inside the application directory, you'll find the
    binary:

    > -rwxrwxrwx 1 root admin 1013938 Dec 6 21:37 hp_imaging_connectivity

    Here comes the exercise: why does this lead to a root compromise?

    Here is the answer (or was that too easy?):

        Well, there are actually several ways to do it. First of all,
        the program is started whenever someone logs into the system.
        If root logs into the system, well then
        hp_imaging_connectivity is started as root, bingo. Replace
        the program by your favorite root kit installation program.

        But the really interesting thing is that it is not even
        necessary that root ever logs into the system, it's good
        enough if an administrator does. All members of the group
        admin (and users are administrators precisely if they are
        members of this group) are allowed to execute any command
        they like as root; the /etc/sudoers file contains the line

            %admin ALL=(ALL) ALL

        for this purpose. This means that an (easily) subverted
        hp_imaging_connectivity binary can use the netinfo
        commands to add a new root account, can make sure the secure
        shell daemon is running (it's off by default in Mac OS
        X), enable some of the less secure services in
        /etc/inetd.conf (they are all off by default) or open any
        other hole. Just think about all the wonderful possibilities
        for applets or other forms of mobile code. The scary
        thing is: the administrator cannot actually prevent the
        program from being executed, as she will have to log in as
        administrator to do this!

    From the directory listing above we must conclude that not only
    the Photosmart printers are affected, but also the Deskjet
    series, which increases the market share for this hole
    considerably.

    You may counter that the user will notice that the printer is not
    working when hp_imaging_connectivity has been subverted. Well,
    not really. For some reason, and I have not found out why, the
    printer does not work if the user who installed the driver is
    different from the user who tries to use it. Consequently, the
    printer is not working by default!

    So if a user wants to be sure she can print, she will have to
    install the printer driver anew, and she will have to be an
    administrator. All printer users must therefore be administrators;
    the root compromise is thus entirely trivial.

    There are of course some other issues with HP's somewhat misguided
    approach: as the printer driver is an application tied to the
    user's desktop, it's impossible to print on the printer unless
    logged in on the console. And while the printer is spitting out
    pages, it is impossible to log out!

    My guess is that hp_imaging_connectivity was ported from a single
    user system without any security (like Mac OS 9 or Windows).
    Unfortunately, there does not seem to be a workaround other than
    not buying an HP ink jet printer for use with Mac OS X.

    With kind regards

                                            Andreas Mueller

    ------------------------------------------------------------
    Dr. Andreas Mueller Beratung und Entwicklung
    Bubental 53, CH - 8852 Altendorf <afmothello.ch>
    Voice: +41 55 462 1483 Fax/Data: +41 55 462 1485
    ------------------------------------------------------------
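The condition the post describes, a root-owned application bundle whose directories and binary are writable by every local user, is something an administrator can audit for on any Unix-like system. The following is an added example, not code from the post or from HP; it assumes a POSIX shell with find(1), ls(1) and wc(1), and uses the post's /Library/Printers/hp path only as a default argument.

```shell
#!/bin/sh
# Added example (not from the original post or from HP): audit a
# directory tree for world-writable directories and executables, the
# permission problem the post reports for hp_imaging_connectivity.app.
# Assumes a POSIX shell with find(1), ls(1) and wc(1). The default
# tree, /Library/Printers/hp, is the path named in the post.

# Executable files any user may overwrite: whatever later runs them
# (at login, as root or as an admin user) runs the replacement.
world_writable_executables() {
    find "${1:-/Library/Printers/hp}" -type f -perm -002 -perm -100
}

# Directories any user may write to: an entry inside can be renamed
# or replaced even when the file itself is not writable.
world_writable_dirs() {
    find "${1:-/Library/Printers/hp}" -type d -perm -002
}

# Print mode, owner and path (ls -ld style) for every finding.
report_findings() {
    dir="${1:-/Library/Printers/hp}"
    find "$dir" -type f -perm -002 -perm -100 -exec ls -ld {} \;
    find "$dir" -type d -perm -002 -exec ls -ld {} \;
}

# Number of findings, usable as an exit status or alert threshold.
count_findings() {
    dir="${1:-/Library/Printers/hp}"
    { world_writable_executables "$dir"; world_writable_dirs "$dir"; } \
        | wc -l | tr -d ' '
}

# Usage from an interactive shell, after sourcing this file:
#   report_findings /Library/Printers/hp
#   [ "$(count_findings /Library/Printers/hp)" -eq 0 ] || echo "unsafe"
```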