Old 09-26-2007, 03:21 PM   #1
gymnart
Member
 
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331

Rep: Reputation: 30
Samsung driver security hole


I read about this on Slashdot:
http://it.slashdot.org/article.pl?sid=07/07/18/0319203

I was wondering if the problem is with the installer or the driver itself?

I had tried the driver from Samsung at first using the provided disk but I didn't like the way it ran. It had itself as lp and I wanted it to be in my list of drivers in CUPS. I also had noticed that the Samsung driver was owned by lp and the other printer drivers I have are owned by root. So I uninstalled the Samsung driver and found a way to manually install the driver using the instructions on linuxprinting.org (http://www.linuxprinting.org/show_pr...amsung-CLP-510) and I was able to add and manage my printer using CUPS and it now shows up in the list of printers as "SamsungCLP510" rather than "lp".

Do I still have to worry about this possible security hole?
 
Old 09-26-2007, 05:08 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
According to the CVE candidate, it's the installer.
Quote:
The wrap_setuid_third_party_application function in the installation script for the Samsung SCX-4200 Driver 2.00.95 adds setuid permissions to third party applications such as xsane and xscanimage, which allows local users to gain privileges.
So your next step after uninstall would be to revert the SUID changes.

You can see which files' perms it altered by looking at the installer script.

Last edited by win32sux; 09-26-2007 at 05:26 PM.
 
Old 09-26-2007, 05:43 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
I just downloaded the driver and took a quick look at the installer.

Found these commented lines:
Code:
#	wrap_setuid_third_party_application xsane
#	wrap_setuid_third_party_application xscanimage

#	wrap_setuid_ooo_application soffice
#	wrap_setuid_ooo_application swriter
#	wrap_setuid_ooo_application simpress
#	wrap_setuid_ooo_application scalc
This is version 2.00.97, since I couldn't find 2.00.95. Perhaps they addressed the issue in 2.00.97 by commenting out these lines. Can you check your 2.00.95 to see if they are uncommented? If so, then these are probably the binaries you want to look at when doing your reversion. BTW, it's possible that the uninstaller reverts the changes on its own, I didn't look at that part.

Last edited by win32sux; 09-26-2007 at 06:04 PM.
 
Old 09-27-2007, 10:00 AM   #4
gymnart
Member
 
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331

Original Poster
Rep: Reputation: 30
I looked at the installer (the version I have is: 20070424151034937_UnifiedLinuxDriver) and this is what I saw:

Code:
wrap_setuid_third_party_application() {
	if echo "$1" | grep -q "/" ; then
		APP_NAME=$1
	else
		APP_NAME=`which $1 2> /dev/null`
	fi
	NEW_NAME=${APP_NAME}.bin

	if test -n "$APP_NAME" ; then
		if ! test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
			mv "$APP_NAME" "$NEW_NAME"
			cp -af /opt/${VENDOR}/mfp/bin/suwrap "$APP_NAME"
			chown root:root "$APP_NAME"
			chmod 4755 "$APP_NAME"
		fi
	fi
}

wrap_setuid_ooo_application() {
	WRAPPING_BIN=`ls /usr/lib*/*/program/$1.bin /opt/*/program/$1.bin 2> /dev/null | head -1`
	if test -n "$WRAPPING_BIN" ; then
		${2}wrap_setuid_third_party_application $WRAPPING_BIN
	fi
}

symlink_sane_backend_and_mfpport_libraries() {
	( cd /usr/lib$1 && \
	rm -f libmfp.so libmfp.so.1 libmfpdetect.so libmfpdetect.so.1 ; \
	ln -s -f libmfp.so.1.0.1 libmfp.so.1 ; true ln -s -f libmfpdetect.so.1.0.1 libmfpdetect.so.1 ; \
	ln -s -f libmfp.so.1 libmfp.so ; true ln -s -f libmfpdetect.so.1 libmfpdetect.so )
	( cd /usr/lib$1/sane && \
	rm -f libsane-smfp.so libsane-smfp.so.1 ; \
	ln -s -f libsane-smfp.so.1.0.1 libsane-smfp.so.1 ; \
	ln -s -f libsane-smfp.so.1 libsane-smfp.so )
And:

Code:
	wrap_setuid_third_party_application xsane
	wrap_setuid_third_party_application xscanimage

	wrap_setuid_ooo_application soffice
	wrap_setuid_ooo_application swriter
	wrap_setuid_ooo_application simpress
	wrap_setuid_ooo_application scalc
In the uninstall section, I found:
Code:
unwrap_setuid_third_party_application() {
	if echo "$1" | grep -q "/" ; then
		APP_NAME=$1
	else
		APP_NAME=`which $1 2> /dev/null`
	fi
	NEW_NAME=${APP_NAME}.bin

	if test -n "$APP_NAME" ; then
		if test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
			rm -f "$APP_NAME"
			mv "$NEW_NAME" "$APP_NAME"
		fi
	fi
}
I did not use the installer script but installed the driver manually.

I looked at xsane and xscanimage and saw that they are owned by root and their permissions are set to what the majority of the other apps are set to: -rwxr-xr-x. I guess I don't have to worry then?

Last edited by gymnart; 09-27-2007 at 10:15 AM. Reason: add more
 
Old 09-27-2007, 06:48 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Yeah, the version I got was 20070720152943906 (2.00.97).

Maybe post the output of this command so we can see which of your binaries are SUID:
Code:
find / -type f -perm -4000
 
Old 09-28-2007, 11:47 AM   #6
gymnart
Member
 
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331

Original Poster
Rep: Reputation: 30
So, this is the result of that command (carried out as myself not as root):

Code:
/bin/su
/bin/ping
/bin/eject
/bin/mount
/bin/ping6
/bin/umount
find: /etc/ssl/private: Permission denied
find: /etc/cups/ssl: Permission denied
find: /etc/cups/certs: Permission denied
find: /etc/news: Permission denied
find: /etc/skel/Documents: Permission denied
find: /etc/uucp: Permission denied
find: /etc/sysconfig/network/providers: Permission denied
find: /etc/autoinstall: Permission denied
/opt/kde3/bin/fileshareset
/opt/kde3/bin/artswrapper
/opt/kde3/bin/kcheckpass
/opt/kde3/bin/kpac_dhcp_helper
/opt/gnome/lib/libgnomesu/gnomesu-pam-backend
/opt/gnome/sbin/change-passwd
/opt/gnome/sbin/zapping_setup_fb
find: /tmp/YaST2-07914-9qQqtb: Permission denied
find: /tmp/siga: Permission denied
find: /tmp/YaST2-14422-Iw1VIb: Permission denied
find: /tmp/YaST2-07914-UxnsTG: Permission denied
find: /tmp/ksocket-root: Permission denied
find: /tmp/gconfd-root: Permission denied
find: /tmp/.wine-0: Permission denied
find: /tmp/kde-root: Permission denied
find: /tmp/orbit-root: Permission denied
find: /tmp/sax2-7014: Permission denied
find: /tmp/YaST2-07504-SNp6Jo: Permission denied
find: /tmp/YaST2-07460-azs8eV: Permission denied
find: /tmp/YaST2-06306-b4krS4: Permission denied
find: /tmp/YaST2-06463-r2GeLO: Permission denied
find: /tmp/YaST2-07049-ahmfoI: Permission denied
find: /tmp/YaST2-13866-A1wQns: Permission denied
find: /var/adm/backup: Permission denied
find: /var/adm/autoinstall: Permission denied
find: /var/lib/nfs/sm: Permission denied
find: /var/lib/nfs/sm.bak: Permission denied
find: /var/lib/xdm/authdir: Permission denied
find: /var/lib/acpi: Permission denied
find: /var/lib/pam_devperm: Permission denied
find: /var/lib/YaST2/backup_boot_sectors: Permission denied
find: /var/lib/nvidia: Permission denied
find: /var/lib/smpppd: Permission denied
find: /var/log/news: Permission denied
find: /var/log/YaST2: Permission denied
find: /var/log/apparmor: Permission denied
find: /var/run/sudo: Permission denied
find: /var/run/agentx: Permission denied
find: /var/run/xdmctl/dmctl: Permission denied
find: /var/tmp/kdecache-root: Permission denied
find: /var/spool/cron: Permission denied
find: /var/spool/cups: Permission denied
find: /var/spool/clientmqueue: Permission denied
find: /var/spool/amavis: Permission denied
find: /var/spool/atjobs: Permission denied
find: /var/spool/atspool: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/postfix/flush: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/trace: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/active: Permission denied
find: /var/spool/postfix/bounce: Permission denied
find: /var/spool/postfix/deferred: Permission denied
find: /var/spool/postfix/public: Permission denied
find: /var/spool/postfix/incoming: Permission denied
find: /var/spool/postfix/private: Permission denied
/usr/bin/at
/usr/bin/gpg
/usr/bin/man
/usr/bin/rcp
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/lppasswd
/usr/bin/vboxbeep
/usr/bin/crontab
/usr/bin/chage
/usr/bin/mandb
/usr/bin/ncplogin
/usr/bin/ncpmount
/usr/bin/cdrdao
/usr/bin/expiry
/usr/bin/ncpmap
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/rlogin
/usr/bin/nwsfind
/usr/bin/ncpumount
/usr/lib/mc/cons.saver
find: /usr/lib/man-db: Permission denied
/usr/lib/pt_chown
/usr/sbin/mgnokiidev
/usr/sbin/pppoe-wrapper
/usr/X11R6/bin/Xorg
/usr/X11R6/bin/v4l-conf
find: /usr/share/doc/packages/supertuxkart: Permission denied
find: /usr/share/YaST2/data/support: Permission denied
find: /proc/tty/driver: Permission denied
find: /proc/1/task/1/fd: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/task/2/fd: Permission denied
find: /proc/2/fd: Permission denied
find: /proc/3/task/3/fd: Permission denied
find: /proc/3/fd: Permission denied
find: /proc/4/task/4/fd: Permission denied
find: /proc/4/fd: Permission denied
find: /proc/5/task/5/fd: Permission denied
find: /proc/5/fd: Permission denied
find: /proc/6/task/6/fd: Permission denied
find: /proc/6/fd: Permission denied
find: /proc/7/task/7/fd: Permission denied
find: /proc/7/fd: Permission denied
find: /proc/8/task/8/fd: Permission denied
find: /proc/8/fd: Permission denied
find: /proc/9/task/9/fd: Permission denied
find: /proc/9/fd: Permission denied
find: /proc/16/task/16/fd: Permission denied
find: /proc/16/fd: Permission denied
find: /proc/473/task/473/fd: Permission denied
find: /proc/473/fd: Permission denied
find: /proc/476/task/476/fd: Permission denied
find: /proc/476/fd: Permission denied
find: /proc/531/task/531/fd: Permission denied
find: /proc/531/fd: Permission denied
find: /proc/532/task/532/fd: Permission denied
find: /proc/532/fd: Permission denied
find: /proc/533/task/533/fd: Permission denied
find: /proc/533/fd: Permission denied
find: /proc/534/task/534/fd: Permission denied
find: /proc/534/fd: Permission denied
find: /proc/535/task/535/fd: Permission denied
find: /proc/535/fd: Permission denied
find: /proc/1125/task/1125/fd: Permission denied
find: /proc/1125/fd: Permission denied
find: /proc/1181/task/1181/fd: Permission denied
find: /proc/1181/fd: Permission denied
find: /proc/1304/task/1304/fd: Permission denied
find: /proc/1304/fd: Permission denied
find: /proc/1305/task/1305/fd: Permission denied
find: /proc/1305/fd: Permission denied
find: /proc/1326/task/1326/fd: Permission denied
find: /proc/1326/fd: Permission denied
find: /proc/1329/task/1329/fd: Permission denied
find: /proc/1329/fd: Permission denied
find: /proc/1384/task/1384/fd: Permission denied
find: /proc/1384/fd: Permission denied
find: /proc/1385/task/1385/fd: Permission denied
find: /proc/1385/fd: Permission denied
find: /proc/2427/task/2427/fd: Permission denied
find: /proc/2427/fd: Permission denied
find: /proc/2848/task/2848/fd: Permission denied
find: /proc/2848/fd: Permission denied
find: /proc/2853/task/2853/fd: Permission denied
find: /proc/2853/fd: Permission denied
find: /proc/3122/task/3122/fd: Permission denied
find: /proc/3122/fd: Permission denied
find: /proc/3138/task/3138/fd: Permission denied
find: /proc/3138/fd: Permission denied
find: /proc/3139/task/3139/fd: Permission denied
find: /proc/3139/fd: Permission denied
find: /proc/3500/task/3500/fd: Permission denied
find: /proc/3500/fd: Permission denied
find: /proc/4591/task/4591/fd: Permission denied
find: /proc/4591/fd: Permission denied
find: /proc/4597/task/4597/fd: Permission denied
find: /proc/4597/fd: Permission denied
find: /proc/4754/task/4754/fd: Permission denied
find: /proc/4754/fd: Permission denied
find: /proc/4757/task/4757/fd: Permission denied
find: /proc/4757/fd: Permission denied
find: /proc/4760/task/4760/fd: Permission denied
find: /proc/4760/fd: Permission denied
find: /proc/4763/task/4763/fd: Permission denied
find: /proc/4763/fd: Permission denied
find: /proc/5079/task/5079/fd: Permission denied
find: /proc/5079/fd: Permission denied
find: /proc/5088/task/5088/fd: Permission denied
find: /proc/5088/fd: Permission denied
find: /proc/5107/task/5107/fd: Permission denied
find: /proc/5107/fd: Permission denied
find: /proc/6260/task/6260/fd: Permission denied
find: /proc/6260/fd: Permission denied
find: /proc/6267/task/6267/fd: Permission denied
find: /proc/6267/fd: Permission denied
find: /proc/6479/task/6479/fd: Permission denied
find: /proc/6479/fd: Permission denied
find: /proc/6511/task/6511/fd: Permission denied
find: /proc/6511/task/6512/fd: Permission denied
find: /proc/6511/task/6513/fd: Permission denied
find: /proc/6511/task/6514/fd: Permission denied
find: /proc/6511/task/6515/fd: Permission denied
find: /proc/6511/task/6516/fd: Permission denied
find: /proc/6511/task/6517/fd: Permission denied
find: /proc/6511/task/7288/fd: Permission denied
find: /proc/6511/task/7290/fd: Permission denied
find: /proc/6511/fd: Permission denied
find: /proc/6537/task/6537/fd: Permission denied
find: /proc/6537/fd: Permission denied
find: /proc/6588/task/6588/fd: Permission denied
find: /proc/6588/fd: Permission denied
find: /proc/6611/task/6611/fd: Permission denied
find: /proc/6611/fd: Permission denied
find: /proc/6613/task/6613/fd: Permission denied
find: /proc/6613/fd: Permission denied
find: /proc/6614/task/6614/fd: Permission denied
find: /proc/6614/fd: Permission denied
find: /proc/6624/task/6624/fd: Permission denied
find: /proc/6624/fd: Permission denied
find: /proc/6626/task/6626/fd: Permission denied
find: /proc/6626/fd: Permission denied
find: /proc/6679/task/6679/fd: Permission denied
find: /proc/6679/fd: Permission denied
find: /proc/6682/task/6682/fd: Permission denied
find: /proc/6682/fd: Permission denied
find: /proc/6812/task/6812/fd: Permission denied
find: /proc/6812/fd: Permission denied
find: /proc/6835/task/6835/fd: Permission denied
find: /proc/6835/fd: Permission denied
find: /proc/6836/task/6836/fd: Permission denied
find: /proc/6836/fd: Permission denied
find: /proc/6837/task/6837/fd: Permission denied
find: /proc/6837/fd: Permission denied
find: /proc/6843/task/6843/fd: Permission denied
find: /proc/6843/fd: Permission denied
find: /proc/6844/task/6844/fd: Permission denied
find: /proc/6844/fd: Permission denied
find: /proc/6845/task/6845/fd: Permission denied
find: /proc/6845/fd: Permission denied
find: /proc/6899/task/6899/fd: Permission denied
find: /proc/6899/fd: Permission denied
find: /proc/6906/task/6906/fd: Permission denied
find: /proc/6906/fd: Permission denied
find: /proc/6912/task/6912/fd: Permission denied
find: /proc/6912/fd: Permission denied
find: /proc/7171/task/7171/fd: Permission denied
find: /proc/7171/fd: Permission denied
find: /proc/7307/task/7307/fd: Permission denied
find: /proc/7307/fd: Permission denied
find: /proc/7308/task/7308/fd: Permission denied
find: /proc/7308/fd: Permission denied
find: /proc/7309/task/7309/fd: Permission denied
find: /proc/7309/fd: Permission denied
find: /proc/7341/task/7341/fd: Permission denied
find: /proc/7341/fd: Permission denied
find: /proc/7342/task/7342/fd: Permission denied
find: /proc/7342/fd: Permission denied
/sbin/isdnctrl
find: /root: Permission denied
find: /media/floppy: No medium found
 
Old 09-28-2007, 04:33 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Any of the mentioned binaries appear in there? I took a quick look and didn't see any but it's hard to tell with all those permission denieds. Why don't you run it as root to make it clearer?

Last edited by win32sux; 09-28-2007 at 04:36 PM.
 
Old 09-29-2007, 05:00 PM   #8
gymnart
Member
 
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331

Original Poster
Rep: Reputation: 30
I did the command again as root like you said and I didn't see any mention of xscanimage, xsane, soffice, swriter, scalc, or simpress.
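
Added example (not part of the original thread, and not Samsung's code): a shell audit for the signature left by the installer functions quoted in post #4, namely a setuid file at the program's path with the original saved beside it as `<path>.bin`, plus a restore step that mirrors the quoted uninstaller. The function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the vendor. Function names and the
# optional ROOT argument are assumptions made for illustration.
#
# The quoted installer wraps xsane and xscanimage by name. Its OpenOffice.org
# helper passes the already-suffixed program/<name>.bin path, so a wrapped
# soffice.bin has its original saved as soffice.bin.bin.

# Print one line per setuid copy of a targeted program under ROOT (default /).
# Returns 0 if anything was found, 1 if the tree is clean.
audit_samsung_wrappers() {
    root=${1:-/}
    found=$(find "$root" -type f -perm -4000 \( \
        -name xsane -o -name xscanimage -o -name soffice.bin -o \
        -name swriter.bin -o -name simpress.bin -o -name scalc.bin \) \
        2>/dev/null) || true
    [ -n "$found" ] || return 1
    printf '%s\n' "$found" | while IFS= read -r f; do
        if [ -f "$f.bin" ]; then
            echo "WRAPPED $f (original saved as $f.bin)"
        else
            echo "SETUID  $f (no saved original beside it)"
        fi
    done
    return 0
}

# Undo one wrap the way the quoted uninstaller does: drop the setuid wrapper
# and move the saved original back. Refuses unless both halves are present
# and the saved original is not itself setuid.
restore_wrapped() {
    f=$1
    if [ -u "$f" ] && [ -f "$f.bin" ] && [ ! -u "$f.bin" ]; then
        rm -f "$f" && mv "$f.bin" "$f"
    else
        echo "not restoring $f: wrap signature incomplete" >&2
        return 1
    fi
}

# Typical use, as root so no directory is skipped:
#   audit_samsung_wrappers /
#   restore_wrapped /path/reported/as/WRAPPED
```

Run the audit as root; an unprivileged run silently skips unreadable directories, which is the same gap the "Permission denied" lines in post #6 show.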
 
  

