09-26-2007, 03:21 PM, #1
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Samsung driver security hole
I read about this on Slashdot:
http://it.slashdot.org/article.pl?sid=07/07/18/0319203
I was wondering if the problem is with the installer or the driver itself?
I had tried the driver from Samsung at first using the provided disk but I didn't like the way it ran. It had itself as lp and I wanted it to be in my list of drivers in CUPS. I also had noticed that the Samsung driver was owned by lp and the other printer drivers I have are owned by root. So I uninstalled the Samsung driver and found a way to manually install the driver using the instructions on linuxprinting.org ( http://www.linuxprinting.org/show_pr...amsung-CLP-510) and I was able to add and manage my printer using CUPS and it now shows up in the list of printers as "SamsungCLP510" rather than "lp".
Do I still have to worry about this possible security hole?
09-26-2007, 05:08 PM, #2
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
According to the CVE candidate, it's the installer.
Quote:
The wrap_setuid_third_party_application function in the installation script for the Samsung SCX-4200 Driver 2.00.95 adds setuid permissions to third party applications such as xsane and xscanimage, which allows local users to gain privileges.
So your next step after uninstall would be to revert the SUID changes.
You can see which file's perms it altered by looking at the installer script.
Last edited by win32sux; 09-26-2007 at 05:26 PM.
09-26-2007, 05:43 PM, #3
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
I just downloaded the driver and took a quick look at the installer.
Found these commented lines:
Code:
# wrap_setuid_third_party_application xsane
# wrap_setuid_third_party_application xscanimage
# wrap_setuid_ooo_application soffice
# wrap_setuid_ooo_application swriter
# wrap_setuid_ooo_application simpress
# wrap_setuid_ooo_application scalc
This is version 2.00.97, since I couldn't find 2.00.95. Perhaps they addressed the issue in 2.00.97 by commenting out these lines. Can you check your 2.00.95 to see if they are uncommented? If so, then these are probably the binaries you want to look at when doing your reversion. BTW, it's possible that the uninstaller reverts the changes on its own, I didn't look at that part.
Last edited by win32sux; 09-26-2007 at 06:04 PM.
09-27-2007, 10:00 AM, #4
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Original Poster
I looked at the installer (the version I have is: 20070424151034937_UnifiedLinuxDriver) and this is what I saw:
Code:
# Replaces a program with a setuid-root copy of Samsung's suwrap and keeps the
# original beside it as <name>.bin.
wrap_setuid_third_party_application() {
    if echo "$1" | grep -q "/" ; then
        APP_NAME=$1
    else
        APP_NAME=`which $1 2> /dev/null`
    fi
    NEW_NAME=${APP_NAME}.bin
    if test -n "$APP_NAME" ; then
        if ! test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
            mv "$APP_NAME" "$NEW_NAME"
            cp -af /opt/${VENDOR}/mfp/bin/suwrap "$APP_NAME"
            chown root:root "$APP_NAME"
            chmod 4755 "$APP_NAME"
        fi
    fi
}
# Locates an OpenOffice.org program binary and hands it to the function above;
# $2 is an optional prefix ("un" in the uninstaller) that selects the
# (un)wrap variant.
wrap_setuid_ooo_application() {
    WRAPPING_BIN=`ls /usr/lib*/*/program/$1.bin /opt/*/program/$1.bin 2> /dev/null | head -1`
    if test -n "$WRAPPING_BIN" ; then
        ${2}wrap_setuid_third_party_application $WRAPPING_BIN
    fi
}
# Unrelated to the setuid change: recreates the library symlinks for the
# SANE backend (the "true ln ..." commands are disabled as written).
symlink_sane_backend_and_mfpport_libraries() {
    ( cd /usr/lib$1 && \
      rm -f libmfp.so libmfp.so.1 libmfpdetect.so libmfpdetect.so.1 ; \
      ln -s -f libmfp.so.1.0.1 libmfp.so.1 ; true ln -s -f libmfpdetect.so.1.0.1 libmfpdetect.so.1 ; \
      ln -s -f libmfp.so.1 libmfp.so ; true ln -s -f libmfpdetect.so.1 libmfpdetect.so )
    ( cd /usr/lib$1/sane && \
      rm -f libsane-smfp.so libsane-smfp.so.1 ; \
      ln -s -f libsane-smfp.so.1.0.1 libsane-smfp.so.1 ; \
      ln -s -f libsane-smfp.so.1 libsane-smfp.so )
}
And:
Code:
wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc
In the uninstall section, I found:
Code:
# Reverts the wrapping: removes the setuid stub and moves <name>.bin back.
unwrap_setuid_third_party_application() {
    if echo "$1" | grep -q "/" ; then
        APP_NAME=$1
    else
        APP_NAME=`which $1 2> /dev/null`
    fi
    NEW_NAME=${APP_NAME}.bin
    if test -n "$APP_NAME" ; then
        if test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
            rm -f "$APP_NAME"
            mv "$NEW_NAME" "$APP_NAME"
        fi
    fi
}
I did not use the installer script but installed the driver manually.
I looked at xsane and xscanimage and saw that they are owned by root and their permissions are set to what the majority of the other apps are set to: -rwxr-xr-x. I guess I don't have to worry then?
Last edited by gymnart; 09-27-2007 at 10:15 AM. Reason: add more
09-27-2007, 06:48 PM, #5
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Yeah, the version I got was 20070720152943906 (2.00.97).
Maybe post the output of this command so we can see which of your binaries are SUID:
Code:
find / -type f -perm +4000
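The wrapping leaves a recognisable trace: a setuid-root file sitting next to a file of the same name plus ".bin". The helper below (an added example, not code from this thread or from Samsung's installer) narrows a SUID listing like the find command above to exactly such pairs, and reverts a hit the same way the uninstaller's unwrap function does; the demo at the end runs only on a constructed temporary directory.

```sh
#!/bin/sh
# find_wrapped_binaries DIR...: print every setuid file under DIR... that has a
# "<file>.bin" sibling, the signature left by wrap_setuid_third_party_application.
# It changes nothing; use it as an audit step before deciding what to revert.
find_wrapped_binaries() {
    find "$@" -type f -perm -4000 2>/dev/null | while IFS= read -r app; do
        # The renamed original sits beside the setuid wrapper as "<app>.bin".
        if [ -f "$app.bin" ] && [ ! -d "$app.bin" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# unwrap_binary APP: restore the original the way the uninstaller does
# (delete the wrapper, move the .bin copy back). Returns 1 when APP was
# not wrapped, so nothing is deleted by mistake.
unwrap_binary() {
    app=$1
    if [ -f "$app.bin" ] && [ ! -d "$app.bin" ]; then
        rm -f "$app"
        mv "$app.bin" "$app"
        return 0
    fi
    return 1
}

# Demo on a constructed tree (no real system files are touched).
demo() {
    tmp=$(mktemp -d)
    # constructed: a "wrapped" program, i.e. setuid stub plus renamed original
    printf '#!/bin/sh\necho stub\n' > "$tmp/xsane"
    printf '#!/bin/sh\necho real\n' > "$tmp/xsane.bin"
    chmod 4755 "$tmp/xsane"
    # constructed: an ordinary setuid program with no .bin sibling (no match)
    printf '#!/bin/sh\n' > "$tmp/su"
    chmod 4755 "$tmp/su"
    # constructed: a normal, non-setuid program (no match)
    printf '#!/bin/sh\n' > "$tmp/xscanimage"
    chmod 0755 "$tmp/xscanimage"
    echo "wrapped binaries found:"
    find_wrapped_binaries "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real system the audit would be run as root over the directories the installer touches (the PATH directories for xsane and xscanimage, and the OpenOffice.org program directories), since the find output above shows what an unprivileged user cannot see.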
09-28-2007, 11:47 AM, #6
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Original Poster
So, this is the result of that command (carried out as myself, not as root):
Code:
/bin/su
/bin/ping
/bin/eject
/bin/mount
/bin/ping6
/bin/umount
find: /etc/ssl/private: Permission denied
find: /etc/cups/ssl: Permission denied
find: /etc/cups/certs: Permission denied
find: /etc/news: Permission denied
find: /etc/skel/Documents: Permission denied
find: /etc/uucp: Permission denied
find: /etc/sysconfig/network/providers: Permission denied
find: /etc/autoinstall: Permission denied
/opt/kde3/bin/fileshareset
/opt/kde3/bin/artswrapper
/opt/kde3/bin/kcheckpass
/opt/kde3/bin/kpac_dhcp_helper
/opt/gnome/lib/libgnomesu/gnomesu-pam-backend
/opt/gnome/sbin/change-passwd
/opt/gnome/sbin/zapping_setup_fb
find: /tmp/YaST2-07914-9qQqtb: Permission denied
find: /tmp/siga: Permission denied
find: /tmp/YaST2-14422-Iw1VIb: Permission denied
find: /tmp/YaST2-07914-UxnsTG: Permission denied
find: /tmp/ksocket-root: Permission denied
find: /tmp/gconfd-root: Permission denied
find: /tmp/.wine-0: Permission denied
find: /tmp/kde-root: Permission denied
find: /tmp/orbit-root: Permission denied
find: /tmp/sax2-7014: Permission denied
find: /tmp/YaST2-07504-SNp6Jo: Permission denied
find: /tmp/YaST2-07460-azs8eV: Permission denied
find: /tmp/YaST2-06306-b4krS4: Permission denied
find: /tmp/YaST2-06463-r2GeLO: Permission denied
find: /tmp/YaST2-07049-ahmfoI: Permission denied
find: /tmp/YaST2-13866-A1wQns: Permission denied
find: /var/adm/backup: Permission denied
find: /var/adm/autoinstall: Permission denied
find: /var/lib/nfs/sm: Permission denied
find: /var/lib/nfs/sm.bak: Permission denied
find: /var/lib/xdm/authdir: Permission denied
find: /var/lib/acpi: Permission denied
find: /var/lib/pam_devperm: Permission denied
find: /var/lib/YaST2/backup_boot_sectors: Permission denied
find: /var/lib/nvidia: Permission denied
find: /var/lib/smpppd: Permission denied
find: /var/log/news: Permission denied
find: /var/log/YaST2: Permission denied
find: /var/log/apparmor: Permission denied
find: /var/run/sudo: Permission denied
find: /var/run/agentx: Permission denied
find: /var/run/xdmctl/dmctl: Permission denied
find: /var/tmp/kdecache-root: Permission denied
find: /var/spool/cron: Permission denied
find: /var/spool/cups: Permission denied
find: /var/spool/clientmqueue: Permission denied
find: /var/spool/amavis: Permission denied
find: /var/spool/atjobs: Permission denied
find: /var/spool/atspool: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/postfix/flush: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/trace: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/active: Permission denied
find: /var/spool/postfix/bounce: Permission denied
find: /var/spool/postfix/deferred: Permission denied
find: /var/spool/postfix/public: Permission denied
find: /var/spool/postfix/incoming: Permission denied
find: /var/spool/postfix/private: Permission denied
/usr/bin/at
/usr/bin/gpg
/usr/bin/man
/usr/bin/rcp
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/lppasswd
/usr/bin/vboxbeep
/usr/bin/crontab
/usr/bin/chage
/usr/bin/mandb
/usr/bin/ncplogin
/usr/bin/ncpmount
/usr/bin/cdrdao
/usr/bin/expiry
/usr/bin/ncpmap
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/rlogin
/usr/bin/nwsfind
/usr/bin/ncpumount
/usr/lib/mc/cons.saver
find: /usr/lib/man-db: Permission denied
/usr/lib/pt_chown
/usr/sbin/mgnokiidev
/usr/sbin/pppoe-wrapper
/usr/X11R6/bin/Xorg
/usr/X11R6/bin/v4l-conf
find: /usr/share/doc/packages/supertuxkart: Permission denied
find: /usr/share/YaST2/data/support: Permission denied
find: /proc/tty/driver: Permission denied
find: /proc/1/task/1/fd: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/task/2/fd: Permission denied
find: /proc/2/fd: Permission denied
find: /proc/3/task/3/fd: Permission denied
find: /proc/3/fd: Permission denied
find: /proc/4/task/4/fd: Permission denied
find: /proc/4/fd: Permission denied
find: /proc/5/task/5/fd: Permission denied
find: /proc/5/fd: Permission denied
find: /proc/6/task/6/fd: Permission denied
find: /proc/6/fd: Permission denied
find: /proc/7/task/7/fd: Permission denied
find: /proc/7/fd: Permission denied
find: /proc/8/task/8/fd: Permission denied
find: /proc/8/fd: Permission denied
find: /proc/9/task/9/fd: Permission denied
find: /proc/9/fd: Permission denied
find: /proc/16/task/16/fd: Permission denied
find: /proc/16/fd: Permission denied
find: /proc/473/task/473/fd: Permission denied
find: /proc/473/fd: Permission denied
find: /proc/476/task/476/fd: Permission denied
find: /proc/476/fd: Permission denied
find: /proc/531/task/531/fd: Permission denied
find: /proc/531/fd: Permission denied
find: /proc/532/task/532/fd: Permission denied
find: /proc/532/fd: Permission denied
find: /proc/533/task/533/fd: Permission denied
find: /proc/533/fd: Permission denied
find: /proc/534/task/534/fd: Permission denied
find: /proc/534/fd: Permission denied
find: /proc/535/task/535/fd: Permission denied
find: /proc/535/fd: Permission denied
find: /proc/1125/task/1125/fd: Permission denied
find: /proc/1125/fd: Permission denied
find: /proc/1181/task/1181/fd: Permission denied
find: /proc/1181/fd: Permission denied
find: /proc/1304/task/1304/fd: Permission denied
find: /proc/1304/fd: Permission denied
find: /proc/1305/task/1305/fd: Permission denied
find: /proc/1305/fd: Permission denied
find: /proc/1326/task/1326/fd: Permission denied
find: /proc/1326/fd: Permission denied
find: /proc/1329/task/1329/fd: Permission denied
find: /proc/1329/fd: Permission denied
find: /proc/1384/task/1384/fd: Permission denied
find: /proc/1384/fd: Permission denied
find: /proc/1385/task/1385/fd: Permission denied
find: /proc/1385/fd: Permission denied
find: /proc/2427/task/2427/fd: Permission denied
find: /proc/2427/fd: Permission denied
find: /proc/2848/task/2848/fd: Permission denied
find: /proc/2848/fd: Permission denied
find: /proc/2853/task/2853/fd: Permission denied
find: /proc/2853/fd: Permission denied
find: /proc/3122/task/3122/fd: Permission denied
find: /proc/3122/fd: Permission denied
find: /proc/3138/task/3138/fd: Permission denied
find: /proc/3138/fd: Permission denied
find: /proc/3139/task/3139/fd: Permission denied
find: /proc/3139/fd: Permission denied
find: /proc/3500/task/3500/fd: Permission denied
find: /proc/3500/fd: Permission denied
find: /proc/4591/task/4591/fd: Permission denied
find: /proc/4591/fd: Permission denied
find: /proc/4597/task/4597/fd: Permission denied
find: /proc/4597/fd: Permission denied
find: /proc/4754/task/4754/fd: Permission denied
find: /proc/4754/fd: Permission denied
find: /proc/4757/task/4757/fd: Permission denied
find: /proc/4757/fd: Permission denied
find: /proc/4760/task/4760/fd: Permission denied
find: /proc/4760/fd: Permission denied
find: /proc/4763/task/4763/fd: Permission denied
find: /proc/4763/fd: Permission denied
find: /proc/5079/task/5079/fd: Permission denied
find: /proc/5079/fd: Permission denied
find: /proc/5088/task/5088/fd: Permission denied
find: /proc/5088/fd: Permission denied
find: /proc/5107/task/5107/fd: Permission denied
find: /proc/5107/fd: Permission denied
find: /proc/6260/task/6260/fd: Permission denied
find: /proc/6260/fd: Permission denied
find: /proc/6267/task/6267/fd: Permission denied
find: /proc/6267/fd: Permission denied
find: /proc/6479/task/6479/fd: Permission denied
find: /proc/6479/fd: Permission denied
find: /proc/6511/task/6511/fd: Permission denied
find: /proc/6511/task/6512/fd: Permission denied
find: /proc/6511/task/6513/fd: Permission denied
find: /proc/6511/task/6514/fd: Permission denied
find: /proc/6511/task/6515/fd: Permission denied
find: /proc/6511/task/6516/fd: Permission denied
find: /proc/6511/task/6517/fd: Permission denied
find: /proc/6511/task/7288/fd: Permission denied
find: /proc/6511/task/7290/fd: Permission denied
find: /proc/6511/fd: Permission denied
find: /proc/6537/task/6537/fd: Permission denied
find: /proc/6537/fd: Permission denied
find: /proc/6588/task/6588/fd: Permission denied
find: /proc/6588/fd: Permission denied
find: /proc/6611/task/6611/fd: Permission denied
find: /proc/6611/fd: Permission denied
find: /proc/6613/task/6613/fd: Permission denied
find: /proc/6613/fd: Permission denied
find: /proc/6614/task/6614/fd: Permission denied
find: /proc/6614/fd: Permission denied
find: /proc/6624/task/6624/fd: Permission denied
find: /proc/6624/fd: Permission denied
find: /proc/6626/task/6626/fd: Permission denied
find: /proc/6626/fd: Permission denied
find: /proc/6679/task/6679/fd: Permission denied
find: /proc/6679/fd: Permission denied
find: /proc/6682/task/6682/fd: Permission denied
find: /proc/6682/fd: Permission denied
find: /proc/6812/task/6812/fd: Permission denied
find: /proc/6812/fd: Permission denied
find: /proc/6835/task/6835/fd: Permission denied
find: /proc/6835/fd: Permission denied
find: /proc/6836/task/6836/fd: Permission denied
find: /proc/6836/fd: Permission denied
find: /proc/6837/task/6837/fd: Permission denied
find: /proc/6837/fd: Permission denied
find: /proc/6843/task/6843/fd: Permission denied
find: /proc/6843/fd: Permission denied
find: /proc/6844/task/6844/fd: Permission denied
find: /proc/6844/fd: Permission denied
find: /proc/6845/task/6845/fd: Permission denied
find: /proc/6845/fd: Permission denied
find: /proc/6899/task/6899/fd: Permission denied
find: /proc/6899/fd: Permission denied
find: /proc/6906/task/6906/fd: Permission denied
find: /proc/6906/fd: Permission denied
find: /proc/6912/task/6912/fd: Permission denied
find: /proc/6912/fd: Permission denied
find: /proc/7171/task/7171/fd: Permission denied
find: /proc/7171/fd: Permission denied
find: /proc/7307/task/7307/fd: Permission denied
find: /proc/7307/fd: Permission denied
find: /proc/7308/task/7308/fd: Permission denied
find: /proc/7308/fd: Permission denied
find: /proc/7309/task/7309/fd: Permission denied
find: /proc/7309/fd: Permission denied
find: /proc/7341/task/7341/fd: Permission denied
find: /proc/7341/fd: Permission denied
find: /proc/7342/task/7342/fd: Permission denied
find: /proc/7342/fd: Permission denied
/sbin/isdnctrl
find: /root: Permission denied
find: /media/floppy: No medium found
09-28-2007, 04:33 PM, #7
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Any of the mentioned binaries appear in there? I took a quick look and didn't see any but it's hard to tell with all those permission denieds. Why don't you run it as root to make it clearer?
Last edited by win32sux; 09-28-2007 at 04:36 PM.
09-29-2007, 05:00 PM, #8
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Original Poster
I did the command again as root like you said and I didn't see any mention of xscanimage, xsane, soffice, swriter, scalc, or simpress.