Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
09-26-2007, 03:21 PM
#1
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Samsung driver security hole
I read about this on Slashdot:
http://it.slashdot.org/article.pl?sid=07/07/18/0319203
I was wondering if the problem is with the installer or the driver itself?
I had tried the driver from Samsung at first using the provided disk but I didn't like the way it ran. It had itself as lp and I wanted it to be in my list of drivers in CUPS. I also had noticed that the Samsung driver was owned by lp and the other printer drivers I have are owned by root. So I uninstalled the Samsung driver and found a way to manually install the driver using the instructions on linuxprinting.org (
http://www.linuxprinting.org/show_pr...amsung-CLP-510 ) and I was able to add and manage my printer using CUPS and it now shows up in the list of printers as "SamsungCLP510" rather than "lp".
Do I still have to worry about this possible security hole?
09-26-2007, 05:08 PM
#2
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
According to the CVE candidate, it's the installer.
Quote:
The wrap_setuid_third_party_application function in the installation script for the Samsung SCX-4200 Driver 2.00.95 adds setuid permissions to third party applications such as xsane and xscanimage, which allows local users to gain privileges.
So your next step after uninstall would be to revert the SUID changes.
You can see which file's perms it altered by looking at the installer script.
Last edited by win32sux; 09-26-2007 at 05:26 PM.
09-26-2007, 05:43 PM
#3
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
I just downloaded the driver and took a quick look at the installer.
Found these commented lines:
Code:
# wrap_setuid_third_party_application xsane
# wrap_setuid_third_party_application xscanimage
# wrap_setuid_ooo_application soffice
# wrap_setuid_ooo_application swriter
# wrap_setuid_ooo_application simpress
# wrap_setuid_ooo_application scalc
This is version 2.00.97, since I couldn't find 2.00.95. Perhaps they addressed the issue in 2.00.97 by commenting out these lines. Can you check your 2.00.95 to see if they are uncommented? If so, then these are probably the binaries you want to look at when doing your reversion. BTW, it's possible that the uninstaller reverts the changes on its own, I didn't look at that part.
Last edited by win32sux; 09-26-2007 at 06:04 PM.
09-27-2007, 10:00 AM
#4
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Original Poster
I looked at the installer (the version I have is: 20070424151034937_UnifiedLinuxDriver) and this is what I saw:
Code:
# Replaces a third-party binary with the vendor's setuid-root "suwrap" stub.
# The real program is moved aside to <name>.bin; the stub takes its place
# owned by root with mode 4755, which is the privilege problem in the CVE.
wrap_setuid_third_party_application() {
    if echo "$1" | grep -q "/" ; then
        APP_NAME=$1
    else
        APP_NAME=`which $1 2> /dev/null`
    fi
    NEW_NAME=${APP_NAME}.bin
    if test -n "$APP_NAME" ; then
        if ! test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
            mv "$APP_NAME" "$NEW_NAME"
            cp -af /opt/${VENDOR}/mfp/bin/suwrap "$APP_NAME"
            chown root:root "$APP_NAME"
            chmod 4755 "$APP_NAME"
        fi
    fi
}
# Same treatment for OpenOffice.org programs, located under /usr/lib*/ or /opt.
wrap_setuid_ooo_application() {
    WRAPPING_BIN=`ls /usr/lib*/*/program/$1.bin /opt/*/program/$1.bin 2> /dev/null | head -1`
    if test -n "$WRAPPING_BIN" ; then
        ${2}wrap_setuid_third_party_application $WRAPPING_BIN
    fi
}
# Library symlink setup for the SANE backend (unrelated to the SUID issue).
symlink_sane_backend_and_mfpport_libraries() {
    ( cd /usr/lib$1 && \
      rm -f libmfp.so libmfp.so.1 libmfpdetect.so libmfpdetect.so.1 ; \
      ln -s -f libmfp.so.1.0.1 libmfp.so.1 ; true ln -s -f libmfpdetect.so.1.0.1 libmfpdetect.so.1 ; \
      ln -s -f libmfp.so.1 libmfp.so ; true ln -s -f libmfpdetect.so.1 libmfpdetect.so )
    ( cd /usr/lib$1/sane && \
      rm -f libsane-smfp.so libsane-smfp.so.1 ; \
      ln -s -f libsane-smfp.so.1.0.1 libsane-smfp.so.1 ; \
      ln -s -f libsane-smfp.so.1 libsane-smfp.so )
}
And:
Code:
wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc
In the uninstall section, I found:
Code:
# Reverses the wrap: removes the setuid stub and moves <name>.bin back.
unwrap_setuid_third_party_application() {
    if echo "$1" | grep -q "/" ; then
        APP_NAME=$1
    else
        APP_NAME=`which $1 2> /dev/null`
    fi
    NEW_NAME=${APP_NAME}.bin
    if test -n "$APP_NAME" ; then
        if test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
            rm -f "$APP_NAME"
            mv "$NEW_NAME" "$APP_NAME"
        fi
    fi
}
I did not use the installer script but installed the driver manually.
I looked at xsane and xscanimage and saw that they are owned by root and their permissions are set to what the majority of the other apps are set to: -rwxr-xr-x. I guess I don't have to worry then?
Last edited by gymnart; 09-27-2007 at 10:15 AM.
Reason: add more
09-27-2007, 06:48 PM
#5
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Yeah, the version I got was 20070720152943906 (2.00.97).
Maybe post the output of this command so we can see which of your binaries are SUID:
Code:
find / -type f -perm +4000
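An added audit script (not from the thread or from Samsung's installer) that ties post #4 and post #5 together: it lists setuid files without the "Permission denied" noise, flags any that carry the wrap footprint (a setuid file NAME with the displaced original NAME.bin beside it), and reverts a hit the way the installer's unwrap function does. The fixture directory, file names and the stand-in wrapper script are constructed for the demo; the paths are hypothetical, not a real system.

```shell
#!/bin/sh
# Added example, not part of the thread or of Samsung's installer.

# Setuid files under a root, with find's permission errors discarded.
# -perm -4000 is the portable spelling of the deprecated -perm +4000.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Number of setuid files under a root (prints 0 when there are none).
count_suid() {
    list_suid "$1" | grep -c . || true
}

# Setuid files matching the wrap signature: a sibling NAME.bin exists.
find_wrapped() {
    find "$1" -xdev -type f -perm -4000 \
        -exec sh -c 'test -f "$1.bin"' _ {} \; -print 2>/dev/null | sort
}

# Revert one wrapped binary: drop the stub, move the original back.
# Mirrors unwrap_setuid_third_party_application; fails if nothing to restore.
restore_wrapped() {
    test -f "$1.bin" || return 1
    rm -f "$1" && mv "$1.bin" "$1"
}

# Constructed fixture under a temp dir (hypothetical, not a real system):
# xsane wrapped the way the installer does it, passwd a normal setuid file.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin"
    printf '#!/bin/sh\necho real xsane\n' > "$d/usr/bin/xsane.bin"
    printf '#!/bin/sh\nexec "$0.bin" "$@"\n' > "$d/usr/bin/xsane"  # stand-in for suwrap
    printf '#!/bin/sh\n' > "$d/usr/bin/passwd"
    chmod 0755 "$d/usr/bin/xsane.bin"
    chmod 4755 "$d/usr/bin/xsane" "$d/usr/bin/passwd"
    echo "$d"
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "setuid files: $(count_suid "$root")"
    echo "wrapped:"; find_wrapped "$root"
    restore_wrapped "$root/usr/bin/xsane" && echo "restored xsane"
    rm -rf "$root"
fi
```

On a real box, run `find_wrapped /` as root; a clean result together with the six binaries being absent from `list_suid /` is the confirmation the thread is after.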
09-28-2007, 11:47 AM
#6
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Original Poster
So, this is the result of that command (carried out as myself not as root):
Code:
/bin/su
/bin/ping
/bin/eject
/bin/mount
/bin/ping6
/bin/umount
find: /etc/ssl/private: Permission denied
find: /etc/cups/ssl: Permission denied
find: /etc/cups/certs: Permission denied
find: /etc/news: Permission denied
find: /etc/skel/Documents: Permission denied
find: /etc/uucp: Permission denied
find: /etc/sysconfig/network/providers: Permission denied
find: /etc/autoinstall: Permission denied
/opt/kde3/bin/fileshareset
/opt/kde3/bin/artswrapper
/opt/kde3/bin/kcheckpass
/opt/kde3/bin/kpac_dhcp_helper
/opt/gnome/lib/libgnomesu/gnomesu-pam-backend
/opt/gnome/sbin/change-passwd
/opt/gnome/sbin/zapping_setup_fb
find: /tmp/YaST2-07914-9qQqtb: Permission denied
find: /tmp/siga: Permission denied
find: /tmp/YaST2-14422-Iw1VIb: Permission denied
find: /tmp/YaST2-07914-UxnsTG: Permission denied
find: /tmp/ksocket-root: Permission denied
find: /tmp/gconfd-root: Permission denied
find: /tmp/.wine-0: Permission denied
find: /tmp/kde-root: Permission denied
find: /tmp/orbit-root: Permission denied
find: /tmp/sax2-7014: Permission denied
find: /tmp/YaST2-07504-SNp6Jo: Permission denied
find: /tmp/YaST2-07460-azs8eV: Permission denied
find: /tmp/YaST2-06306-b4krS4: Permission denied
find: /tmp/YaST2-06463-r2GeLO: Permission denied
find: /tmp/YaST2-07049-ahmfoI: Permission denied
find: /tmp/YaST2-13866-A1wQns: Permission denied
find: /var/adm/backup: Permission denied
find: /var/adm/autoinstall: Permission denied
find: /var/lib/nfs/sm: Permission denied
find: /var/lib/nfs/sm.bak: Permission denied
find: /var/lib/xdm/authdir: Permission denied
find: /var/lib/acpi: Permission denied
find: /var/lib/pam_devperm: Permission denied
find: /var/lib/YaST2/backup_boot_sectors: Permission denied
find: /var/lib/nvidia: Permission denied
find: /var/lib/smpppd: Permission denied
find: /var/log/news: Permission denied
find: /var/log/YaST2: Permission denied
find: /var/log/apparmor: Permission denied
find: /var/run/sudo: Permission denied
find: /var/run/agentx: Permission denied
find: /var/run/xdmctl/dmctl: Permission denied
find: /var/tmp/kdecache-root: Permission denied
find: /var/spool/cron: Permission denied
find: /var/spool/cups: Permission denied
find: /var/spool/clientmqueue: Permission denied
find: /var/spool/amavis: Permission denied
find: /var/spool/atjobs: Permission denied
find: /var/spool/atspool: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/postfix/flush: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/trace: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/active: Permission denied
find: /var/spool/postfix/bounce: Permission denied
find: /var/spool/postfix/deferred: Permission denied
find: /var/spool/postfix/public: Permission denied
find: /var/spool/postfix/incoming: Permission denied
find: /var/spool/postfix/private: Permission denied
/usr/bin/at
/usr/bin/gpg
/usr/bin/man
/usr/bin/rcp
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/lppasswd
/usr/bin/vboxbeep
/usr/bin/crontab
/usr/bin/chage
/usr/bin/mandb
/usr/bin/ncplogin
/usr/bin/ncpmount
/usr/bin/cdrdao
/usr/bin/expiry
/usr/bin/ncpmap
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/rlogin
/usr/bin/nwsfind
/usr/bin/ncpumount
/usr/lib/mc/cons.saver
find: /usr/lib/man-db: Permission denied
/usr/lib/pt_chown
/usr/sbin/mgnokiidev
/usr/sbin/pppoe-wrapper
/usr/X11R6/bin/Xorg
/usr/X11R6/bin/v4l-conf
find: /usr/share/doc/packages/supertuxkart: Permission denied
find: /usr/share/YaST2/data/support: Permission denied
find: /proc/tty/driver: Permission denied
find: /proc/1/task/1/fd: Permission denied
find: /proc/1/fd: Permission denied
find: /proc/2/task/2/fd: Permission denied
find: /proc/2/fd: Permission denied
find: /proc/3/task/3/fd: Permission denied
find: /proc/3/fd: Permission denied
find: /proc/4/task/4/fd: Permission denied
find: /proc/4/fd: Permission denied
find: /proc/5/task/5/fd: Permission denied
find: /proc/5/fd: Permission denied
find: /proc/6/task/6/fd: Permission denied
find: /proc/6/fd: Permission denied
find: /proc/7/task/7/fd: Permission denied
find: /proc/7/fd: Permission denied
find: /proc/8/task/8/fd: Permission denied
find: /proc/8/fd: Permission denied
find: /proc/9/task/9/fd: Permission denied
find: /proc/9/fd: Permission denied
find: /proc/16/task/16/fd: Permission denied
find: /proc/16/fd: Permission denied
find: /proc/473/task/473/fd: Permission denied
find: /proc/473/fd: Permission denied
find: /proc/476/task/476/fd: Permission denied
find: /proc/476/fd: Permission denied
find: /proc/531/task/531/fd: Permission denied
find: /proc/531/fd: Permission denied
find: /proc/532/task/532/fd: Permission denied
find: /proc/532/fd: Permission denied
find: /proc/533/task/533/fd: Permission denied
find: /proc/533/fd: Permission denied
find: /proc/534/task/534/fd: Permission denied
find: /proc/534/fd: Permission denied
find: /proc/535/task/535/fd: Permission denied
find: /proc/535/fd: Permission denied
find: /proc/1125/task/1125/fd: Permission denied
find: /proc/1125/fd: Permission denied
find: /proc/1181/task/1181/fd: Permission denied
find: /proc/1181/fd: Permission denied
find: /proc/1304/task/1304/fd: Permission denied
find: /proc/1304/fd: Permission denied
find: /proc/1305/task/1305/fd: Permission denied
find: /proc/1305/fd: Permission denied
find: /proc/1326/task/1326/fd: Permission denied
find: /proc/1326/fd: Permission denied
find: /proc/1329/task/1329/fd: Permission denied
find: /proc/1329/fd: Permission denied
find: /proc/1384/task/1384/fd: Permission denied
find: /proc/1384/fd: Permission denied
find: /proc/1385/task/1385/fd: Permission denied
find: /proc/1385/fd: Permission denied
find: /proc/2427/task/2427/fd: Permission denied
find: /proc/2427/fd: Permission denied
find: /proc/2848/task/2848/fd: Permission denied
find: /proc/2848/fd: Permission denied
find: /proc/2853/task/2853/fd: Permission denied
find: /proc/2853/fd: Permission denied
find: /proc/3122/task/3122/fd: Permission denied
find: /proc/3122/fd: Permission denied
find: /proc/3138/task/3138/fd: Permission denied
find: /proc/3138/fd: Permission denied
find: /proc/3139/task/3139/fd: Permission denied
find: /proc/3139/fd: Permission denied
find: /proc/3500/task/3500/fd: Permission denied
find: /proc/3500/fd: Permission denied
find: /proc/4591/task/4591/fd: Permission denied
find: /proc/4591/fd: Permission denied
find: /proc/4597/task/4597/fd: Permission denied
find: /proc/4597/fd: Permission denied
find: /proc/4754/task/4754/fd: Permission denied
find: /proc/4754/fd: Permission denied
find: /proc/4757/task/4757/fd: Permission denied
find: /proc/4757/fd: Permission denied
find: /proc/4760/task/4760/fd: Permission denied
find: /proc/4760/fd: Permission denied
find: /proc/4763/task/4763/fd: Permission denied
find: /proc/4763/fd: Permission denied
find: /proc/5079/task/5079/fd: Permission denied
find: /proc/5079/fd: Permission denied
find: /proc/5088/task/5088/fd: Permission denied
find: /proc/5088/fd: Permission denied
find: /proc/5107/task/5107/fd: Permission denied
find: /proc/5107/fd: Permission denied
find: /proc/6260/task/6260/fd: Permission denied
find: /proc/6260/fd: Permission denied
find: /proc/6267/task/6267/fd: Permission denied
find: /proc/6267/fd: Permission denied
find: /proc/6479/task/6479/fd: Permission denied
find: /proc/6479/fd: Permission denied
find: /proc/6511/task/6511/fd: Permission denied
find: /proc/6511/task/6512/fd: Permission denied
find: /proc/6511/task/6513/fd: Permission denied
find: /proc/6511/task/6514/fd: Permission denied
find: /proc/6511/task/6515/fd: Permission denied
find: /proc/6511/task/6516/fd: Permission denied
find: /proc/6511/task/6517/fd: Permission denied
find: /proc/6511/task/7288/fd: Permission denied
find: /proc/6511/task/7290/fd: Permission denied
find: /proc/6511/fd: Permission denied
find: /proc/6537/task/6537/fd: Permission denied
find: /proc/6537/fd: Permission denied
find: /proc/6588/task/6588/fd: Permission denied
find: /proc/6588/fd: Permission denied
find: /proc/6611/task/6611/fd: Permission denied
find: /proc/6611/fd: Permission denied
find: /proc/6613/task/6613/fd: Permission denied
find: /proc/6613/fd: Permission denied
find: /proc/6614/task/6614/fd: Permission denied
find: /proc/6614/fd: Permission denied
find: /proc/6624/task/6624/fd: Permission denied
find: /proc/6624/fd: Permission denied
find: /proc/6626/task/6626/fd: Permission denied
find: /proc/6626/fd: Permission denied
find: /proc/6679/task/6679/fd: Permission denied
find: /proc/6679/fd: Permission denied
find: /proc/6682/task/6682/fd: Permission denied
find: /proc/6682/fd: Permission denied
find: /proc/6812/task/6812/fd: Permission denied
find: /proc/6812/fd: Permission denied
find: /proc/6835/task/6835/fd: Permission denied
find: /proc/6835/fd: Permission denied
find: /proc/6836/task/6836/fd: Permission denied
find: /proc/6836/fd: Permission denied
find: /proc/6837/task/6837/fd: Permission denied
find: /proc/6837/fd: Permission denied
find: /proc/6843/task/6843/fd: Permission denied
find: /proc/6843/fd: Permission denied
find: /proc/6844/task/6844/fd: Permission denied
find: /proc/6844/fd: Permission denied
find: /proc/6845/task/6845/fd: Permission denied
find: /proc/6845/fd: Permission denied
find: /proc/6899/task/6899/fd: Permission denied
find: /proc/6899/fd: Permission denied
find: /proc/6906/task/6906/fd: Permission denied
find: /proc/6906/fd: Permission denied
find: /proc/6912/task/6912/fd: Permission denied
find: /proc/6912/fd: Permission denied
find: /proc/7171/task/7171/fd: Permission denied
find: /proc/7171/fd: Permission denied
find: /proc/7307/task/7307/fd: Permission denied
find: /proc/7307/fd: Permission denied
find: /proc/7308/task/7308/fd: Permission denied
find: /proc/7308/fd: Permission denied
find: /proc/7309/task/7309/fd: Permission denied
find: /proc/7309/fd: Permission denied
find: /proc/7341/task/7341/fd: Permission denied
find: /proc/7341/fd: Permission denied
find: /proc/7342/task/7342/fd: Permission denied
find: /proc/7342/fd: Permission denied
/sbin/isdnctrl
find: /root: Permission denied
find: /media/floppy: No medium found
09-28-2007, 04:33 PM
#7
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Any of the mentioned binaries appear in there? I took a quick look and didn't see any but it's hard to tell with all those permission denieds. Why don't you run it as root to make it clearer?
Last edited by win32sux; 09-28-2007 at 04:36 PM.
09-29-2007, 05:00 PM
#8
Member
Registered: Oct 2005
Distribution: SUSE 11.4
Posts: 331
Original Poster
I did the command again as root like you said and I didn't see any mention of xscanimage, xsane, soffice, swriter, scalc, or simpress.