Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Sep 2012 10:21:29 +0200
From: Guido Berhoerster <guido+openwall.com@...hoerster.name>
To: oss-security@...ts.openwall.com
Subject: Vulnerabilities in Oki CUPS printer drivers


Vulnerabilities in Oki CUPS printer drivers

The following describes a security vulnerability in several Oki
CUPS drivers. While I'm not aware that these drivers are packaged
in any ditribution, they are free software (licensed under the GPL
v2 or later) and made available via the Oki website and their FTP
server so I hope this is on topic here.


Vulnerabilities in Oki CUPS printer drivers
-------------------------------------------

The CUPS filters distributed with several Oki CUPS printer drivers
for Unix/Linux create temporary files with predictable names and
uses them in an insecure way allowing arbitrary users to overwrite
or create files via symlink attack for which the unprivileged CUPS
user (usually lp) has the corresponding permissions. Furthermore,
this allows arbitrary users to send data to a printer.

"rastertookimonochrome" is a shell script that creates a temporary
file as follows:

    tmp_name="rastertookimonochrome"
    inFile="/tmp/${tmp_name}.$$"

    [...]

    ${CAT} - > ${inFile}

using only the current PID to make a unique filename which is
easily predictable and then truncates and overwrites the file
without any further safety checks. This may be exploited by a
malicious user by creating a symlink to a file in order to
overwrite or create a file as the unprivileged CUPS user.

Since the script also neither verifies the ownership of the
temporary file nor checks whether it successfully wrote to it, a
malicious user may also create correspondingly named file with
arbitrary data which then will be sent to the printer.

Similar vulnerabilities can be found in the "okijobaccounting"
script that is part of a number of other drivers.

At least the following drivers are affected:

ftp://ftp2.okidata.com/pub/drivers/linux/SFP/monochrome/desktop/B6300.tar
Timestamp: Jan 16  2011
Script: B6300/okijobaccounting

ftp://ftp2.okidata.com/pub/drivers/linux/SFP/monochrome/desktop/B6500.tar
Timestamp: Jan 16  2011)
Script: B6500/okijobaccounting

ftp://ftp2.okidata.com/pub/drivers/linux/SFP/monochrome/desktop/B700.tar
Timestamp: Jan 16  2011
Script: B700/okijobaccounting

ftp://ftp2.okidata.com/pub/drivers/linux/SFP/monochrome/desktop/B930.tar
Timestamp: Jan 16  2011
Script: B930/okijobaccounting

ftp://ftp2.okidata.com/pub/drivers/linux/SFP/monochrome/desktop/OK2200PCLv2.tar.gz
Timestamp: Mar  2  2011
Script: B2200/rastertookimonochrome

ftp://ftp2.okidata.com/pub/drivers/linux/SFP/monochrome/desktop/OK400PCLv3.tar.gz
Timestamp: Mar  2  2011
Script: B400/rastertookimonochrome

This issue was initially reported to the vendor on August 21st,
2012.


Possible Fixes
--------------

In the scripts I have examined it was not necessary at all to even
create a temporary file. The code in "rastertookimonochrome" e.g.
looks as follows:

----8<----

tmp_name="rastertookimonochrome"
inFile="/tmp/${tmp_name}.$$"

${CAT} - > ${inFile}

# ...

${ECHO} ${UEL}
${ECHO} ${OKIJOB_ACCT}
${ECHO} ${manual_feed}
${ECHO} ${PAPER}
${ECHO} ${RDYMSG}

# ...

${CAT} ${inFile} | ${RASTERTOHP} "${1}" "${2}" "${3}" "${4}" "${5}" 2>/dev/null

---->8----

The script can be restructured as follows:

----8<----


{
    ${ECHO} ${UEL}
    ${ECHO} ${OKIJOB_ACCT}
    ${ECHO} ${manual_feed}
    ${ECHO} ${PAPER}
    ${ECHO} ${RDYMSG}

    # ...

    ${CAT} -
} | ${RASTERTOHP} "${1}" "${2}" "${3}" "${4}" "${5}" 2>/dev/null

This obviates the need to create a temporary file altogether and
thus also bypasses the security problems associated with it.

Moreover, in case a temporary file is necessary, CUPS exports the
environment variable TMPDIR before executing the filter which
points to a directory for temporary files which has stricter
permissions than /tmp, e.g. on my openSUSE system it is set to

drwxrwx--T 2 root lp 4096 25. Apr 10:52 /var/spool/cups/tmp

Since this is only writable by the CUPS users' group (and root)
symlink attacks and the injection of data become impossible as
long as the temporary file is created with sufficiently strict
permissions. This is documented at
http://www.cups.org/documentation.php/api-filter.html#TEMPFILES

-- 
Guido Berhoerster

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.