Major Security Hole In Samsung Linux Drivers

GerbilSoft writes with news of a major security hole in Samsung's proprietary Linux printer drivers. From the Ubuntu Forums: "Just to inform you about a recent post on the French Ubuntu forum about Samsung drivers (sorry, in French). [Google translation here.] It appears that Samsung unified drivers change rights on some parts of the system: After installing the drivers, applications may launch using root rights, without asking any password. What is more, you may be able to kill your system, by deleting system components, generally modifiable only by using sudo." GerbilSoft adds: "Among the programs that it sets as setuid-root are OpenOffice, xsane, and xscanimage."

Re:How come an app can do that?

[Xiph]

It's a driver installation, so the ordinary user doesn't/can't do it.

However, it's a proprietary driver, that you need to install to use the printer, so if that's the printer you have people install it, expecting it not to create security holes.
This might have been discovered earlier, if it weren't for the closedness of the source.

My guess is that it happened due to a coder writing the driver so, it requires root to use it.
Then trying to guess which programs requires the driver, then setting those to run as root. Silly, but easy to do.

Sounds like it was done without peer review, so i guess they only have one guy writing their linux drivers..
So why is it proprietary? well some places printers are encouraged(required) by law (enforcement) to leave secret and invisible watermarks.
If it isn't done in the printer, it's done in the driver, if it's open, it'll be removed.

Re:suid is evil!

[nagora]

Once more boys and girls, say it with me now, SUID IS EVIL! :-)

SUID does not have to set id to root; my printing scripts are all setuid to "lp"; my mail servers are suid to "mail". This is a good thing.

TWW

It come out...

[dmayle]

For those who can't read French, the Ubuntu forum is just a posting of a link to another forum where it was noticed. The posting, along with the interesting source can be found at http://linuxfr.org/forums/15/22562.html The interesting parts are:

wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage

wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc

The script copies the affected application's executable to one with a .bin extension, and replaces it with an suid wrapper script. This is undoable, but god, what a mess!

Okay, I couldn't overcome the lameness filter, go to the source to see for yourselves...

Re:Flawed Design...

[morgan_greywolf]

I'm going to reply to your post backwards, but you'll see why.

Unix security if just flawed and the flaw is called "root".

There is a fix for this flaw. It's called 'groups.'

Only when the little bugger of an hotplug-manager changes the user id for the scanner device to the logged on user. Which still only gives one user access to the scanner. Have my Wife remote logged in and only one of us can use the scanner.

This is distro-dependant. On Ubuntu, scanner access is controlled by groups. Want a user to be able to scan? You add them to the scanner group. You want someone to have access to burn CDs/DVDs? You add them to the cdrom group. If the scanner device is owned by any user, and owned by the group scanner, the permissions on the scanning device are set to group read/write, and both you and your wife are in the scanner group, then you both have access to the scanner. Try it yourself. Problem solved.

BTW--with SANE, the best way to have two people access the same scanner is via the saned network sharing mechanism, which allows other systems using xsane (or other sane front-end) to access the scanner over the network without having to remote login.

Blown out of proportion?

[Jerry]

Here is a posting to the Ubuntu forum that is SEVEN MONTHS old and refers to postings A YEAR OLD!

Printer drivers need to be installed with world execute permissions so that all users on the system can access the printer. The Samsung hacker's method of doing this, converting them to 4755 bin files and setting the original name as a link to the bin files, is one way of doing that -- IF his "unwrap" function had worked properly. That's the bug. Listed in the posting are files whose permissions need to be modified after the driver is installed.

#1
Old January 18th, 2007
tweedledee tweedledee is online now
Way Too Much Ubuntu

Join Date: Dec 2006
Beans: 252
Ubuntu 7.04 Feisty Fawn User
HOWTO Install Samsung Unified Printer Driver
I had a fair amount of trouble initially getting my Samsung printer installed completely, but I finally have it all done, so here's a mini-guide for those who might benefit.

NOTE: for the last few months, the Samsung website has been utilizing some buggy Flash code that will crash many (all?) Linux browsers that have Flash installed - hopefully they will fix this soon, but they don't seem in any hurry. Either use a secondary browser that does not have the Flash plugin installed (e.g., if you mainly use Firefox, you could use Epiphany (Gnome) or Konqueror (KDE)) or download the drivers via another computer/OS. Alternatively, again if you use Firefox, you can install the "flashblock" extension, usually this prevents the crash (and is useful for many of the other websites that have been appearing recently causing the same behavior, although it's not 100% successful).

EDIT: The newest (as of this writing) driver from Samsung (20070324...) appears to solve some of the mfp/xsane issues, but also appears to missing a couple of library files. See post #23 for details. Also see posts #27-29 for details on ...plc errors and solutions.
Post #35 suggets the 200704.... drivers have resolved this issue, so this may now be irrelevant.

First, a disclaimer: much of the information I used came from this thread: http://www.ubuntuforums.org/showthread.php?t=28774 7. Another good source of information is http://www.linuxprinting.org./ Finally, I did this using the 20060719... and 20070125.... drivers; newer (or older) drivers may require some tweaks. Also, especially if you have a monochrome, non-duplexing, non-multifunction printer, you very well may have success with a generic post-script printer as a driver, without having to install the Samsung drivers. Also note that for my printer, pretty much all functions except duplex control worked even if I skipped steps 2-4 below (i.e., don't install the driver, only the relevant .ppd file) - which also has the advantage of not needing to fix xsane (additional step 2).

This works for my CLP-550; similar steps seem to work for other Samsung printers not supported out-of-the-box with the drivers available in a fresh Ubuntu install. This is NOT a multi-function, multi-functions may require additional steps (but are discussed in other threads, a quick search should bring them up). Posts below from other users have reported sucess (sometimes with a couple of small modifications) with: ML-2510 (# 5, 14, 16, 26), ML-2510/XEU (# 18 ), ML-2571n (# 12), SCX-4200 (# 10), SCX-4521F (# 11), CLP-300 (# 35).

1. Download and untar the driver from Samsung's website; for this example I will assume you untar it to ~.
2. Open a terminal and navigate to ~/cdroot/Linux. I had to "chmod +w install.sh" to give write permissions, but that may be unusual. Edit install.sh as follows:
a: change the first line from "#! /bin/sh" to "#! /bin/bash" (without the quotes)
b (possibly not needed): change the line that includes "guiinstall.bin" (search for it, it's around line 1277) to eliminate the ".bin" (i.e