Major Security Hole In Samsung Linux Drivers
GerbilSoft writes with news of a major security hole in Samsung's proprietary Linux printer drivers. From the Ubuntu Forums: "Just to inform you about a recent post on the French Ubuntu forum about Samsung drivers (sorry, in French). [Google translation here.] It appears that Samsung unified drivers change rights on some parts of the system: After installing the drivers, applications may launch using root rights, without asking any password. What is more, you may be able to kill your system, by deleting system components, generally modifiable only by using sudo." GerbilSoft adds: "Among the programs that it sets as setuid-root are OpenOffice, xsane, and xscanimage."
This sounds like a cheap hack. There is no need for these things to be setuid root, not on the program level. Sounds like someone is used to programming Windows drivers...
I'm tempted to infer something sinister about this, but then I remember the old adage "never attribute to malice what can be explained by stupidity." It keeps your blood pressure nice and low.
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
If I'm not mistaken, this is how Windows got as bad as it is.
This particular incident cannot be protested enough. If this sort of thing becomes common, End-user Linux will become as corrupted as Windows.
Nothing but the programs that absolutely have to should be run as root.
Is there an English (not some auto-translated forum) site covering this? I think it's talking about this suid-run printer driver?
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
A big "Thank You!" to Samsung for demonstrating that proprietary code is inherently less secure than open source, if only because you can (could) get away with insecure code.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
What were they trying to do that made them think OpenOffice needs to be setuid:root?
Windows ME(tm)(r) Security(tm)(r)(c)(*) now available on Linux, brought to you by Samsung(tm)(r)
I find it very disappointing anyway that anything you install on ubuntu is installed as root (at least that is the default way of doing it). Wouldn't it be übercool to be able to install applications as the local user, and drivers maybe as the "driver" user? I still think The Zero Install system is a nice and secure way to install software, and maybe one day we can extend this to install drivers as well, so that root access will almost never be required (a bit like Plan 9, or what SE Linux is trying to do).
I just don't trust anything that bleeds for five days and doesn't die.
It's a driver installation, so the ordinary user doesn't/can't do it.
However, it's a proprietary driver, that you need to install to use the printer, so if that's the printer you have people install it, expecting it not to create security holes.
This might have been discovered earlier, if it weren't for the closedness of the source.
My guess is that it happened due to a coder writing the driver so that it requires root to use it.
Then trying to guess which programs require the driver, then setting those to run as root. Silly, but easy to do.
Sounds like it was done without peer review, so I guess they only have one guy writing their Linux drivers...
So why is it proprietary? Well, in some places printers are encouraged (required) by law (enforcement) to leave secret and invisible watermarks.
If it isn't done in the printer, it's done in the driver, and if it's open, it'll be removed.
Blah blah sig blah blah blah irony blah blah
An app running as root can do anything it wants - and installers normally do run as root. The same problem exists on every OS: the administrator and the programs he runs can do retarded things.
The question I want to ask is why there is a driver developer working for Samsung who is able to understand the function of the setuid bit but not the security implications of using it. It seems that there is a very special type of stupidity involved here, along with some extremely thoughtless design. Samsung is taking a big risk employing morons like that.
If the guy can't understand the security implications of the setuid bit, which are well documented and not that complex, he should not be writing software.
This might have been discovered earlier, if it weren't for the closedness of the source.
Really? It could not have been detected by noticing that OpenOffice is not SetUID? I believe there is even a package for Linux that monitors binaries in /bin, /usr, etc. and notifies you immediately if permissions have changed for anything. I know such a package was available for RedHat when I was using that. That could not have detected this sooner?
Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.
For those who can't read French, the Ubuntu forum is just a posting of a link to another forum where it was noticed. The posting, along with the interesting source can be found at http://linuxfr.org/forums/15/22562.html The interesting parts are:
The script copies the affected application's executable to one with a .bin extension, and replaces it with an suid wrapper script. This is undoable, but god, what a mess!
Okay, I couldn't overcome the lameness filter, go to the source to see for yourselves...
Stop with your lame "thousand eyes" theory. Apparently those thousand eyes couldn't see a permissions change on their own systems.
But it's been seen. Is that then proof of the thousand eyes theory?
(you fucking idiot)
No user is going to be able to install such a dangerous "driver" without root access in the first place -- anyone can build a program, intentionally or accidentally, that compromises a system when run/installed as root.
Yes, but when you install a driver, you normally assume that it's not going to make your system insecure. Why should it? Only a very badly designed driver would deliberately break your system security.
Sometimes drivers do accidentally introduce security problems. The Nvidia drivers for X have done this in the past, for example. In those cases, it's not bad design, it's an oversight of some sort, like a buffer overflow.
But this is not an oversight. A deliberate design decision has been made to break the Linux security model. A very special type of stupidity is involved: one that includes an understanding of the effects of the setuid bit, but excludes an understanding of the security implications.
Samsung should investigate this fully - who knows what other retarded decisions have been made by these guys?
wrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc
And the content of the function for suid-making functions etc. So I have to disagree with you there.
I also agree with you though that linux distros should be automatically building in some sort of tripwire type setup to protect important system segments from scripts that are like this.
Only when the little bugger of a hotplug manager changes the user id for the scanner device to the logged-on user. Which still only gives one user access to the scanner. I have my wife remote logged in and only one of us can use the scanner.
Unix security is just flawed and the flaw is called "root".
Martin
In all seriousness, I would like to know the business case for not open sourcing these drivers. It seems to me they have everything to gain and nothing to lose. I can't imagine there's any significant technological secrets contained in the drivers themselves. The value they are selling is in the physical printers, and the drivers are just there to make the printers useful.
Why not open the drivers to a free process that will almost certainly improve them, and at the same time improve the company's image in the Linux community?
That's quite the misinterpretation of the name Unix. It really was just a joke: "Unix is one of whatever Multics is many of". It doesn't have anything to do with whether the system is multi-user or not. Unix is most definitely a multi-user system. The old style permissions are definitely becoming a problem, but there are solutions such as ACLs, SELinux and beyond. They have just yet to be used in any great degree on the desktop Linuxes. Perhaps incidents like this will push Linux distributors to start using these technologies. BTW, for your little problem, just make sure you are in the disk group and everything will work. That's the whole point of why it is set that way...so that only users who are in that group can access the device (or root), and users outside of the group can't. Admittedly, it probably shouldn't be disk. That's a udev problem, but that can be fixed in a config file, which sets permissions and ownership for device nodes.
After I installed the unified drivers for my Samsung printer/scanner, I had the unwelcome surprise of discovering that OpenOffice now opens as root, and not only that but did not ask for my password!
As a result, all documents I created were saved in the
I attempted to re-install
The beast (the problem) is occurring under Ubuntu 7.04 under Gnome.
Thank you.
Hello,
After installing Samsung's unified drivers to manage my printer/scanner, I had the very unpleasant surprise of finding that the OpenOffice suite was opening as root, and this without my being asked for any password at all!!!
As a result, the documents I create are saved in the folder
Just in case, I reset the
The beast is under Ubuntu 7.04 and Gnome. While waiting for your help, I'm searching and trying to resist the darkest despair!
Thanks
The proprietary driver fiasco has gone on far too long. It's time to stand up and say Enough Already!
Let's all get writing to our elected representatives and demand that hardware manufacturers be obliged, by law, to provide detailed specifications which would enable a sufficiently-competent programmer to write a driver program enabling any of the features of their product to be used on any sufficiently-capable computer.
Failure to do this places the rightful owners of hardware at a disadvantage. They can only use it in conjunction with certain Operating Systems. They are restricted to using it as the manufacturer thought fit. If a driver has a programming flaw, the user's computer can be compromised. If the Operating System is updated in such a way as the driver no longer works, the user is at the mercy of the manufacturer to release a new version of the driver -- or else the hardware is unusable (or at best, usable only through a bodge involving multi-booting: at the boot prompt, type linux to be able to use the Internet, or linuxOLD to be able to print).
It's unfortunate, but this measure really needs to be brought in through legislation, because manufacturers will not do it voluntarily. There are two reasons: (1) they are paranoid of competitors {despite the fact that their competitors are busy reverse-engineering their products in secret while they reverse-engineer the competitors' products} and (2) they habitually lie through their back teeth in their advertising literature about the capabilities of their hardware, and such lies would be exposed with disclosure (e.g. a camera with a 2 megapixel image sensor, spitting out JPEG images interpolated up to 6 megapixels).
Je fume. Tu fumes. Nous fûmes!
I deal with this kind of crap in embedded Linux installs daily. Managers and marketoids want to do all sorts of insanely stupid things under the guise of "making it easy for the customer to configure the device within a maximum of 5 minutes with no technical knowledge", etc.
In the meantime the fallout from all the insane things that "need" to be done is gaping security holes all over the place and a bunch of manager types saying 'but it doesn't matter, nobody will ever want to hack us'.
For the record I used to work for a company which built Internet-accessible security products. Whenever there was a breach it was always my fault even though I told them that enabling a particular service to the greater world was risky and would require constant attention by a qualified Linux admin and also require a regular mandatory update schedule and code reviews to continue some level of security. They never wanted to do the regular updates or code reviews because it was so costly and updates inconvenience the customer (I'm sure less than a r00ted box, but explain that to marketoids).
Suffice to say I quit that job and am starting another with a company that actually cares about security over customer friendliness (and cares about their employees at least as much as their profit margin).
I drink to make other people interesting!
Printer drivers need to be installed with world execute permissions so that all users on the system can access the printer. The Samsung hacker's method of doing this, converting them to 4755 bin files and setting the original name as a link to the bin files, is one way of doing that -- IF his "unwrap" function had worked properly. That's the bug. Listed in the posting are files whose permissions need to be modified after the driver is installed.
Running with Linux for over 20 years!
I have a Samsung ML-2251N printer and the installer also replaces the standard lpr command by symlinking it to a script called slpr, which brings up a windows-like print GUI when you try to print things. This is highly annoying as it doesn't behave exactly like lpr and requires a GUI. It may also be SUID as well.
You can remove all of the SUID crap and point /usr/bin/lpr back to the right place. The proprietary driver still works and is much more secure. It prints faster with the Samsung driver than with the open source PCL driver. One day I might add true PostScript capabilities to it to try to work around both issues.
Keep in mind that the printer driver's control panel and other stuff that Samsung installs is also SUID. The SUID garbage happens even when installing a regular printer without the scanning capabilities.
I like that they at least tried to write a Linux driver, which is many steps further than a lot of companies, but it does need to stop stomping all over the system like a Windows application would.
The bug is that the driver actually tries to UN-suid the applications:
unwrap_setuid_third_party_application xsane
unwrap_setuid_third_party_application xscanimage
wrap_setuid_ooo_application soffice un
wrap_setuid_ooo_application swriter un
wrap_setuid_ooo_application simpress un
wrap_setuid_ooo_application scalc un
But they screwed up the oo unwrap part. The "un" should be BEFORE the "wrap" on those lines. It suids the apps temporarily, and improperly un-suids them.
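The wrapper layout described in this comment and in the "4755 bin files" comment above, as an added example that is not the thread's or Samsung's code: it rebuilds that layout in a scratch directory owned by the current user (so the setuid bit is inert), then runs the audit a tripwire-style permissions check would perform and the clean-up that moves each .bin back into place. The app names, wrapper contents and function names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the "app -> app.bin (4755) + wrapper script" layout in a
# scratch directory, audit it for setuid files, and undo the wrapping.
set -eu

# Construct a scratch "bin" directory (constructed sample data, not a real install).
# Files are owned by the current user, so the setuid bit is harmless here, but
# find(1) and the audit below see exactly what they would see under /usr/bin.
make_broken_install() {
    dir="$1"
    for app in soffice xscanimage; do
        printf '#!/bin/sh\necho real %s\n' "$app" > "$dir/$app"
        chmod 755 "$dir/$app"
    done
    # Wrap soffice the way the thread describes; leave xscanimage untouched.
    mv "$dir/soffice" "$dir/soffice.bin"
    chmod 4755 "$dir/soffice.bin"
    printf '#!/bin/sh\nexec "%s/soffice.bin" "$@"\n' "$dir" > "$dir/soffice"
    chmod 755 "$dir/soffice"
}

# List every setuid file under a tree: the check a permissions monitor would run.
find_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# Identify the wrapper pattern: NAME exists and NAME.bin sits beside it with setuid set.
find_wrappers() {
    for bin in "$1"/*.bin; do
        [ -f "$bin" ] || continue
        name="${bin%.bin}"
        if [ -f "$name" ] && [ -u "$bin" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Undo one wrapper: drop the setuid bit, then move the original executable back.
unwrap() {
    chmod u-s "$1.bin"
    mv -f "$1.bin" "$1"
}

# Number of setuid files left under a tree (should be 0 after clean-up).
count_setuid() {
    find_setuid "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on a fresh scratch directory, cleaned up afterwards.
demo_dir=$(mktemp -d)
make_broken_install "$demo_dir"
echo "setuid files before:"; find_setuid "$demo_dir"
for w in $(find_wrappers "$demo_dir"); do unwrap "$w"; done
echo "setuid files after: $(count_setuid "$demo_dir")"
rm -rf "$demo_dir"
```

On a real system the same audit would be run over /usr/bin and /usr/lib with root, and any wrapper found should be compared against the package manager's file list before being undone.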
This was an intentional attempt to create a backdoor.
So when this same type of thing happens in Windows it's that Windows coders are inept but when the same happens in Linux it's because of a conspiracy? Please.
The Linux community better be damn well ready for when this becomes commonplace as more people use Linux. I don't expect it as much from real vendors but it's going to happen more from the likes of amateur coders and malware producers.
Too many have fallen prey to the myth that Linux isn't going to have some of the same issues that Windows has with these areas in software. This incident alone shows that Linux will not be immune to those who don't care enough, don't know enough or are willing enough to sacrifice system security for whatever reasons.
Dedicated Cthulhu Cultist since 4523 BC.
It suids the apps temporarily, and improperly un-suids them.
OK, I read this message, and I can't understand why on earth any software would need to, even temporarily, set the setuid bit on anyone else's software. What's the purpose of this action?
I wouldn't be too surprised if something like this was a management decision to start with. Someone figured out they'd save some money on tech support calls, for example, if the users don't have to keep calling with stuff like "why does this ask for a password when I want to change the printer?" and "does your driver have a virus? my grandson said I should beware stuff that asks for a password" (for bonus points: "... and he didn't tell me the password anyway. Can I still use the printer?") and the like. Don't underestimate the kind of dumb decisions that get taken in the name of cost cutting.
And that includes the fact that it probably wasn't a programmer/architect that made the installer anyway. The drive for cost cutting includes the idea of giving each job to the lowest wage monkey who can possibly do it. So it's not entirely unheard of to offload to the cheapest interns or even to underused non-technical members of the team stuff like making an installer or writing the test cases.
In which case probably some under-paid and under-skilled monkey got the honour of figuring out how to install that stuff in Linux. These aren't typically the kind of guys you'd ask to do a security analysis and design, and they're not given ample time and funds for research either. So he'll google if he has a problem (like how to make some nice config dialog modify a file that was installed as writable by root only), and take the first thing that sorta looks like a solution.
Plus a few other such fun ways to fuck up in the name of keeping the costs down.
Mind you, I'm not saying this has to be what happened at Samsung. Just saying that I've seen that and worse happening in other places, so I wouldn't be too surprised.
A polar bear is a cartesian bear after a coordinate transform.