COMMAND

HP Photosmart/Deskjet Drivers bad file permissions leading to root compromise

SYSTEMS AFFECTED

current version

PROBLEM

Andreas Mueller found the following:

The Photosmart family is a line of photo quality ink jet printers which can be used standalone (they have flash card readers) or together with a computer via either USB or the parallel port. Drivers for the various Windows and Mac OS versions are available from HP's web site, the current version of the driver for Mac OS X seems to be 1.2.1. It comes as a .sit.bin file, but when expanded, it turns into a program. In Windows, you would call this a self extracting archive. We just love self extracting archives, don't we?

The installer adds a new package to the system (why the hell did they choose not to use the system's package installation mechanism?). The most important thing installed with this package is an application called hp_imaging_connectivity.app, you will find it in /Library/Printers/hp. Applications in Mac OS X are really directories containing executables, libraries and other stuff, but look at the permissions of this particular directory:

> [celia:/Library/Printers/hp] afm% ls -l
> total 0
> drwxrwxr-x 4 root admin 264 Apr 14 23:55 Utilities
> drwxrwxr-x 4 root admin 264 Jan 8 01:04 deskjet
> drwxrwxrwx 4 root admin 92 Apr 14 23:55 hp_imaging_connectivity.app
> drwxrwxr-x 6 root admin 264 Apr 14 23:55 photosmart

Somewhere deep inside the application directory, you'll find the binary:

> -rwxrwxrwx 1 root admin 1013938 Dec 6 21:37 hp_imaging_connectivity

Here comes the exercise: why does this lead to a root compromise? Here is the answer (or was that too easy?):

Well, there are actually several ways to do it. First of all, the program is started whenever someone logs into the system. If root logs into the system, well then hp_imaging_connectivity is started as root, bingo. Replace the program by your favorite root kit installation program.

But the really interesting thing is that it is not even necessary that root ever logs into the system, it's good enough if an administrator does. Every member of the group admin (and users are administrators precisely if they are members of this group) is allowed to execute any command they like as root, the /etc/sudoers file contains the line

    %admin ALL=(ALL) ALL

for this purpose. This means that a (easily) subverted hp_imaging_connectivity binary can use the netinfo commands to add a new root account, can make sure the secure shell daemon is running (it's off by default in Mac OS X), enable some of the less secure services in /etc/inetd.conf (they are all off by default) or open any other hole. Just think about all the wonderful possibilities for applets or other forms of mobile code. The scary thing is: the administrator cannot actually prevent the program from being executed, as she will have to log in as administrator to do this!

From the directory listing above we must conclude that not only the Photosmart printers are affected, but also the Deskjet series, which increases the market share for this hole considerably.

You may counter that the user will notice that the printer is not working when hp_imaging_connectivity has been subverted. Well, not really. For some reason, and I have not found out why, the printer does not work if the user who installed the driver is different from the user who tries to use it. Consequently, the printer is not working by default! So if a user wants to be sure she can print, she will have to install the printer driver anew, and she will have to be an administrator. All printer users must therefore be administrators, the root compromise is thus entirely trivial.

There are of course some other issues with HP's somewhat misguided approach: as the printer driver is an application tied to the user's desktop, it's impossible to print on the printer unless logged in on the console.
And while the printer is spitting out pages, it is impossible to log out!

My guess is that hp_imaging_connectivity was ported from a single user system without any security (like Mac OS 9 or Windows). Unfortunately, there does not seem to be a workaround other than not buying an HP ink jet printer for use with Mac OS X.

SOLUTION

Nothing yet.
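
The listing in the report shows the problem as mode bits: drwxrwxrwx on the application directory and -rwxrwxrwx on the binary. As an added example (not part of the original advisory), the shell function below reports world-writable directories and files under an install tree such as /Library/Printers/hp; the make_sample_tree helper and its "sub" directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find world-writable entries under a
# driver install tree, e.g.  audit_world_writable /Library/Printers/hp

# Prints "DIR <path>" for world-writable directories without the sticky bit
# and "FILE <path>" for world-writable regular files. Symlinks are not
# followed. Returns 0 if clean, 1 if anything was found, 2 on bad input.
audit_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # -perm -0002 matches entries whose "other write" bit is set.
        find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
        find "$root" -type f -perm -0002 -print | sed 's/^/FILE /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with the modes shown in the advisory's listing.
# "sub" is a placeholder: the page does not give the binary's nested path.
make_sample_tree() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/Utilities" "$t/deskjet" "$t/photosmart" \
             "$t/hp_imaging_connectivity.app/sub"
    : > "$t/hp_imaging_connectivity.app/sub/hp_imaging_connectivity"
    chmod 775 "$t/Utilities" "$t/deskjet" "$t/photosmart"
    chmod 755 "$t/hp_imaging_connectivity.app/sub"
    chmod 777 "$t/hp_imaging_connectivity.app" \
              "$t/hp_imaging_connectivity.app/sub/hp_imaging_connectivity"
    printf '%s\n' "$t"
}
```

Directories that are world-writable but carry the sticky bit (as /tmp does) are deliberately not reported, since other users cannot replace entries they do not own there.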