Old July 14th, 2007   #1
poupoul2
First Cup of Ubuntu
 
Join Date: Mar 2007
Beans: 2
Samsung drivers changing system rights

Hi all.

Just to inform you about a recent post on the French Ubuntu forum about Samsung drivers (sorry, in French). It appears that Samsung unified drivers change rights on some parts of the system: after installing the drivers, applications may launch using root rights, without asking for any password.

What is more, you may be able to kill your system, by deleting system components, generally modifiable only by using sudo.

The dangerous drivers are here

I am not a Samsung device user, but I assume some of you are. Sorry if the news has already spread here.

EDIT: The hack part of the drivers
Code:
wrap_setuid_third_party_application xsane
wrap_setuid_third_party_application xscanimage

wrap_setuid_ooo_application soffice
wrap_setuid_ooo_application swriter
wrap_setuid_ooo_application simpress
wrap_setuid_ooo_application scalc
and
Code:
wrap_setuid_third_party_application() {
        if echo "$1" | grep -q "/" ; then
                APP_NAME=$1
        else
                APP_NAME=`which $1 2> /dev/null`
        fi
        NEW_NAME=${APP_NAME}.bin

        if test -n "$APP_NAME" ; then
                if ! test -f "$NEW_NAME" && ! test -d "$NEW_NAME"; then
                        mv "$APP_NAME" "$NEW_NAME"
                        cp -af /opt/${VENDOR}/mfp/bin/suwrap "$APP_NAME"
                        chown root:root "$APP_NAME"
                        chmod 4755 "$APP_NAME"
                fi
        fi
}

wrap_setuid_ooo_application() {
        WRAPPING_BIN=`ls /usr/lib*/*/program/$1.bin /opt/*/program/$1.bin 2> /dev/null | head -1`
        if test -n "$WRAPPING_BIN" ; then
                ${2}wrap_setuid_third_party_application $WRAPPING_BIN
        fi
}
Those sections should be commented out

And give to /etc root privileges
Code:
sudo chown root -R /etc

Last edited by poupoul2; July 14th, 2007 at 12:04 PM..
poupoul2 is offline  
Old July 14th, 2007   #2
hyg53
5 Cups of Ubuntu
 
hyg53's Avatar
 
Join Date: Sep 2005
Beans: 19
Re: Samsung drivers changing rights

I really would like to know the name of the guy responsible for this hack...
__________________
no signature, thanks!
hyg53 is offline  
Old July 14th, 2007   #3
poupoul2
First Cup of Ubuntu
 
Join Date: Mar 2007
Beans: 2
Re: Samsung drivers changing rights

I just sent an email to Samsung to inform them about this problem and ask for an urgent fix.

Last edited by poupoul2; July 14th, 2007 at 10:15 AM..
poupoul2 is offline  
Old July 17th, 2007   #4
shyster.
First Cup of Ubuntu
 
Join Date: Apr 2006
Beans: 10
Re: Samsung drivers changing rights

This is great "/. So now that I've installed this POS driver, how do I reverse the changes that it's made? I've made /etc/ belong to root as it should, but I have no idea what to do to fix the other applications. If anyone has a solution that would be great.

EDIT: I've also now uninstalled the unified driver, but it doesn't seem to help.

EDIT 2: Actually I looked over the code in the uninstall script and it seems to unwrap the applications- whatever that means. As follows:

Quote:
check_related_packages
if [ "$TOTAL_RELATED_PACKAGES_INSTALLED" = "1" ]; then
# The last from the group of related packages. Remove common files.
unwrap_setuid_third_party_application xsane
unwrap_setuid_third_party_application xscanimage

wrap_setuid_ooo_application soffice un
wrap_setuid_ooo_application swriter un
wrap_setuid_ooo_application simpress un
wrap_setuid_ooo_application scalc un

uninstall_common_files
However, I'm not sure if this completely reverses the changes made in the first place.

Last edited by shyster.; July 17th, 2007 at 04:22 PM.. Reason: New Information
shyster. is offline  
Old July 18th, 2007   #5
tweedledee
Quad Shot of Ubuntu
 
Join Date: Dec 2006
Beans: 449
Re: Samsung drivers changing rights

This is hardly news. My guide to installing the driver from 7 months ago makes note of this (http://ubuntuforums.org/showthread.php?t=341621). Simply reading the code for the installer is also highly misleading: the installer does not (at least in most cases) actually set anything other than xsane (not openoffice or xscanimage - the latter isn't even on my system, though). Perhaps they intend to, or it is left over from something older, but this is overblown.

Don't get me wrong - I still think this is a problem that needs to be fixed. It's just not as bad as being claimed, especially over on slashdot, where there are many comments by people who have no idea what they are talking about.

As for WHY: the Samsung multifunction printers apparently require some sort of root access for scanning, hence xsane being set to run as root. They should fix their driver to avoid this, but that's what's causing it. If you are just installing a printer, you can follow my guide and undo this change with no harm.

I'm not clear on why /etc (and /usr, /etc/sane.d/, /usr/lib/, /usr/lib/sane/, and various others) are being set to the user instead of root; I'm modifying my original install script to reset all of this as well, but the files within those directories are all still root, so from a security standpoint this isn't actually that big a deal.
tweedledee is offline  
Old July 18th, 2007   #6
mwarfield
First Cup of Ubuntu
 
Join Date: Jul 2007
Beans: 1
Re: Samsung drivers changing rights

Excuse me?

"but the files within those directories are all still root, so from a security standpoint this isn't actually that big a deal."...

User...

cd /etc
mv shadow shadow-
cp ~/my-shadow shadow
chmod 400 shadow
su
mv shadow- shadow

Or maybe modify your group membership to include wheel or bin or disk or kmem and go after other files/devices with that group in common. etc etc etc...

QED

A user that owns the directory may rename or remove files in that directory and then may create their own (unless the directory permissions are "sticky", like /tmp). Yes, this is a very big deal security wise.

The original complainant was also noting that their OpenOffice files were owned by root, so, yes, OpenOffice was running as root. IOW, the security integrity of the entire machine is locally compromised. How is that overblown?

Samsung has acknowledged the problem and is reportedly working on a fix.

How is it that this was known 7 months ago and was NOT reported as a serious security hole?
mwarfield is offline  
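
An added example (not from the thread or from Samsung's installer): a read-only audit for the two changes discussed above, the setuid wrappers from posts #1 and #4 and the directory ownership problem from posts #5 and #6. The function names, the scan roots and the `--scan` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Samsung installer). Scan roots and the
# expected owner uid are assumptions; adjust for the system being checked.

# Print each setuid file under the given roots that has a sibling
# "<name>.bin": the layout wrap_setuid_third_party_application leaves
# behind (original moved to NAME.bin, setuid wrapper copied to NAME).
find_setuid_wrappers() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f -perm -4000 2>/dev/null |
        while IFS= read -r f; do
            if [ -f "$f.bin" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Print each given directory that is not owned by EXPECTED_UID, or that is
# world-writable without the sticky bit. In both cases a non-root user can
# rename or replace entries in it regardless of the files' own modes.
find_unsafe_dirs() {
    expected_uid=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -prune \
            \( ! -user "$expected_uid" -o \( -perm -0002 ! -perm -1000 \) \) \
            -print
    done
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    echo "setuid wrappers with a .bin sibling:"
    find_setuid_wrappers /usr/bin /usr/lib* /opt
    echo "directories with unexpected owner or unsafe mode:"
    find_unsafe_dirs 0 /etc /etc/sane.d /usr /usr/lib /usr/lib/sane
fi
```

Run it with `--scan`; it only reads file metadata and changes nothing on disk.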
Old July 18th, 2007   #7
Silver Surfer
First Cup of Ubuntu
 
Silver Surfer's Avatar
 
Join Date: Oct 2005
Location: Irvine, CA
My beans are hidden!
Ubuntu 7.04 Feisty Fawn
Re: Samsung drivers changing rights

I was wondering why xsane was suddenly giving me the "You try to run XSane as ROOT, that really is DANGEROUS" window when trying to scan things. Now I know why. Didn't use to do that until I installed my CLP-510 printer. Wonder why a company like Samsung would do something that irresponsible.
__________________
Play Awakened Lands. Fun crime for everyone!

Last edited by Silver Surfer; July 18th, 2007 at 01:06 PM.. Reason: Spelling
Silver Surfer is offline  
Old July 19th, 2007   #8
tweedledee
Quad Shot of Ubuntu
 
Join Date: Dec 2006
Beans: 449
Re: Samsung drivers changing rights

Quote:
Originally Posted by mwarfield View Post
Excuse me?

"but the files within those directories are all still root, so from a security standpoint this isn't actually that big a deal."...

User...

cd /etc
mv shadow shadow-
cp ~/my-shadow shadow
chmod 400 shadow
su
mv shadow- shadow

Or maybe modify your group membership to include wheel or bin or disk or kmem and go after other files/devices with that group in common. etc etc etc...

QED

A user that owns the directory may rename or remove files in that directory and then may create their own (unless the directory permissions are "sticky", like /tmp). Yes, this is a very big deal security wise.
This actually illustrates a universal problem with Linux permissions: directory permissions override file permissions (i.e., if I own the directory, I can delete files that I do not own within that directory). Certainly Samsung exposes this problem, but it's more fundamental than that. SELinux addresses this problem somewhat, but isn't running in Ubuntu by default.

Quote:
The original complainant was also noting that their OpenOffice files were owned by root, so, yes, OpenOffice was running as root. IOW, the security integrity of the entire machine is locally compromised. How is that overblown?
There must be some locale issues, then - perhaps OO is set to run as root in French, but not in my system, or various others I've checked.

Quote:
Samsung has acknowledged the problem and is reportedly working on a fix.

How is it that this was known 7 months ago and was NOT reported as a serious security hole?
Actually, this WAS reported, multiple times. Samsung doesn't care, despite anything they publicly post. (Do you really think the developers didn't know what they were doing?) And the response I got from the Linux community boiled down to "it's closed source, just don't use it," even though the major problem is that one SUID command can have extensive repercussions, which is really a problem with Linux permissions design (to which the typical response is "don't use SUID").
tweedledee is offline  
Old July 19th, 2007   #9
margaf77
5 Cups of Ubuntu
 
Join Date: Jun 2007
Beans: 41
Re: Samsung drivers changing rights

So how do I uninstall the Samsung driver?
margaf77 is offline  
Old July 19th, 2007   #10
shyster.
First Cup of Ubuntu
 
Join Date: Apr 2006
Beans: 10
Re: Samsung drivers changing rights

Quote:
Originally Posted by margaf77 View Post
So how do I uninstall the Samsung driver?
There's an uninstall script in the tar that you can execute- run it just as you did using the install script and you should be good to go!
shyster. is offline  
 
