Bugtraq mailing list archives

Vulnerability in HP Photosmart/Deskjet Drivers for Mac OS X (root compromise)


From: Dr Andreas F Muller <afm () othello ch>
Date: Mon, 15 Apr 2002 01:39:14 +0200

Hello everyone,

after some frustration with the HP Photosmart printer driver not
being as smart as the name suggests and HP support not as
supportive as I would wish about the issues raised below, I've
decided to bring the following multiple security vulnerabilities
of the HP Photosmart/Deskjet printer drivers for Mac OS X to the
list's attention.

The Photosmart family is a line of photo quality ink jet printers
which can be used standalone (they have flash card readers) or
together with a computer via either USB or the parallel port.
Drivers for the various Windows and Mac OS versions are available
from HP's web site; the current version of the driver for Mac OS
X seems to be 1.2.1. It comes as a .sit.bin file, but when
expanded, it turns into a program. In Windows, you would call this
a self extracting archive. We just love self extracting archives,
don't we?

The installer adds a new package to the system (why the hell did
they choose not to use the system's package installation
mechanism?). The most important thing installed with this package
is an application called hp_imaging_connectivity.app; you will
find it in /Library/Printers/hp. Applications in Mac OS X are
really directories containing executables, libraries and other
stuff, but look at the permissions of this particular directory:

 [celia:/Library/Printers/hp] afm% ls -l
 total 0
 drwxrwxr-x  4 root  admin  264 Apr 14 23:55 Utilities
 drwxrwxr-x  4 root  admin  264 Jan  8 01:04 deskjet
 drwxrwxrwx  4 root  admin   92 Apr 14 23:55 hp_imaging_connectivity.app
 drwxrwxr-x  6 root  admin  264 Apr 14 23:55 photosmart

Somewhere deep inside the application directory, you'll find the
binary:

 -rwxrwxrwx  1 root  admin  1013938 Dec  6 21:37 hp_imaging_connectivity

Here comes the exercise: why does this lead to a root compromise?

Here is the answer (or was that too easy?):

    Well, there are actually several ways to do it. First of all,
    the program is started whenever someone logs into the system.
    If root logs into the system, well then hp_imaging_connectivity
    is started as root, bingo. Replace the program by your favorite
    root kit installation program.

    But the really interesting thing is that it is not even
    necessary that root ever logs into the system; it's good
    enough if an administrator does. Every member of the group
    admin (and users are administrators precisely if they are
    members of this group) is allowed to execute any command
    they like as root; the /etc/sudoers file contains the line

        %admin ALL=(ALL) ALL

    for this purpose. This means that an (easily) subverted
    hp_imaging_connectivity binary can use the netinfo commands to
    add a new root account, can make sure the secure shell daemon
    is running (it's off by default in Mac OS X), enable some of
    the less secure services in /etc/inetd.conf (they are all off
    by default) or open any other hole. Just think about all the
    wonderful possibilities for applets or other forms of mobile
    code. The scary thing is: the administrator cannot actually
    prevent the program from being executed, as she will have to
    log in as administrator to do this!
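As an added example (not part of the original post), the following POSIX shell audit finds world-writable directories and world-writable executables like the ones in the listing above under a driver tree such as /Library/Printers/hp, and strips the other-write bit. The fixture directory it builds is constructed here to mirror the reported layout; the real path and owner (root:admin) come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a driver tree (e.g.
# /Library/Printers/hp) for world-writable directories and executables
# and strip the other-write bit. Only octal -perm tests are used so it
# runs on both BSD (Mac OS X) and GNU find.

# List world-writable directories and world-writable, world-executable
# files below $1. -perm -002 = others may write, -perm -001 = others may
# execute; a file is reported only when both bits are set.
find_world_writable() {
    find "$1" \( -type d -o \( -type f -perm -001 \) \) -perm -002 \
        -print 2>/dev/null | sort
}

# Number of offending entries, so a caller can alert on anything > 0.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: remove only the other-write bit; owner, group and execute
# bits stay as they are so the driver still runs for the installing user.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r p; do
        chmod o-w "$p"
    done
}

# Constructed fixture mirroring the reported layout: the .app directory
# and its binary are mode 777, their siblings and parents 775.
make_fixture() {
    fx=$(mktemp -d)
    app="$fx/hp/hp_imaging_connectivity.app"
    mkdir -p "$app/Contents/MacOS" "$fx/hp/deskjet" "$fx/hp/photosmart"
    printf '#!/bin/sh\necho hp\n' > "$app/Contents/MacOS/hp_imaging_connectivity"
    chmod 775 "$fx/hp" "$fx/hp/deskjet" "$fx/hp/photosmart" \
        "$app/Contents" "$app/Contents/MacOS"
    chmod 777 "$app" "$app/Contents/MacOS/hp_imaging_connectivity"
    echo "$fx"
}

# Stand-alone use: audit the directory given as the first argument,
# e.g. ./audit.sh /Library/Printers/hp
if [ "$#" -gt 0 ]; then
    find_world_writable "$1"
fi
```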

From the directory listing above we must conclude that not only
the Photosmart printers are affected, but also the Deskjet
series, which increases the market share for this hole
considerably.

You may counter that the user will notice that the printer is not
working when hp_imaging_connectivity has been subverted. Well,
not really. For some reason, and I have not found out why, the
printer does not work if the user who installed the driver is
different from the user who tries to use it. Consequently, the
printer is not working by default!

So if a user wants to be sure she can print, she will have to
install the printer driver anew, and she will have to be an
administrator. All printer users must therefore be administrators;
the root compromise is thus entirely trivial.

There are of course some other issues with HP's somewhat misguided
approach: as the printer driver is an application tied to the
user's desktop, it's impossible to print on the printer unless
logged in on the console. And while the printer is spitting out
pages, it is impossible to log out!

My guess is that hp_imaging_connectivity was ported from a single
user system without any security (like Mac OS 9 or Windows).
Unfortunately, there does not seem to be a workaround other than
not buying an HP ink jet printer for use with Mac OS X.

With warm regards

                                        Andreas Mueller

------------------------------------------------------------
Dr. Andreas Mueller                 Consulting and Development
Bubental 53, CH - 8852 Altendorf            <afm () othello ch>
Voice: +41 55 462 1483             Fax/Data: +41 55 462 1485
------------------------------------------------------------
