

How to analyze the Bypass vulnerability of Ghostscript SAFER Sandbox

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Preface

Ghostscript is an interpreter for Adobe's PostScript language. It renders PostScript and supports conversion between PS and PDF. Most Linux distributions install it by default, and it has been ported to Unix, macOS, Windows and other platforms; it is also used under the hood by ImageMagick, Python PIL and various PDF readers.

Vulnerability description

On August 21, 2018, Google security researcher Tavis Ormandy disclosed several Ghostscript vulnerabilities. By embedding a crafted PostScript program in an image file, an attacker can bypass the SAFER security sandbox, leading to command execution, arbitrary file reads, file deletion and similar consequences. The root cause is that when Ghostscript executes the restore operator it temporarily sets the LockSafetyParams parameter to False, which turns SAFER mode off.

Affected system version

Vulnerability debugging

Set a watchpoint on Ghostscript's LockSafetyParams variable and let the program continue; execution stops where the value of LockSafetyParams is changed, as expected.

Looking at the stack backtrace, the current function is called from a chain of functions whose names contain "interpret"; from the names these are the routines that parse and execute PostScript statements.

Breaking at frame #2 and watching how the interpreter handles the stopped, null and restore operators, the steps of the SAFER sandbox bypass become clear.

Causes of loopholes

Now let's see how the statement {null restore} stopped {pop} if bypasses the SAFER sandbox.

PostScript is a "Reverse Polish Notation" (postfix) language: put simply, the operands come first and the operator follows. The statement in the PoC is a typical PostScript error-handling construct. The stopped operator executes the procedure in the preceding {}; if the interpreter hits an error while running it, the procedure is aborted and stopped pushes true onto the operand stack (false if the procedure finished normally). The following if then executes the procedure in the {} after stopped only when that result is true.

null restore raises a type-check error (/typecheck), because restore expects a save object and null is not one. But before that check, executing restore has already set LockSafetyParams to False. stopped catches the error, the {pop} procedure removes the null that was left on top of the operand stack, and Ghostscript continues running, yet LockSafetyParams is never set back to True, so the SAFER restrictions are now off.

It is worth noting that Ghostscript's own documentation mentions that the restore operator carries a risk of bypassing SAFER mode.

Vulnerability exploitation

The OutputFile parameter sets the output file name. On Linux/Unix the output can also be sent to a pipe through the %pipe% device (on Windows the percent signs must be doubled). For example, to pipe the output to lpr: /OutputFile (%pipe%lpr)

According to the official documentation, the %pipe% feature is implemented with the popen function, which can also be confirmed during debugging:

popen() creates a pipe, calls fork() to start a child process, and hands the command string to /bin/sh with the -c argument for execution. Injecting a command here is how the vulnerability is exploited, as the figure in the original post demonstrates: the PostScript is encoded into an image file, and arbitrary commands can be executed on any web server that passes the image through Ghostscript (for example, a server that uses ImageMagick to process uploaded images).
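The server scenario above is what makes the bug reachable: ImageMagick decides by content, not extension, whether to hand a file to Ghostscript. The following added example (not part of the article, not ImageMagick code) is an upload-handler check that does the same content sniffing before ImageMagick gets the file, and additionally flags the tokens the PoC relies on. The magic-byte list, pattern names and sample files are constructed for the example.

```python
import re

# Added example (not from the article): content sniffing for an image-upload handler.
# ImageMagick routes anything that looks like PS/EPS/PDF to Ghostscript regardless
# of the file extension, so the check must look at the bytes, not the name.

# Leading bytes that identify PostScript / EPS / PDF input.
POSTSCRIPT_MAGIC = (
    b"%!",                  # PostScript / EPS comment header, e.g. "%!PS-Adobe-3.0"
    b"\xc5\xd0\xd3\xc6",    # DOS EPS binary header
    b"%PDF-",               # PDF
)

# Tokens the SAFER-bypass PoC needs; flagged even without a header, since the
# decoder may still sniff PostScript deeper in the file.
SUSPICIOUS_PATTERNS = {
    "pipe-device":        re.compile(rb"%pipe%"),
    "output-file":        re.compile(rb"/OutputFile\b"),
    "restore-in-stopped": re.compile(rb"\{[^}]*\brestore\b[^}]*\}\s*stopped"),
}


def is_postscript(data: bytes) -> bool:
    """True if the file starts with a PostScript, EPS or PDF signature."""
    return any(data.startswith(magic) for magic in POSTSCRIPT_MAGIC)


def suspicious_tokens(data: bytes) -> list:
    """Names of the PoC tokens found anywhere in the file."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(data)]


def check_upload(filename: str, data: bytes) -> dict:
    """Decide whether an 'image' upload may be handed to ImageMagick."""
    reasons = []
    if is_postscript(data):
        reasons.append("postscript-or-pdf-header")
    reasons.extend(suspicious_tokens(data))
    return {"filename": filename, "reject": bool(reasons), "reasons": reasons}


# Constructed samples: a genuine JPEG header, a PostScript program renamed to .jpg
# carrying the bypass statement and a %pipe% output device (command is a placeholder),
# and a plain PDF, which ImageMagick would also route to Ghostscript.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "photo2.jpg": (b"%!PS-Adobe-3.0\n"
                   b"{ null restore } stopped { pop } if\n"
                   b"/OutputFile (%pipe%id)\n"),
    "scan.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n",
}


def scan_samples() -> dict:
    """Run the check over every constructed sample; returns {filename: verdict}."""
    return {name: check_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(name, "REJECT" if verdict["reject"] else "ok", verdict["reasons"])
```

This is a stopgap, not a fix: it only narrows the input that reaches the decoder, and header sniffing can miss variants. The actual remediation is disabling the Ghostscript-backed coders in ImageMagick's policy and updating Ghostscript once a fixed release is available.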

Repair suggestion

At the time of this analysis, the vendor had not yet released a fix. Artifex Software, ImageMagick, Red Hat, Ubuntu and other vendors have stated that they are affected by this vulnerability, while other platforms have not yet published a description of it. The temporary workarounds are as follows:

1. Uninstall Ghostscript

2. Add the following to the /etc/ImageMagick/policy.xml file to disable the PostScript, EPS, PDF and XPS coders:
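The policy entries themselves did not survive the extraction of this page. What follows is added here, not quoted from the article: the standard ImageMagick policy.xml rules for exactly the mitigation described, deny the coders that hand input to Ghostscript. The PS2 and PS3 entries are additions beyond the four coders the article names, because ImageMagick's own recommended policy lists them alongside PS. The lines go inside the existing policymap element of your policy.xml, whose location varies by distribution (for example /etc/ImageMagick-6/policy.xml on Debian and Ubuntu).

```xml
<policymap>
  <!-- Deny the coders that pass input to Ghostscript; added to the existing policymap -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

After editing, confirm the rules are loaded with identify -list policy; ImageMagick reads the policy at startup, so long-running workers must be restarted for the change to take effect.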


© 2024 shulou.com SLNews company. All rights reserved.
