2025-02-26 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains the advisory for the Ghostscript sandbox bypass (command execution) vulnerability in detail; interested readers can refer to it, and I hope it helps.
0x00 Vulnerability Background
On the evening of January 23, 2019, Artifex officially submitted and merged six fixes on the master branch of ghostscript to address CVE-2019-6116, which was reported by Google security researcher taviso on December 3, 2018. The vulnerability allows a direct bypass of Ghostscript's security sandbox, letting an attacker execute arbitrary commands or read arbitrary files.
Ghostscript is widely used and is referenced by image-processing applications such as ImageMagick, python-matplotlib and libmagick.
0x01 Vulnerability Details
Ghostscript learned from previous vulnerabilities and added a layer of encapsulation around some special and powerful functions.
This encapsulation consists of the executeonly tag and the pseudo-operator odef.
The effect of the executeonly tag is that PostScript code is not allowed to reference the protected function.
The effect of defining an operator with odef is that the PostScript error handler does not retrieve the stack beyond this operation: if the current operator (or pseudo-operator) raises an exception or stops with an error, nothing on its stack is exposed.
However, taviso found that if one of these functions contains a conditional branch (a state-dependent judgment), the protection above loses its effect.
An attacker can then recover the dangerous functions from the stack and reference them as usual, which creates the vulnerability.
taviso gives the following snippet as the code that can be exploited:
http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=Resource/Init/pdf_draw.ps;h=79733df451c1ecc0a71b08d10e5412ac3e243a9e;hb=gs926#l1123
1123 {
1124 currentglobal pdfdict gcheck .setglobal
1125 pdfdict /.Qqwarning_issued //true .forceput
1126 .setglobal
1127 pdfformaterror
1128 } ifelse
Arbitrary command execution and arbitrary file reading can then be achieved by constructing the appropriate operands on the stack:
$ gs -dSAFER -f ghostscript-926-forceput.ps
GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Stage 0: PDFfile
Stage 1: q
Stage 3: oget
Stage 4: pdfemptycount
Stage 5: gput
Stage 6: resolvestream
Stage 7: pdfopdict
Stage 8: .pdfruncontext
Stage 9: pdfdict
Stage 10: /typecheck #1
Stage 10: /typecheck #2
Stage 11: Exploitation...
Should now have complete control over ghostscript, attempting to read
/etc/passwd...
(root:x:0:0:root:/root:/bin/bash)
Attempting to execute a shell command...
uid=1000(taviso) gid=1000(primarygroup)
groups=1000(primarygroup),4(adm),20(dialout),24(cdrom),25(floppy),44(video),46(plugdev),999(logindev)
360CERT judges that the vulnerability is seriously harmful and has a wide impact. It is recommended that users upgrade their versions in a timely manner, and at the same time conduct version self-inspection of online services involving image, pdf and other formats.
0x02 Vulnerability Verification
0x03 Impact Version
Ghostscript has not yet issued a release containing the fix.
All versions prior to commit c47512e5e638d903d69925f7ebab4de2aa3f481f are affected.
Ghostscript is used as a low-level component for image processing and format conversion.
The vulnerability therefore affects all upstream applications that reference ghostscript, including but not limited to:
imagemagick
libmagick
graphicsmagick
gimp
python-matplotlib
texlive-core
texmacs
latex2html
latex2rtf
etc.
0x04 Repair suggestions
Update to commit c47512e5e638d903d69925f7ebab4de2aa3f481f, or pull the latest master branch directly.
If you cannot update, first disable the use of gs to parse PS files.
If you use ImageMagick, it is recommended to modify the policy file (default location: /etc/ImageMagick/policy.xml) to add the following (i.e. disable the PS, EPS, PDF, XPS and PCD coders):
However, taviso notes that this policy is very loose, and there may be formats it does not cover.
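As an added example (not part of the 360CERT advisory or ImageMagick's own files), the following shell script shows policy.xml entries that deny the four Ghostscript-backed coders named above (PS, EPS, PDF, XPS) and a self-check that reports which of them a given policy file still leaves enabled, for the version self-inspection the advisory recommends. It assumes the stock ImageMagick policy syntax <policy domain="coder" rights="none" pattern="..." />; both policy files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the advisory: check which of the ImageMagick coders
# that hand input to Ghostscript a policy.xml still leaves enabled.
# Assumes the stock policy syntax <policy domain="coder" rights="none" pattern="X" />.

GS_CODERS="PS EPS PDF XPS"   # coders the advisory says to disable

# missing_coder_denials FILE: prints the coders that lack a rights="none"
# entry; returns 0 when all four are denied, 1 otherwise.
missing_coder_denials() {
    file="$1"
    missing=""
    for coder in $GS_CODERS; do
        if ! grep -Eq "<policy[[:space:]]+domain=\"coder\"[[:space:]]+rights=\"none\"[[:space:]]+pattern=\"$coder\"" "$file"; then
            missing="$missing $coder"
        fi
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample policies (not real system files); removed on exit.
WEAK="${TMPDIR:-/tmp}/policy-weak.$$.xml"
HARDENED="${TMPDIR:-/tmp}/policy-hardened.$$.xml"
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# Weak: only PDF is denied, so PS/EPS/XPS input still reaches gs.
cat >"$WEAK" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
EOF

# Hardened: every Ghostscript-backed coder is denied.
cat >"$HARDENED" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
EOF

echo "weak policy still allows:   $(missing_coder_denials "$WEAK")"
missing_coder_denials "$HARDENED" >/dev/null && echo "hardened policy: all four coders denied"
```

To inspect an installed system, point the function at the real file (the default path given above, /etc/ImageMagick/policy.xml) instead of the constructed samples.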
360CERT recommends that users upgrade their versions in a timely manner, and at the same time conduct version self-inspection of online services involving image, pdf and other formats.