lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB141B0C9C2C@USEXCHANGE.ad.checkpoint.com>
Date: Mon, 17 May 2010 06:10:11 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: GhostScript Vulnerability Clarification -
	CVE-2010-1869

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to clarify this issue.   Here is our advisory and the specific timeline:


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

GhostScript 8.70 and lower stack overflow


INTRODUCTION

Ghostscript is an interpreter for the PostScript language and the Portable Document Format (PDF).

There exists a vulnerability within the parser function that when properly exploited can lead to remote comprimise of the vulnerable system, both thru client-side exploitation (using applications like Imagemagick) or server-side exploitation (using cups printer daemon). For both cases
there is a working exploit to be shared with interested parts.

This vulnerability was confirmed in the following GhostScript versions:

8.70
8.64


DETAILS

A remote attacker could entice a user to open a specially crafted PostScript file (client-side exploitation scenario) or just print the file (server-sie exploitation scenario), possibly resulting in the execution of arbitrary code with the privileges of the user running the application or the printer daemon.

Different Unix vendors and Linux distributions are vulnerable to that due to the usage of the vulnerable GhostScript version.

The following test was made on a PCBSD 8.0 default install.  There is a working exploit for the vulnerability to test the exploitability in different systems.  Propolice protection mitigates this vulnerability.

$ gs --version
8.70
$ gdb gs
...
...
(gdb) r crash.ps
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 29201140 (LWP 100125)]
0x2897774e in memcpy () from /lib/libc.so.7
(gdb) bt
#0  0x2897774e in memcpy () from /lib/libc.so.7
#1  0x28178cb4 in scan_token () from /usr/local/lib/libgs.so.8
#2  0x41414141 in ?? ()
(gdb) x/i $pc
0x2897774e <memcpy+30>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) i r $esi $edi
esi            0xbfbfd118       -1077948136
edi            0x414142d9       1094795993

We can use the Cupsd to trigger the vulnerability in the gs process.

$ lp -d hpdskjet crash.pdf
$ grep crashed /var/log/cups/error_log
D [08/Mar/2010:18:01:10 -0500] [Job 11] PID 33428 (gs) crashed on signal 11!


WORKAROUND

Upgrade to GhostScript version 8.71.


TIMELINE

14/Jan - Vulnerability discovered
February and March - Communications with the Vendor (Artifex)
28/Mar - First request for a CVE entry
12/Apr - Communication with RedHat and other vendors (Ubuntu, FreeBSD and others)
10/May - CVE assigned (CVE-2010-1869)
11/May - Check Point issued an IPS update to protect its customers
12/May - After seen the Check Point advisory, Dan Rosenberg published the issue to the mailing lists
12/May - Clarified with Dan that the vulnerabilities are the same.

CREDITS

This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).



Best Regards,

Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ