File: README.GhostScriptSecurityProblem

Package: ifhp 3.5.20-17 (Debian bullseye, main)
Summary:   Printing a file can cause a system compromise

Date: 12 Nov. 2001
Updated: Sat Feb  2 08:27:14 PST 2002

Reason:    Some versions of GhostScript can open and read files on the system
(-dSAFER may not disable file open, and -dPARANOIDSAFER may not be implemented)

*******************
UPDATE:

This problem has been fixed on some later versions of GhostScript
and other PostScript converters.  The fix described here may
need to be modified for the specific version of GhostScript you are
using.  See the notes below.  The -dPARANOIDSAFER flag should solve
this problem.

Do NOT repeat NOT make the suggested changes if the problem
described below does not exist.

*******************
 

Systems Impacted:  just about everything that uses GhostScript (or
some other PostScript interpreter) for PostScript document
conversion. This includes the various MagicFilters, Transcript,
LPRng's ifhp, RedHat's rh-printfilter.  These are running on Linux,
BSD, System V, possibly Sun Microsystems, HP, etc., etc., etc.
Note: it is possible that the same problem exists on Microsoft
systems as well if they are using a PostScript interpreter.

Detailed Explanation:

GhostScript is used to convert PostScript files to formats compatible
with printers and other devices.  It is used as a utility by a
large number of 'print filters', including MagicFilters, format
converters, LPRng's IFHP filter, RedHat's rh-printfilter, Transcript,
etc., etc.

The PostScript 'file' operator opens a file which can then be
read and printed.  Here is a sample of how this could be done:

Save these lines to 'testpr':

%!
% Code extracts from PostScript Language Tutorial and Cookbook
%  Copyright 1986, Adobe Systems.

% set up printing
/finr /Helvetica findfont 10 scalefont def
/shwr {moveto finr setfont show} def
% do the dirty work here
(/etc/passwd) (r) file
% read a single line
100 string readline pop 45 292 shwr showpage

Now run this using GhostScript:

#> gs testpr

If you see the first line of the /etc/passwd file displayed then
you have a possible compromise.  If GhostScript is used to convert
PostScript to PCL or some other non-PostScript format then you can
print copies of the various files of interest.

Now try this with -dSAFER -dPARANOIDSAFER

#> gs -dSAFER -dPARANOIDSAFER testpr

If you see the same output, then -dSAFER -dPARANOIDSAFER are
not preventing file access.
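The two test runs above, repackaged as an added Python audit script (not part of this README, and not the author's or the ifhp project's code). Instead of /etc/passwd it reads a throw-away canary file that it creates itself, holding a constructed marker string, so it can be run on a production host as a check rather than a demonstration. It generates a probe like 'testpr' that reads the first line with the 'file' operator and emits it with 'print' on the -dNODISPLAY device, then runs gs with no flags, with -dSAFER, with -dSAFER -dPARANOIDSAFER, and with -dNOSAFER (an assumption about current releases, where SAFER is on by default), reporting READABLE or BLOCKED for each. It assumes gs is on PATH and reports if it is not.

```python
"""Added example: does the installed GhostScript let PostScript read an
arbitrary file under -dSAFER?  Uses a canary file, not /etc/passwd."""
import os
import shutil
import subprocess
import tempfile

CANARY = "CANARY-0f3a9c-do-not-print"   # constructed marker, not real data

# Flag sets to compare.  The README's tests are the first three; -dNOSAFER
# is assumed to exist on current releases that enable SAFER by default.
FLAG_SETS = [[], ["-dSAFER"], ["-dSAFER", "-dPARANOIDSAFER"], ["-dNOSAFER"]]


def build_probe(path):
    """Return PostScript that opens `path` for reading and prints its first
    line to stdout (the README's 'testpr', but printing instead of drawing)."""
    # Backslashes and parentheses must be escaped inside a PostScript string.
    escaped = path.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return (
        "%!\n"
        f"({escaped}) (r) file\n"
        "100 string readline pop print\n"
        "(\\n) print flush\n"
    )


def classify(stdout, stderr):
    """READABLE if the canary leaked, BLOCKED if gs raised invalidfileaccess,
    otherwise UNKNOWN (some other error, timeout, etc.)."""
    if CANARY in stdout:
        return "READABLE"
    if "invalidfileaccess" in stdout + stderr:
        return "BLOCKED"
    return "UNKNOWN"


def run_gs(flags, probe_path):
    """Run one gs invocation headless and classify what it printed."""
    cmd = ["gs", "-q", "-dNODISPLAY", "-dNOPAUSE", "-dBATCH", *flags, probe_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except subprocess.TimeoutExpired:
        return "UNKNOWN"
    return classify(proc.stdout, proc.stderr)


def audit():
    """Return {flag string: verdict} for each flag set, or None if gs is
    not installed.  The canary and probe live in a private temp dir."""
    if shutil.which("gs") is None:
        return None
    workdir = tempfile.mkdtemp(prefix="gs-safer-audit-")
    try:
        canary_path = os.path.join(workdir, "canary.txt")
        with open(canary_path, "w") as fh:
            fh.write(CANARY + "\n")
        probe_path = os.path.join(workdir, "probe.ps")
        with open(probe_path, "w") as fh:
            fh.write(build_probe(canary_path))
        return {" ".join(f) or "(no flags)": run_gs(f, probe_path)
                for f in FLAG_SETS}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    results = audit()
    if results is None:
        print("gs not found on PATH")
    else:
        for flags, verdict in results.items():
            print(f"{flags:28s} {verdict}")
```

A READABLE verdict in the -dSAFER row is the condition the README describes; BLOCKED in that row with READABLE under -dNOSAFER shows both that SAFER is doing its job and that the probe itself works.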

MORE BAD NEWS:

Now, you might think this is the worst that can happen...
Nope.  I just discovered the following:

a)  GhostScript can open files for writing as well as reading.
b)  Some vendors run their print filters as ROOT.
c)  Some do not have -dSAFER enabled.

You might want to think about:

  (/etc/shadow) (w) file (root:::::) writeline

There... did your blood run cold?  Or are you rushing out to
try this on your local system to see if the Sysadmin has fixed
this?  (Note for sysadmin: there is no 'writeline' primitive,
but they will whip one up REAL SOON NOW, so get moving.)

AND A POSSIBLE ADDITIONAL EXPLOIT:

In addition to the 'file' command,  there is also the 'run' command
that will open a file and execute its contents.  I can't think of
any use for this, but better to be safe than sorry.  Since most
students^H^H^H^H^H^H users are smarter than me,  they will most
likely think of one.

IMMEDIATE STEPS TO TAKE:

Step 1:  TURN OFF PRINTING NOW!  Kill the LPD print spooler
   server or the lpsched print spooling server:

    pkill lpd
      OR
    killall lpd
      OR
    ps -e |grep lpd;   find the PID of the lpd process
                       and do:  kill PID

    ps -e |grep lpsched;   find the PID of the lpsched process
       and do:  kill PID

Step 2: Update to the latest version of GhostScript that has
   -dSAFER implemented.  Rerun this test.  If the test
    succeeds (i.e. bad things happen), then proceed to
    step 3.

Step 3: Modify the gs_init.ps file.  It is usually in:

/usr/share/ghostscript/XXX/lib/gs_init.ps

where XXX is the version of GhostScript.  See the notes below
for your version of GhostScript.

Step 4: Rerun the tests described above.  They should now
  fail.  If not,  then consult a GhostScript Wizard.  (Actually,
  you need to consult a GhostScript Medium or even GhostScript
  Small, but I digress.)

Step 5: Check all of your applications that are executable by
 root (including GhostView (gv) and others) to make sure that they
 have -dSAFER defined.  Note that this might need to include
 PostScript to PDF converters, and PDF to PostScript converters.
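Step 5 is a grep over every print filter and converter wrapper on the box. Here is an added Python script (not from this README or the ifhp project) that does it: it finds gs invocations in shell scripts, folding backslash-newline continuations first so a multi-line command is checked as one, and lists every invocation that lacks -dSAFER or that passes -dNOSAFER (a flag assumed to exist on current releases). The three filter scripts it checks by default are constructed samples embedded in the script; pass real files or directories on the command line to scan your own filters.

```python
"""Added example: list gs invocations in print-filter scripts that do not
run with -dSAFER (the check behind step 5)."""
import os
import re

# Matches a gs/ghostscript command word (optionally exec'd or given with a
# path) and captures its arguments up to the end of that simple command.
GS_CMD = re.compile(
    r"(?:^|[\s;&|(])(?:exec\s+)?(?:\S*/)?(?:gs|gsc|ghostscript)\s+([^;|&#]*)"
)

# Constructed sample filters, embedded so the example runs offline.
SAMPLE_FILTERS = {
    "/usr/lib/filters/good-filter.sh": (
        "#!/bin/sh\n"
        "# PostScript -> PCL for the laser queue\n"
        "gs -q -dSAFER -dPARANOIDSAFER -dNOPAUSE -dBATCH "
        "-sDEVICE=ljet4 -sOutputFile=- -\n"
    ),
    "/usr/lib/filters/bad-filter.sh": (
        "#!/bin/sh\n"
        "exec gs -q -dNOPAUSE -dBATCH -sDEVICE=ljet4 -sOutputFile=- -\n"
    ),
    "/usr/lib/filters/pdf-filter.sh": (
        "#!/bin/sh\n"
        "pdf2ps \"$1\" /tmp/job.ps\n"
        "gs -dSAFER \\\n"
        "   -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/tmp/job.pdf /tmp/job.ps\n"
        "gs -dSAFER -dNOSAFER -sDEVICE=pdfwrite -o /tmp/x.pdf /tmp/job.ps\n"
    ),
}


def join_continuations(text):
    """Fold backslash-newline continuations so one command is one line."""
    return text.replace("\\\n", " ")


def scan_script(text):
    """Return [(line_no, args, safe)] for every gs invocation in a script.
    line_no counts lines after continuations have been folded."""
    findings = []
    for line_no, line in enumerate(join_continuations(text).splitlines(), 1):
        for match in GS_CMD.finditer(line):
            args = match.group(1).split()
            # Safe only if SAFER is requested and not switched off again.
            safe = "-dSAFER" in args and "-dNOSAFER" not in args
            findings.append((line_no, " ".join(args), safe))
    return findings


def audit_filters(filters):
    """filters: {path: script text}.  Return [(path, line_no, args)] for the
    invocations that are NOT safe, in path order."""
    unsafe = []
    for path in sorted(filters):
        for line_no, args, safe in scan_script(filters[path]):
            if not safe:
                unsafe.append((path, line_no, args))
    return unsafe


def load_scripts(paths):
    """Read real filter scripts (files or directories) into {path: text}."""
    scripts = {}
    for p in paths:
        files = [p] if os.path.isfile(p) else [
            os.path.join(d, f) for d, _, fs in os.walk(p) for f in fs]
        for f in files:
            try:
                with open(f, encoding="utf-8", errors="replace") as fh:
                    scripts[f] = fh.read()
            except OSError:
                pass
    return scripts


if __name__ == "__main__":
    import sys
    scripts = load_scripts(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_FILTERS
    for path, line_no, args in audit_filters(scripts):
        print(f"{path}:{line_no}: gs without -dSAFER: {args}")
```

The scan is textual, so a filter that builds its gs command line from a variable will not be caught; for those, run the dynamic probe against the filter itself rather than trusting the script text.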

----------- AFPL Ghostscript 6.50 (and possibly others) -------------

1. open the gs_init.ps file.
2. Look for the following lines and add the lines
   with - in front of them.

  % If we want a "safer" system, disable some obvious ways to cause havoc.
  SAFER not { (%END SAFER) .skipeof } if
  /file
   { dup (r) eq 2 index (%pipe*) .stringmatch not and
     2 index (%std*) .stringmatch or
      { file }
      { /invalidfileaccess signalerror }
     ifelse
   } .bind odef
- /file { /invalidfileaccess signalerror } odef
- /run { /invalidfileaccess signalerror } odef
  /renamefile { /invalidfileaccess signalerror } odef
  /deletefile { /invalidfileaccess signalerror } odef
  /putdeviceprops

3. Rerun the tests and make sure that they now fail.

-------------------------------------------------------------


------------- AFPL Ghostscript 7.03  (and possibly others) --
 
From: Carl Riches <riches@ms.washington.edu>
I have just installed AFPL Ghostscript 7.03, and found that I had to
replace part of the file:
 
  gs_init.ps
 
with this code:
 
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
 
.currentglobal true .setglobal
/SAFETY 2 dict
  dup /safe DELAYSAFER not put
  dup /tempfiles 10 dict put
readonly def
.setglobal
 
/.setsafe
  { //SAFETY /safe //true .forceput % overrides readonly
  } .bind executeonly odef
 
/file
 { //SAFETY /safe get {
     dup (r) eq
     2 index (%pipe*) .stringmatch not and
     3 index (%std*)  .stringmatch not and
     or or
       { file }
       { /invalidfileaccess //signalerror exec }
     ifelse
   } {
     file
   } ifelse
 } .bind executeonly odef

 
Here are the actual SCCS diffs of the file:
 
------- gs_init.ps -------
1567,1568c1567,1570
<      dup (r) eq 2 index (%pipe*) .stringmatch not and
<      2 index (%std*) .stringmatch or
---
>      dup (r) eq
>      2 index (%pipe*) .stringmatch not and
>      3 index (%std*)  .stringmatch not and
>      or or
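Review bot: the stack arithmetic in the replacement does not line up with the original. `file` is entered with `filename access` on the stack; after `dup (r) eq` and `2 index (%pipe*) .stringmatch not and` there is exactly one boolean above those two operands, so `3 index` reaches below the filename instead of fetching it (the original uses `2 index` for both tests), and the closing `or or` needs three booleans where only one is left. The `.stringmatch not and` on the `%std*` test also inverts the original's meaning: `2 index (%std*) .stringmatch or` allowed `%stdin`/`%stdout`/`%stderr` whatever the access mode, whereas the new form rejects them. Suggest keeping the original's two-line condition and, after any change, checking that `(%stdout) (w) file` still works under -dSAFER while the README's 'testpr' is refused.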

------------------------------------------------------------

Patrick Powell                 Astart Technologies
papowell@astart.com            6741 Convoy Court
Network and System             San Diego, CA 92111
  Consulting                   858-874-6543 FAX 858-751-2435
LPRng - Print Spooler (http://www.lprng.com)