Summary: Printing a file can cause a system compromise
Date: 12 Nov. 2001
Updated: Sat Feb 2 08:27:14 PST 2002
Reason: Some Versions of GhostScript can open and read files on system
(-dSAFER may not disable file open, and -dPARANOIDSAFER may not be implemented)
*******************
UPDATE:
This problem has been fixed on some later versions of GhostScript
and other PostScript converters. The fix described in here may
need to be modified for the specific version of GhostScript you are
using. See the notes below. The -dPARANOIDSAFER flag should solve
this problem.
Do NOT repeat NOT make the suggested changes if the problem
described below does not exist.
*******************
Systems Impacted: just about everything that uses GhostScript (or
some other PostScript interpreter) for PostScript document
conversion. This includes the various MagicFilters, Transcript,
LPRng's ifhp, and RedHat's rh-printfilter, running on Linux,
BSD, System V, possibly Sun Microsystems, HP, etc., etc., etc.
Note: it is possible that the same problem exists on Microsoft
systems as well if they are using a PostScript interpreter.
Detailed Explanation:
GhostScript is used to convert PostScript files to formats compatible
with printers and other devices. It is used as a utility by a
large number of 'print filters', including MagicFilters, format
converters, LPRng's IFHP filter, RedHat's rh-printfilter, Transcript,
etc., etc.
The PostScript 'file' operator opens a file which can then be
read and printed. Here is a sample of how this could be done:
Save these lines to 'testpr':
%!
% Code extracts from PostScript Language Tutorial and Cookbook
% Copyright 1986, Adobe Systems.
% set up printing
/finr /Helvetica findfont 10 scalefont def
/shwr {moveto finr setfont show} def
% do the dirty work here
(/etc/passwd) (r) file
% read a single line
100 string readline pop 45 292 shwr showpage
Now run this using GhostScript:
#> gs testpr
If you see the first line of the /etc/passwd file displayed then
you have a possible compromise. If GhostScript is used to convert
PostScript to PCL or some other non-PostScript format then you can
print copies of the various files of interest.
Now try this with -dSAFER -dPARANOIDSAFER:
#> gs -dSAFER -dPARANOIDSAFER testpr
If you see the same output, then -dSAFER -dPARANOIDSAFER is
not preventing file access.
MORE BAD NEWS:
Now, you might think this is the worst that can happen...
Nope. I just discovered the following:
a) GhostScript can open files for writing as well as reading.
b) Some vendors run their print filters as ROOT.
c) Some do not have -dSAFER enabled.
You might want to think about:
(/etc/shadow) (w) file (root:::::) writeline
There... did your blood run cold? Or are you rushing out to
try this on your local system to see if the Sysadmin has fixed
this? (Note for sysadmins: there is no 'writeline' primitive,
but the standard 'writestring' operator does the same job, so the
missing name is no protection at all. Get moving.)
AND A POSSIBLE ADDITIONAL EXPLOIT:
In addition to the 'file' operator, there is also the 'run' operator,
which opens a named file and executes its contents as PostScript.
I can't think of any use for this in a print job, but better to be
safe than sorry. Since most students^H^H^H^H^H^H users are smarter
than me, they will most likely think of one.
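The following script is an added example (it is not part of this advisory or of LPRng): it automates the testpr check above and extends it to the write and run cases from the two sections above, without touching /etc/passwd or /etc/shadow. A canary file and a small helper .ps are created in a scratch directory; the probe then tries to read the canary, write a file, and run the helper under -dSAFER -dPARANOIDSAFER, each attempt wrapped in 'stopped' so one blocked operation does not abort the rest. It assumes a POSIX sh, mktemp, and a gs binary on the PATH (or one named as the first argument); the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory: probe a Ghostscript install for
# PostScript file read / write / run access under -dSAFER -dPARANOIDSAFER.
# Non-destructive: it only touches files it creates in a temp directory.

# classify_output GS_STDOUT CANARY RUN_MARKER WRITTEN_PATH
# Pure function: decides from the probe's output and side effects which of
# the three operations Ghostscript allowed, and prints one summary line.
classify_output() {
  _out=$1 _canary=$2 _marker=$3 _written=$4
  # read: the canary line could only appear if 'file' opened the canary file
  case "$_out" in *"$_canary"*) _r=ALLOWED ;; *) _r=BLOCKED ;; esac
  # write: the scratch file only exists if '(w) file' + 'writestring' worked
  if [ -f "$_written" ]; then _w=ALLOWED; else _w=BLOCKED; fi
  # run: the helper prints the marker only if 'run' executed it
  case "$_out" in *"$_marker"*) _x=ALLOWED ;; *) _x=BLOCKED ;; esac
  printf 'read=%s write=%s run=%s\n' "$_r" "$_w" "$_x"
}

# probe_gs [GS_BINARY]  -- builds the probe, runs it, prints the summary.
# Returns 2 if no gs binary is available.
probe_gs() {
  _gs=${1:-gs}
  command -v "$_gs" >/dev/null 2>&1 || { echo "$_gs: not found" >&2; return 2; }
  _dir=$(mktemp -d) || return 1
  _canary="CANARY-$$-gs-file-probe"
  _marker="RUN-MARKER-$$"
  printf '%s\n' "$_canary" > "$_dir/canary"
  printf '%%!PS\n(%s) print\n' "$_marker" > "$_dir/helper.ps"
  # mktemp paths contain no '(' ')' or '\', so they can be embedded in
  # PostScript string literals as-is.
  cat > "$_dir/probe.ps" <<EOF
%!PS
% run each attempt with 'stopped', swallow any error, then clean the stack
/try { stopped { (ERR ) print } if clear } def
{ ($_dir/canary) (r) file 100 string readline pop print } try
{ ($_dir/written) (w) file dup (written by gs) writestring closefile } try
{ ($_dir/helper.ps) run } try
flush
EOF
  _out=$("$_gs" -q -dNODISPLAY -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER \
         "$_dir/probe.ps" 2>&1)
  classify_output "$_out" "$_canary" "$_marker" "$_dir/written"
  rm -rf "$_dir"
}

# Run the probe when this file is executed as a script. Any ALLOWED in the
# summary means the installed Ghostscript still needs the fix below.
probe_gs "$@" || :
```

Run it as `sh probe.sh` (or `sh probe.sh /usr/local/bin/gs` for a specific binary). A current Ghostscript prints `read=BLOCKED write=BLOCKED run=BLOCKED`; an affected one prints ALLOWED for at least the read case. Run it again as the user your print filter runs as, since that is the account whose file permissions matter.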
IMMEDIATE STEPS TO TAKE:
Step 1: TURN OFF PRINTING NOW! Kill the LPD print spooler
server or the lpsched print spooling server:
pkill lpd
OR
killall lpd
OR
ps -e | grep lpd      (find the PID of the lpd process and do: kill PID)
ps -e | grep lpsched  (find the PID of the lpsched process and do: kill PID)
Step 2: Update to the latest version of GhostScript that has
-dSAFER implemented. Rerun the test above. If the test still
succeeds (i.e. bad things happen), proceed to step 3.
Step 3: Modify the gs_init.ps file. It is usually in:
/usr/share/ghostscript/XXX/lib/gs_init.ps
where XXX is the version of GhostScript. See the notes below
for your version of GhostScript.
Step 4: Rerun the tests described above. They should now
fail. If not, then consult a GhostScript Wizard. (Actually,
you need to consult a GhostScript Medium or even GhostScript
Small, but I digress.)
Step 5: Check all of your applications that are executable by
root (including GhostView (gv) and others) to make sure that they
invoke gs with -dSAFER. Note that this might need to include
PostScript to PDF converters, and PDF to PostScript converters.
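As an added example for Step 5 (my own code, not from the advisory or LPRng): a heuristic first pass over print-filter scripts that prints every line invoking 'gs' without -dSAFER on the same line. It is a line-level grep, so a filter that assembles its gs command line from variables still needs a manual read; the function name is my own and the sample lines in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: flag gs invocations lacking -dSAFER.
# flag_unsafe_gs_lines [FILE...]   (reads stdin when no files are given)
# Output is grep -n style: [file:]line:content, one line per suspect call.
flag_unsafe_gs_lines() {
  # first grep: 'gs' as a whole word (so /usr/bin/gs and "gs" match, but
  # gsfonts, pgs or foo-gs do not); second grep: drop lines that already
  # carry -dSAFER as a whole option
  grep -nE '(^|[^[:alnum:]_.-])gs([^[:alnum:]_.-]|$)' "$@" \
    | grep -vE -- '-dSAFER([^[:alnum:]_]|$)'
}
```

Point it at the directory your filters live in, for example `flag_unsafe_gs_lines /usr/local/libexec/filters/*` (path assumed), and read each reported line; an empty result means only that no single line was obviously wrong.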
----------- AFPL Ghostscript 6.50 (and possibly others) -------------
1. Open the gs_init.ps file.
2. Look for the following block and add the two lines marked with
a leading '-' (type them without the '-') right after the existing
/file definition, so that /file and /run always raise
invalidfileaccess when SAFER is set:
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
 { dup (r) eq 2 index (%pipe*) .stringmatch not and
   2 index (%std*) .stringmatch or
   { file }
   { /invalidfileaccess signalerror }
   ifelse
 } .bind odef
- /file { /invalidfileaccess signalerror } odef
- /run { /invalidfileaccess signalerror } odef
/renamefile { /invalidfileaccess signalerror } odef
/deletefile { /invalidfileaccess signalerror } odef
/putdeviceprops
This is a blunt fix: with it, -dSAFER rejects every 'file' call,
including the %stdout/%stderr opens that the original definition
allowed, so check that your own filters still work afterwards.
3. Rerun the tests and make sure that they now fail.
-------------------------------------------------------------
------------- AFPL Ghostscript 7.03 (and possibly others) --
From: Carl Riches <riches@ms.washington.edu>
I have just installed AFPL Ghostscript 7.03, and found that I had to
replace part of the file gs_init.ps with this code:
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
.currentglobal true .setglobal
/SAFETY 2 dict
  dup /safe DELAYSAFER not put
  dup /tempfiles 10 dict put
readonly def
.setglobal
/.setsafe
 { //SAFETY /safe //true .forceput % overrides readonly
 } .bind executeonly odef
/file
 { //SAFETY /safe get {
     dup (r) eq
     2 index (%pipe*) .stringmatch not and
     3 index (%std*) .stringmatch not and
     or or
     { file }
     { /invalidfileaccess //signalerror exec }
     ifelse
   } {
     file
   } ifelse
 } .bind executeonly odef
Here are the actual SCCS diffs of the file:
------- gs_init.ps -------
1567,1568c1567,1570
< dup (r) eq 2 index (%pipe*) .stringmatch not and
< 2 index (%std*) .stringmatch or
---
> dup (r) eq
> 2 index (%pipe*) .stringmatch not and
> 3 index (%std*) .stringmatch not and
> or or
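Review bot: the operand-stack arithmetic in the four replacement lines does not line up. When the redefined /file runs, the stack holds only the two operands (name, access); after `dup (r) eq` and `2 index (%pipe*) .stringmatch not and` a single boolean sits above them, so the `3 index` on the next line reaches below the operator's own operands (stackunderflow, or whatever happened to be there), and the closing `or or` will try to `or` the access string once that one boolean has been consumed. If the intent is to require all three conditions (read-only, not %pipe*, not %std*), compute them first and combine afterwards, e.g. `dup (r) eq`, `2 index (%pipe*) .stringmatch not`, `3 index (%std*) .stringmatch not`, then `and and`. Note also that, unlike the replaced lines (which allowed any %std* name), this rejects %stdout/%stderr opens as well; after the edit, rerun the advisory's testpr under -dSAFER to confirm that `file` raises invalidfileaccess.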
------------------------------------------------------------
Patrick Powell
Network and System Consulting
papowell@astart.com
Astart Technologies
6741 Convoy Court
San Diego, CA 92111
858-874-6543  FAX 858-751-2435
LPRng - Print Spooler (http://www.lprng.com)