Gentoo Archives: gentoo-dev

From: slik@×××××××××××.net
To: gentoo-dev@××××××××××.org
Subject: [gentoo-dev] [Fwd: [rock-linux] [papowell@astart.com: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access]]
Date: Wed, 19 Sep 2001 00:08:09
Message-Id: 3BA8360B.9C5B6466@telusplanet.net
Nikolaus Filus wrote:
>
> Hi everybody,
>
> I just got the following mail on the LPRng mailing list. Maybe it's important
> to all of us, even those not running LPRng but ghostscript.
>
> Nikolaus
>
> ----- Forwarded message from User Papowell <papowell@××××××.com> -----
>
> Date: Tue, 18 Sep 2001 08:06:34 -0700 (PDT)
> From: User Papowell <papowell@××××××.com>
> To: lprng@×××××.com
> Subject: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access
>
> Summary: Printing a file can cause a system compromise
>
> Reason: GhostScript can open and read files on system
> (-dSAFER may not disable file open)
>
> Systems Impacted: just about everything that uses GhostScript (or
> some other PostScript interpreters) for PostScript document
> conversion. This includes the various MagicFilters, Transcript,
> LPRng's ifhp, RedHat's rh-printfilter. These are running on Linux,
> BSD, System V, possibly Sun Microsystems, HP, etc., etc., etc.
> Note: it is possible that the same problem exists on Microsoft
> systems as well if they are performing PostScript to conversions.
>
> Detailed Explanation:
>
> GhostScript is used to convert PostScript files to formats compatible
> with printers and other devices. It is used as a utility by a
> large number of 'print filters', including MagicFilters, format
> converters, LPRng's IFHP filter, RedHat's rh-printfilter, Transcript,
> etc., etc.
>
> The PostScript 'file' operator opens a file which can then be
> read and printed. Here is a sample of how this could be done:
>
> Save these lines to 'testpr':
>
> %!
> % Code extracts from PostScript Language Tutorial and Cookbook
> % Copyright 1986, Adobe Systems.
>
> % set up printing
> /finr /Helvetica findfont 10 scalefont def
> /shwr {moveto finr setfont show} def
> % do the dirty work here
> (/etc/passwd) (r) file
> % read a single line
> 100 string readline pop 45 292 shwr showpage
>
> Now run this using GhostScript:
>
> #> gs testpr
>
> If you see the first line of the /etc/passwd file displayed then
> you have a possible compromise. If GhostScript is used to convert
> PostScript to PCL or some other non-PostScript format then you can
> print copies of the various files of interest.
>
> Now try this with -dSAFER
>
> #> gs -dSAFER testpr
>
> If you see the same output, then the -dSAFER is not preventing
> file access.
>
> MORE BAD NEWS:
>
> Now, you might think this is the worst that can happen...
> Nope. I just discovered the following:
>
> a) GhostScript can open files for writing as well as reading.
> b) Some vendors run their print filters as ROOT.
> c) Some do not have -dSAFER enabled.
>
> You might want to think about:
>
> (/etc/shadow) (w) file (root:::::) writeline
>
> There... did your blood run cold? Or are you rushing out to
> try this on your local system to see if the Sysadmin has fixed
> this? (Note for sysadmin: there is no 'writeline' primitive,
> but they will whip one up REAL SOON NOW, so get moving.)
>
> AND A POSSIBLE ADDITIONAL EXPLOIT:
>
> In addition to the 'file' command, there is also the 'run' command
> that will open a file and execute its contents. I can't think of
> any use for this, but better to be safe than sorry. Since most
> students^H^H^H^H^H^H users are smarter than me, they will most
> likely think of one.
>
> IMMEDIATE STEPS TO TAKE:
>
> Step 1: TURN OFF PRINTING NOW! Kill the LPD print spooler
> server or the lpsched print spooling server:
>
> pkill lpd
> OR
> killall lpd
> OR
> ps -e |grep lpd; find the PID of the lpd process
> and do: kill PID
>
> ps -e |grep lpsched; find the PID of the lpsched process
> and do: kill PID
>
> Step 2: Update to the latest version of GhostScript that has
> -dSAFER implemented.
>
> Step 3: Modify the gs_init.ps file. It is usually in:
>
> /usr/share/ghostscript/XXX/lib/gs_init.ps
>
> where XXX is the version of GhostScript.
>
> The following changes will disable 'file' and 'run' when
> gs is executed with -dSAFER.
>
> 1. open the gs_init.ps file.
> 2. Look for the following lines and add the lines
> with - in front of them.
>
> % If we want a "safer" system, disable some obvious ways to cause havoc.
> SAFER not { (%END SAFER) .skipeof } if
> /file
> { dup (r) eq 2 index (%pipe*) .stringmatch not and
> 2 index (%std*) .stringmatch or
> { file }
> { /invalidfileaccess signalerror }
> ifelse
> } .bind odef
> - /file { /invalidfileaccess signalerror } odef
> - /run { /invalidfileaccess signalerror } odef
> /renamefile { /invalidfileaccess signalerror } odef
> /deletefile { /invalidfileaccess signalerror } odef
> /putdeviceprops
>
> Step 4: make sure that all the conversion scripts use gs -dSAFER
>
> Step 5: (for the VERY VERY paranoid sysadmin)
> Comment out the 'SAFER not ...' line; this will
> ALWAYS run GhostScript in SAFER mode.
>
> Step 6:
> save the modified gs_init.ps file.
>
> Step 7:
> Try executing the 'testpr' file again. It should fail.
>
> Step 8:
> Re-enable printing and try printing the 'testpr' file
> to a printer that requires raster conversion.
> Your job should fail with a GhostScript error.
>
> Note: there are also other functions in the gs_init file that
> seem to allow opening and reading of files. I am not an expert
> on PostScript, so I am not in a position to comment on them.
>
> Patrick Powell
> Astart Technologies, Network and System Consulting
> 9475 Chesapeake Drive, Suite D, San Diego, CA 92123
> papowell@××××××.com   858-874-6543   FAX 858-279-8424
> LPRng - Print Spooler (http://www.lprng.com)
>
>
> ----- End forwarded message -----
>
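As an added example (not part of the bulletin, LPRng or GhostScript), here is a small Python pre-screener that a print filter could run on an incoming PostScript job before handing it to gs: it tokenizes the job, drops comments and keeps string literals whole, and flags the operators the bulletin names (file, run, renamefile, deletefile) plus %pipe% device strings. TESTPR is the bulletin's own 'testpr' sample; the function names are this example's, not any project's.

```python
# Operators the bulletin names as giving a job host file access; gs_init.ps redefines them under -dSAFER.
FILE_OPERATORS = {"file", "run", "renamefile", "deletefile"}

# Constructed sample job: the bulletin's 'testpr', comments included.
TESTPR = """%!
% Code extracts from PostScript Language Tutorial and Cookbook
/finr /Helvetica findfont 10 scalefont def
/shwr {moveto finr setfont show} def
% do the dirty work here
(/etc/passwd) (r) file
100 string readline pop 45 292 shwr showpage
"""

def tokenize(src):
    """Yield (offset, kind, text); kind is 'name' or 'string'. Comments are dropped."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "%":                                   # comment runs to end of line
            end = src.find("\n", i)
            i = n if end < 0 else end
        elif c == "(":                                 # string literal: nested parens, \ escapes
            start, depth = i, 0
            while i < n:
                depth += (src[i] == "(") - (src[i] == ")")
                if src[i] == "\\":
                    i += 1                             # skip the escaped character
                i += 1
                if depth == 0:
                    break
            yield start, "string", src[start + 1:i - 1]
        elif c.isspace() or c in "{}[]":               # delimiters carry no file access
            i += 1
        else:                                          # executable name, /literal or number
            j = i
            while j < n and not src[j].isspace() and src[j] not in "(){}[]%":
                j += 1
            yield i, "name", src[i:j]
            i = j

def scan_postscript(src):
    """Return [(line, reason)] for tokens a print filter should reject before calling gs."""
    findings = []
    for pos, kind, text in tokenize(src):
        line = src.count("\n", 0, pos) + 1
        if kind == "name" and text.lstrip("/") in FILE_OPERATORS:
            findings.append((line, f"operator {text}"))      # 'file' in a string or comment never gets here
        elif kind == "string" and text.startswith("%pipe"):
            findings.append((line, "%pipe% device"))
    return findings
```

Hex (<...>) and ASCII85 (<~...~>) strings are not parsed specially, so a job that uses them should be decoded first or treated as suspect.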