Nikolaus Filus wrote:
>
> Hi everybody,
>
> I just got the following mail on the LPRng mailing list. Maybe it's important
> to all of us, even if not running LPRng but ghostscript.
>
> Nikolaus
>
> ----- Forwarded message from User Papowell <papowell@××××××.com> -----
>
> Date: Tue, 18 Sep 2001 08:06:34 -0700 (PDT)
> From: User Papowell <papowell@××××××.com>
> To: lprng@×××××.com
> Subject: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access
>
> Summary: Printing a file can cause a system compromise
>
> Reason: GhostScript can open and read files on system
> (-dSAFER may not disable file open)
>
> Systems Impacted: just about everything that uses GhostScript (or
> some other PostScript interpreters) for PostScript document
> conversion. This includes the various MagicFilters, Transcript,
> LPRng's ifhp, RedHat's rh-printfilter. These are running on Linux,
> BSD, System V, possibly Sun Microsystems, HP, etc., etc., etc.
> Note: it is possible that the same problem exists on Microsoft
> systems as well if they are performing PostScript to conversions.
>
> Detailed Explanation:
>
> GhostScript is used to convert PostScript files to formats compatible
> with printers and other devices. It is used as a utility by a
> large number of 'print filters', including MagicFilters, format
> converters, LPRng's IFHP filter, RedHat's rh-printfilter, Transcript,
> etc., etc.
>
> The PostScript 'file' operator opens a file which can then be
> read and printed. Here is a sample of how this could be done:
>
> Save these lines to 'testpr':
>
> %!
> % Code extracts from PostScript Language Tutorial and Cookbook
> % Copyright 1986, Adobe Systems.
>
> % set up printing
> /finr /Helvetica findfont 10 scalefont def
> /shwr {moveto finr setfont show} def
> % do the dirty work here
> (/etc/passwd) (r) file
> % read a single line
> 100 string readline pop 45 292 shwr showpage
>
> Now run this using GhostScript:
>
> #> gs testpr
>
> If you see the first line of the /etc/passwd file displayed then
> you have a possible compromise. If GhostScript is used to convert
> PostScript to PCL or some other non-PostScript format then you can
> print copies of the various files of interest.
>
> Now try this with -dSAFER:
>
> #> gs -dSAFER testpr
>
> If you see the same output, then the -dSAFER is not preventing
> file access.
>
> MORE BAD NEWS:
>
> Now, you might think this is the worst that can happen...
> Nope. I just discovered the following:
>
> a) GhostScript can open files for writing as well as reading.
> b) Some vendors run their print filters as ROOT.
> c) Some do not have -dSAFER enabled.
>
> You might want to think about:
>
> (/etc/shadow) (w) file (root:::::) writeline
>
> There... did your blood run cold? Or are you rushing out to
> try this on your local system to see if the Sysadmin has fixed
> this? (Note for sysadmin: there is no 'writeline' primitive,
> but they will whip one up REAL SOON NOW, so get moving.)
>
> AND A POSSIBLE ADDITIONAL EXPLOIT:
>
> In addition to the 'file' command, there is also the 'run' command
> that will open a file and execute its contents. I can't think of
> any use for this, but better to be safe than sorry. Since most
> students^H^H^H^H^H^H users are smarter than me, they will most
> likely think of one.
>
> IMMEDIATE STEPS TO TAKE:
>
> Step 1: TURN OFF PRINTING NOW! Kill the LPD print spooler
> server or the lpsched print spooling server:
>
> pkill lpd
> OR
> killall lpd
> OR
> ps -e |grep lpd; find the PID of the lpd process
> and do: kill PID
>
> ps -e |grep lpsched; find the PID of the lpsched process
> and do: kill PID
>
> Step 2: Update to the latest version of GhostScript that has
> -dSAFER implemented.
>
> Step 3: Modify the gs_init.ps file. It is usually in:
>
> /usr/share/ghostscript/XXX/lib/gs_init.ps
>
> where XXX is the version of GhostScript.
>
> The following changes will disable 'file' and 'run' when
> gs is executed with -dSAFER.
>
> 1. Open the gs_init.ps file.
> 2. Look for the following lines and add the lines
> with - in front of them.
>
> % If we want a "safer" system, disable some obvious ways to cause havoc.
> SAFER not { (%END SAFER) .skipeof } if
> /file
> { dup (r) eq 2 index (%pipe*) .stringmatch not and
> 2 index (%std*) .stringmatch or
> { file }
> { /invalidfileaccess signalerror }
> ifelse
> } .bind odef
> - /file { /invalidfileaccess signalerror } odef
> - /run { /invalidfileaccess signalerror } odef
> /renamefile { /invalidfileaccess signalerror } odef
> /deletefile { /invalidfileaccess signalerror } odef
> /putdeviceprops
>
> Step 4: Make sure that all the conversion scripts use gs -dSAFER.
>
> Step 5: (for the VERY VERY paranoid sysadmin)
> Comment out the 'SAFER not ...' line; this will
> ALWAYS run GhostScript in SAFER mode.
>
> Step 6:
> Save the modified gs_init.ps file.
>
> Step 7:
> Try executing the 'testpr' file again. It should fail.
>
> Step 8:
> Re-enable printing and try printing the 'testpr' file
> to a printer that requires raster conversion.
> Your job should fail with a GhostScript error.
>
> Note: there are also other functions in the gs_init file that
> seem to allow opening and reading of files. I am not an expert
> on PostScript, so I am not in a position to comment on them.
>
> Patrick Powell                   Astart Technologies,
> papowell@××××××.com              9475 Chesapeake Drive, Suite D,
> Network and System               San Diego, CA 92123
> Consulting                       858-874-6543 FAX 858-279-8424
> LPRng - Print Spooler (http://www.lprng.com)
>
> ----- End forwarded message -----
>
> --
> To unsubscribe from this list: send a mail with the subject "unsubscribe
> rock-linux" to <minimalist@×××××××××.org>. For more information about ROCK
> Linux have a look at <http://www.rocklinux.org/>.
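The two checks the forwarded bulletin asks for, as one POSIX shell script: run the 'testpr' probe through gs with and without -dSAFER and see whether the first line of /etc/passwd comes back, and (Step 4) audit the conversion scripts for gs calls that lack -dSAFER. This is an added example, not part of the mail above and not LPRng or GhostScript code. It assumes gs is on PATH and that filters call it by the name gs; the probe sends the line it reads to stdout with the PostScript 'print' operator instead of drawing it on a page, so a script can compare it with the real first line of /etc/passwd. The file name gs_safer_check.sh and the sample filter used in the test are made up for illustration.

```shell
#!/bin/sh
# gs_safer_check.sh - added example, not from the LPRng bulletin or GhostScript.
# Two checks from the bulletin:
#   1. does `gs` / `gs -dSAFER` let a PostScript job read /etc/passwd?
#   2. do the print-filter scripts call gs without -dSAFER? (Step 4)
# Assumes gs is on PATH and that filters invoke it by the name "gs".

# Write the probe. Same idea as the bulletin's 'testpr', but the line read
# from /etc/passwd goes to stdout via 'print' instead of onto a page, so the
# result can be checked without looking at printer output.
write_probe() {
    cat > "$1" <<'EOF'
%!PS
% Open /etc/passwd read-only and echo its first line to stdout.
(/etc/passwd) (r) file
100 string readline pop print (\n) print flush
EOF
}

# gs_blocks_file_read PROBE [GS-FLAGS...]
# Returns 0 when gs did NOT echo the real first line of /etc/passwd,
# 1 when it did (file access was not prevented).
gs_blocks_file_read() {
    probe=$1
    shift
    expected=$(head -n 1 /etc/passwd)
    # -q -dNODISPLAY -dBATCH -dNOPAUSE: no banner, no output device, exit when done.
    # gs exits non-zero on /invalidfileaccess; '|| true' keeps that from being fatal.
    got=$(gs -q -dNODISPLAY -dBATCH -dNOPAUSE "$@" "$probe" 2>/dev/null || true)
    case "$got" in
        *"$expected"*) return 1 ;;
        *)             return 0 ;;
    esac
}

# audit_gs_invocations FILTER-SCRIPT
# Prints each gs invocation (the word "gs" at line start or after whitespace
# or '/') that has no -dSAFER, or that carries -dNOSAFER. Comment lines are
# skipped. Returns 0 when nothing was flagged, 1 otherwise.
audit_gs_invocations() {
    unsafe=$(grep -nE '(^|[[:space:]/])gs([[:space:]]|$)' "$1" \
             | grep -vE '^[0-9]+:[[:space:]]*#' \
             | awk '!/-dSAFER/ || /-dNOSAFER/')
    if [ -n "$unsafe" ]; then
        printf '%s\n' "$unsafe" | while IFS= read -r line; do
            printf 'UNSAFE gs call in %s at line %s\n' "$1" "$line"
        done
        return 1
    fi
    return 0
}

# Runtime probe (skipped, status 0, when gs is not installed) followed by an
# audit of every filter script given on the command line.
main() {
    status=0
    if command -v gs >/dev/null 2>&1; then
        tmp=$(mktemp -d) || return 1
        write_probe "$tmp/testpr"
        for flags in "" "-dSAFER"; do
            if gs_blocks_file_read "$tmp/testpr" $flags; then
                echo "gs ${flags:-(no flags)}: read of /etc/passwd blocked"
            else
                echo "gs ${flags:-(no flags)}: read of /etc/passwd SUCCEEDED"
                [ "$flags" = "-dSAFER" ] && status=1
            fi
        done
        rm -rf "$tmp"
    else
        echo "gs not installed; runtime probe skipped"
    fi
    for f in "$@"; do
        audit_gs_invocations "$f" || status=1
    done
    return "$status"
}

main "$@"
```

Run it as `sh gs_safer_check.sh /path/to/filter1 /path/to/filter2 ...` with whatever filter scripts your spooler actually calls. Exit status 1 means that `gs -dSAFER` still echoed the first line of /etc/passwd, or that some filter invokes gs without -dSAFER (or with -dNOSAFER). The audit is a plain text match: a gs call split over continuation lines, or a shell variable such as `GS=/usr/bin/gs`, is reported as unsafe too, which is the side to err on when the filter runs as root.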