GhostScript Vulnerability Clarification - CVE-2010-1869

2010-05-18T00:00:00
ID SECURITYVULNS:DOC:23880
Type securityvulns
Reporter Securityvulns
Modified 2010-05-18T00:00:00

Description

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to clarify this issue. Here is our advisory and the specific timeline:

Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/

GhostScript 8.70 and lower stack overflow

INTRODUCTION

Ghostscript is an interpreter for the PostScript language and the Portable Document Format (PDF).

There exists a vulnerability within the parser function that when properly exploited can lead to remote comprimise of the vulnerable system, both thru client-side exploitation (using applications like Imagemagick) or server-side exploitation (using cups printer daemon). For both cases there is a working exploit to be shared with interested parts.

This vulnerability was confirmed in the following GhostScript versions:

8.70 8.64

DETAILS

A remote attacker could entice a user to open a specially crafted PostScript file (client-side exploitation scenario) or just print the file (server-sie exploitation scenario), possibly resulting in the execution of arbitrary code with the privileges of the user running the application or the printer daemon.

Different Unix vendors and Linux distributions are vulnerable to that due to the usage of the vulnerable GhostScript version.

The following test was made on a PCBSD 8.0 default install. There is a working exploit for the vulnerability to test the exploitability in different systems. Propolice protection mitigates this vulnerability.

$ gs --version 8.70 $ gdb gs ... ... (gdb) r crash.ps ... Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 29201140 (LWP 100125)] 0x2897774e in memcpy () from /lib/libc.so.7 (gdb) bt

0 0x2897774e in memcpy () from /lib/libc.so.7

1 0x28178cb4 in scan_token () from /usr/local/lib/libgs.so.8

2 0x41414141 in ?? ()

(gdb) x/i $pc 0x2897774e <memcpy+30>: repz movsl %ds:(%esi),%es:(%edi) (gdb) i r $esi $edi esi 0xbfbfd118 -1077948136 edi 0x414142d9 1094795993

We can use the Cupsd to trigger the vulnerability in the gs process.

$ lp -d hpdskjet crash.pdf $ grep crashed /var/log/cups/error_log D [08/Mar/2010:18:01:10 -0500] [Job 11] PID 33428 (gs) crashed on signal 11!

WORKAROUND

Upgrade to GhostScript version 8.71.

TIMELINE

14/Jan - Vulnerability discovered February and March - Communications with the Vendor (Artifex) 28/Mar - First request for a CVE entry 12/Apr - Communication with RedHat and other vendors (Ubuntu, FreeBSD and others) 10/May - CVE assigned (CVE-2010-1869) 11/May - Check Point issued an IPS update to protect its customers 12/May - After seen the Check Point advisory, Dan Rosenberg published the issue to the mailing lists 12/May - Clarified with Dan that the vulnerabilities are the same.

CREDITS

This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.

-- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies