Summary: forceput in DefineResource still accessible after CVE-2019-6116
Component: Security (public)
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
QA Contact: gs-security
Priority: P4
CC: carnil, dr, jsmeix, mosvald, omarandemad, till.kamppeter
Attachments: script that gets hold of forceput from DefineResource
Description Cedric 2019-02-07 16:37:34 UTC
Created attachment 16873 [details]
script that gets hold of forceput from DefineResource

Hi,

I believe we discussed it over e-mail, but I would like to keep track of the fixing of some missing protections for some additional vectors, using similar techniques to the ones described in CVE-2019-6116.

At least DefineResource is still vulnerable:

# ./bin/gs -dSAFER -sDEVICE=ppmraw -f attack-DefineResource.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(PoC: start)
(ERROR HANDLER: undefined)
(HANDLE: typecheck)
GOT SOMETHING BAD! : .forceput == Exploit known, executing --
Trying to get the first line from /etc/passwd
(root:x:0:0:root:/root:/bin/bash)

This was tested against current master (8d0253fdeb73bdb021f665e7c5478d6e1f41898e)

Thanks!
Cedric
Comment 1 Chris Liddell (chrisl) 2019-02-20 15:12:47 UTC
Fixed in: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01

I have a more comprehensive change which I was planning that would have fixed this, but it *might* be too risky to go into the next release, so we'll go with the fix you originally suggested for now.
Comment 2 Cedric 2019-02-22 10:03:22 UTC
Hi Chris,

(Sorry for the late reply. Somehow, I didn't receive a mail regarding the update.)

I tried the fix; it actually doesn't change anything: still vulnerable.
Comment 3 Chris Liddell (chrisl) 2019-02-22 12:32:06 UTC
Yes, I see - I must have tested with the wrong executable....

There's an extra level of proc that needs to be protected:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a

On the notification e-mails, we've been having intermittent problems with bugzilla throwing strange errors trying to send mails (hopefully, it works this time!).
Comment 4 Cedric 2019-02-22 14:56:52 UTC
Looks good!

This is CVE-2019-3838

Would there be any preference for disclosure?
Comment 5 Chris Liddell (chrisl) 2019-02-22 15:11:54 UTC
(In reply to Cedric from comment #4)
> Looks good!
>
> This is CVE-2019-3838
>
> Would there be any preference for disclosure?

I would prefer it to stay private for a couple of weeks. If you could add a comment to the CVE pointing to the two commits, that would be great, too.
Comment 6 Cedric 2019-02-22 15:44:38 UTC
(In reply to Chris Liddell (chrisl) from comment #5)
> I would prefer it to stay private for a couple of weeks. If you could add a
> comment to CVE pointing to the two commits, that would be great, too.

During the request for the CVE creation, I forwarded links to both commits. Also, the Red Hat bugzilla will contain [when it gets public] a comment with both of them. I think that should cover it.

Regarding the embargo: 2 weeks looks good. I'd like to coordinate with BZ 700585 as well, so that we can release both fixes at the same time.

[btw: feel free to also delete the attached PoC before publishing]