[gentoo-dev] [Fwd: [rock-linux] [papowell@astart.com: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access]]
From: slik @ 2001-09-19 0:09 UTC
To: gentoo-dev
Nikolaus Filus wrote:
>
> Hi everybody,
>
> I just got the following mail on the LPRng mailing list. Maybe it's important
> to all of us, even those not running LPRng but GhostScript.
>
> Nikolaus
>
> ----- Forwarded message from User Papowell <papowell@astart.com> -----
>
> Date: Tue, 18 Sep 2001 08:06:34 -0700 (PDT)
> From: User Papowell <papowell@astart.com>
> To: lprng@lprng.com
> Subject: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access
>
> Summary: Printing a file can cause a system compromise
>
> Reason: GhostScript can open and read files on system
> (-dSAFER may not disable file open)
>
> Systems Impacted: just about everything that uses GhostScript (or
> some other PostScript interpreters) for PostScript document
> conversion. This includes the various MagicFilters, Transcript,
> LPRng's ifhp, RedHat's rh-printfilter. These are running on Linux,
> BSD, System V, possibly Sun Microsystems, HP, etc., etc., etc.
> Note: it is possible that the same problem exists on Microsoft
> systems as well if they are performing PostScript to conversions.
>
> Detailed Explanation:
>
> GhostScript is used to convert PostScript files to formats compatible
> with printers and other devices. It is used as a utility by a
> large number of 'print filters', including MagicFilters, format
> converters, LPRng's IFHP filter, RedHat's rh-printfilter, Transcript,
> etc., etc.
>
> The PostScript 'file' operator opens a file which can then be
> read and printed. Here is a sample of how this could be done:
>
> Save these lines to 'testpr':
>
> %!
> % Code extracts from PostScript Language Tutorial and Cookbook
> % Copyright 1986, Adobe Systems.
>
> % set up printing
> /finr /Helvetica findfont 10 scalefont def
> /shwr {moveto finr setfont show} def
> % do the dirty work here
> (/etc/passwd) (r) file
> % read a single line
> 100 string readline pop 45 292 shwr showpage
>
> Now run this using GhostScript:
>
> #> gs testpr
>
> If you see the first line of the /etc/passwd file displayed then
> you have a possible compromise. If GhostScript is used to convert
> PostScript to PCL or some other non-PostScript format then you can
> print copies of the various files of interest.
>
> Now try this with -dSAFER
>
> #> gs -dSAFER testpr
>
> If you see the same output, then the -dSAFER is not preventing
> file access.
>
> MORE BAD NEWS:
>
> Now, you might think this is the worst that can happen...
> Nope. I just discovered the following:
>
> a) GhostScript can open files for writing as well as reading.
> b) Some vendors run their print filters as ROOT.
> c) Some do not have -dSAFER enabled.
>
> You might want to think about:
>
> (/etc/shadow) (w) file (root:::::) writeline
>
> There... did your blood run cold? Or are you rushing out to
> try this on your local system to see if the Sysadmin has fixed
> this? (Note for sysadmin: there is no 'writeline' primitive,
> but they will whip one up REAL SOON NOW, so get moving.)
>
> AND A POSSIBLE ADDITIONAL EXPLOIT:
>
> In addition to the 'file' command, there is also the 'run' command
> that will open a file and execute its contents. I can't think of
> any use for this, but better to be safe than sorry. Since most
> students^H^H^H^H^H^H users are smarter than me, they will most
> likely think of one.
>
> IMMEDIATE STEPS TO TAKE:
>
> Step 1: TURN OFF PRINTING NOW! Kill the LPD print spooler
> server or the lpsched print spooling server:
>
> pkill lpd
> OR
> killall lpd
> OR
> ps -e |grep lpd; find the PID of the lpd process
> and do: kill PID
>
> ps -e |grep lpsched; find the PID of the lpsched process
> and do: kill PID
>
> Step 2: Update to the latest version of GhostScript that has
> -dSAFER implemented.
>
> Step 3: Modify the gs_init.ps file. It is usually in:
>
> /usr/share/ghostscript/XXX/lib/gs_init.ps
>
> where XXX is the version of GhostScript.
>
> The following changes will disable 'file' and 'run' when
> gs is executed with -dSAFER.
>
> 1. open the gs_init.ps file.
> 2. Look for the following lines and add the lines
> with - in front of them.
>
> % If we want a "safer" system, disable some obvious ways to cause havoc.
> SAFER not { (%END SAFER) .skipeof } if
> /file
> { dup (r) eq 2 index (%pipe*) .stringmatch not and
> 2 index (%std*) .stringmatch or
> { file }
> { /invalidfileaccess signalerror }
> ifelse
> } .bind odef
> - /file { /invalidfileaccess signalerror } odef
> - /run { /invalidfileaccess signalerror } odef
> /renamefile { /invalidfileaccess signalerror } odef
> /deletefile { /invalidfileaccess signalerror } odef
> /putdeviceprops
>
> Step 4: make sure that all the conversion scripts use gs -dSAFER
>
> Step 5: (for the VERY VERY paranoid sysadmin)
> Comment out the 'SAFER not ...' line; this will
> ALWAYS run GhostScript in SAFER mode.
>
> Step 6:
> save the modified gs_init.ps file.
>
> Step 7:
> Try executing the 'testpr' file again. It should fail.
>
> Step 8:
> Re-enable printing and try printing the 'testpr' file
> to a printer that requires raster conversion.
> Your job should fail with a GhostScript error.
>
> Note: there are also other functions in the gs_init file that
> seem to allow opening and reading of files. I am not an expert
> on PostScript, so I am not in a position to comment on them.
>
> Patrick Powell Astart Technologies,
> papowell@astart.com 9475 Chesapeake Drive, Suite D,
> Network and System San Diego, CA 92123
> Consulting 858-874-6543 FAX 858-279-8424
> LPRng - Print Spooler (http://www.lprng.com)
>
> ----- End forwarded message -----
>
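The two configuration checks the bulletin asks for (Step 3: gs_init.ps redefines 'file' and 'run' to signal /invalidfileaccess; Step 4: every gs call in a print filter passes -dSAFER) as an added Python audit example. This is not code from the bulletin or from LPRng; the filter script and gs_init.ps excerpts are constructed samples, and the Step 3 check assumes the one-line override form the bulletin shows.

```python
"""Audit helpers for Steps 3 and 4 of the bulletin above (added example,
not the bulletin's or LPRng's code). Sample inputs are constructed."""
import re
import shlex

# Command word is 'gs' or a path ending in '/gs' (e.g. /usr/bin/gs)
GS_CMD = re.compile(r"(^|/)gs$")

def unsafe_gs_invocations(script_text):
    """Return (line_no, line) for every shell command that runs gs
    without -dSAFER (Step 4). Pipelines and ';'/'&&' chains are split
    so each command is examined on its own; comments are ignored."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        for cmd in re.split(r"\||;|&&", code):
            try:
                words = shlex.split(cmd)
            except ValueError:      # unbalanced quotes: cannot parse
                continue
            if words and GS_CMD.search(words[0]) and "-dSAFER" not in words:
                findings.append((no, line.strip()))
    return findings

def safer_disables(gs_init_text, operator):
    """True if gs_init.ps carries the Step 3 override for 'file' or 'run',
    i.e. a line of the form '/run { /invalidfileaccess signalerror } odef'."""
    pat = re.compile(r"^\s*/" + re.escape(operator)
                     + r"\s*\{\s*/invalidfileaccess\s+signalerror\s*\}\s*odef",
                     re.M)
    return bool(pat.search(gs_init_text))

# Constructed print-filter excerpt: line 3 lacks -dSAFER, line 4 has it.
SAMPLE_FILTER = """#!/bin/sh
# constructed print filter excerpt
gs -q -dNOPAUSE -dBATCH -sDEVICE=ljet4 -sOutputFile=- -
cat "$1" | /usr/bin/gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pcl3 -sOutputFile=- -
echo done
"""

# Constructed gs_init.ps excerpts: before and after adding the Step 3 lines.
GS_INIT_BEFORE = """SAFER not { (%END SAFER) .skipeof } if
/renamefile { /invalidfileaccess signalerror } odef
/deletefile { /invalidfileaccess signalerror } odef
"""
GS_INIT_AFTER = GS_INIT_BEFORE + """/file { /invalidfileaccess signalerror } odef
/run { /invalidfileaccess signalerror } odef
"""
```

Run `unsafe_gs_invocations` over each filter script in the spool directory and `safer_disables(text, "file")` / `safer_disables(text, "run")` over the installed gs_init.ps; a finding from the first or a False from the second means the bulletin's steps are not yet applied on that host.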