From: slik@telusplanet.net
To: gentoo-dev@cvs.gentoo.org
Subject: [gentoo-dev] [Fwd: [rock-linux] [papowell@astart.com: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access]]
Date: Wed Sep 19 00:09:02 2001
X-Original-Date: Wed, 19 Sep 2001 00:07:07 -0600
Message-ID: <3BA8360B.9C5B6466@telusplanet.net>

Nikolaus Filus wrote:
>
> Hi everybody,
>
> I just got the following mail on the LPRng mailing list. Maybe it's important
> to all of us, even if not running LPRng, but ghostscript.
>
> Nikolaus
>
> ----- Forwarded message from User Papowell -----
>
> Date: Tue, 18 Sep 2001 08:06:34 -0700 (PDT)
> From: User Papowell
> To: lprng@lprng.com
> Subject: LPRng: SECURITY BULLETIN - GhostScript -dSAFER does not prevent file access
>
> Summary: Printing a file can cause a system compromise
>
> Reason: GhostScript can open and read files on system
> (-dSAFER may not disable file open)
>
> Systems Impacted: just about everything that uses GhostScript (or
> some other PostScript interpreters) for PostScript document
> conversion. This includes the various MagicFilters, Transcript,
> LPRng's ifhp, RedHat's rh-printfilter. These are running on Linux,
> BSD, System V, possibly Sun Microsystems, HP, etc., etc., etc.
> Note: it is possible that the same problem exists on Microsoft
> systems as well if they are performing PostScript to conversions.
>
> Detailed Explanation:
>
> GhostScript is used to convert PostScript files to formats compatible
> with printers and other devices. It is used as a utility by a
> large number of 'print filters', including MagicFilters, format
> converters, LPRng's IFHP filter, RedHat's rh-printfilter, Transcript,
> etc., etc.
>
> The PostScript 'file' operator opens a file which can then be
> read and printed. Here is a sample of how this could be done:
>
> Save these lines to 'testpr':
>
> %!
> % Code extracts from PostScript Language Tutorial and Cookbook
> % Copyright 1986, Adobe Systems.
>
> % set up printing
> /finr /Helvetica findfont 10 scalefont def
> /shwr {moveto finr setfont show} def
> % do the dirty work here
> (/etc/passwd) (r) file
> % read a single line
> 100 string readline pop 45 292 shwr showpage
>
> Now run this using GhostScript:
>
> #> gs testpr
>
> If you see the first line of the /etc/passwd file displayed then
> you have a possible compromise. If GhostScript is used to convert
> PostScript to PCL or some other non-PostScript format then you can
> print copies of the various files of interest.
>
> Now try this with -dSAFER
>
> #> gs -dSAFER testpr
>
> If you see the same output, then the -dSAFER is not preventing
> file access.
>
> MORE BAD NEWS:
>
> Now, you might think this is the worst that can happen...
> Nope. I just discovered the following:
>
> a) GhostScript can open files for writing as well as reading.
> b) Some vendors run their print filters as ROOT.
> c) Some do not have -dSAFER enabled.
>
> You might want to think about:
>
> (/etc/shadow) (w) file (root:::::) writeline
>
> There... did your blood run cold? Or are you rushing out to
> try this on your local system to see if the Sysadmin has fixed
> this? (Note for sysadmin: there is no 'writeline' primitive,
> but they will whip one up REAL SOON NOW, so get moving.)
>
> AND A POSSIBLE ADDITIONAL EXPLOIT:
>
> In addition to the 'file' command, there is also the 'run' command
> that will open a file and execute its contents. I can't think of
> any use for this, but better to be safe than sorry. Since most
> students^H^H^H^H^H^H users are smarter than me, they will most
> likely think of one.
>
> IMMEDIATE STEPS TO TAKE:
>
> Step 1: TURN OFF PRINTING NOW! Kill the LPD print spooler
> server or the lpsched print spooling server:
>
> pkill lpd
> OR
> killall lpd
> OR
> ps -e |grep lpd; find the PID of the lpd process
> and do: kill PID
>
> ps -e |grep lpsched; find the PID of the lpsched process
> and do: kill PID
>
> Step 2: Update to the latest version of GhostScript that has
> -dSAFER implemented.
>
> Step 3: Modify the gs_init.ps file. It is usually in:
>
> /usr/share/ghostscript/XXX/lib/gs_init.ps
>
> where XXX is the version of GhostScript.
>
> The following changes will disable 'file' and 'run' when
> gs is executed with -dSAFER.
>
> 1. Open the gs_init.ps file.
> 2. Look for the following lines and add the lines
> with - in front of them.
>
> % If we want a "safer" system, disable some obvious ways to cause havoc.
> SAFER not { (%END SAFER) .skipeof } if
> /file
>   { dup (r) eq 2 index (%pipe*) .stringmatch not and
>     2 index (%std*) .stringmatch or
>     { file }
>     { /invalidfileaccess signalerror }
>     ifelse
>   } .bind odef
> - /file { /invalidfileaccess signalerror } odef
> - /run { /invalidfileaccess signalerror } odef
> /renamefile { /invalidfileaccess signalerror } odef
> /deletefile { /invalidfileaccess signalerror } odef
> /putdeviceprops
>
> Step 4: make sure that all the conversion scripts use gs -dSAFER
>
> Step 5: (for the VERY VERY paranoid sysadmin)
> Comment out the 'SAFER not ...' line; this will
> ALWAYS run GhostScript in SAFER mode.
>
> Step 6:
> Save the modified gs_init.ps file.
>
> Step 7:
> Try executing the 'testpr' file again. It should fail.
>
> Step 8:
> Re-enable printing and try printing the 'testpr' file
> to a printer that requires raster conversion.
> Your job should fail with a GhostScript error.
>
> Note: there are also other functions in the gs_init file that
> seem to allow opening and reading of files. I am not an expert
> on PostScript, so I am not in a position to comment on them.
>
> Patrick Powell                 Astart Technologies,
> papowell@astart.com            9475 Chesapeake Drive, Suite D,
> Network and System             San Diego, CA 92123
> Consulting                     858-874-6543 FAX 858-279-8424
> LPRng - Print Spooler (http://www.lprng.com)
>
> -----------------------------------------------------------------------------
> YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST
> The address you post from MUST be your subscription address
>
> If you need help, send email to majordomo@lprng.com (or lprng-requests
> or lprng-digest-requests) with the word 'help' in the body.
> For the impatient,
> to subscribe to a list with name LIST, send mail to majordomo@lprng.com
> with:                      | example:
> subscribe LIST             | subscribe lprng-digest myname@host.org
> unsubscribe LIST           | unsubscribe lprng myname@host.org
>
> If you have major problems, send email to papowell@astart.com with the word
> LPRNGLIST in the SUBJECT line.
> -----------------------------------------------------------------------------
>
> ----- End forwarded message -----
>
> --
> To unsubscribe from this list: send a mail with the subject "unsubscribe
> rock-linux" to . For more information about ROCK
> Linux have a look at .
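Steps 3 through 5 of the forwarded bulletin are a manual edit of gs_init.ps plus a check of every conversion script, which is easy to get half right across a fleet. The following Python is an added example, not part of the bulletin, of LPRng or of GhostScript: it audits the text of a gs_init.ps for the guard line and the two override lines the bulletin quotes, reports whether the guard has been commented out (Step 5), and scans a print-filter script for gs invocations missing -dSAFER (Step 4). It assumes the SAFER section ends at a line beginning with `%END SAFER`, which is the marker the quoted `.skipeof` guard skips to; the gs_init.ps fragments and the filter script it runs on are constructed from the lines quoted in the bulletin, not taken from any real installation.

```python
"""Audit helpers for the GhostScript SAFER hardening the bulletin describes.

Added example, not part of the bulletin, LPRng or GhostScript. It works on the
text of gs_init.ps and of a filter script, so it needs no gs binary.
Assumption: the SAFER section ends at a line starting with "%END SAFER".
"""
import re

# The guard line quoted in the bulletin; a leading '%' means it was commented
# out (Step 5), so the SAFER definitions apply even without -dSAFER.
_GUARD = re.compile(
    r"^(?P<comment>%\s*)?SAFER\s+not\s*\{\s*\(%END SAFER\)\s*\.skipeof\s*\}\s*if\b")
# The two override lines the bulletin tells the admin to add (Step 3).
_OVERRIDE = re.compile(
    r"^/(?P<op>file|run)\s*\{\s*/invalidfileaccess\s+signalerror\s*\}\s*odef\b")
_END = re.compile(r"^%END SAFER\b")
_GS_NAMES = {"gs", "ghostscript"}


def audit_gs_init(text):
    """Describe the SAFER section of a gs_init.ps file.

    guard: 'active' (overrides apply only under -dSAFER), 'forced' (guard
    commented out, Step 5) or 'missing'. file_blocked / run_blocked: the
    operator is redefined to signal invalidfileaccess inside the section.
    """
    guard, in_section = "missing", False
    blocked = {"file": False, "run": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = _GUARD.match(line)
        if m:
            guard = "forced" if m.group("comment") else "active"
            in_section = True
            continue
        if in_section and _END.match(line):
            in_section = False
            continue
        if in_section:
            m = _OVERRIDE.match(line)
            if m:
                blocked[m.group("op")] = True
    return {"guard": guard, "file_blocked": blocked["file"],
            "run_blocked": blocked["run"],
            "hardened": blocked["file"] and blocked["run"]}


def find_unsafe_gs_calls(script):
    """Return [(line_no, line)] for each gs invocation lacking -dSAFER (Step 4).

    Heuristic: non-comment lines are split on | ; && and the first word of each
    command is compared by basename. Calls built via variables are not followed.
    """
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in re.split(r"\|\|?|&&|;", line):
            words = cmd.split()
            if (words and words[0].rsplit("/", 1)[-1] in _GS_NAMES
                    and "-dSAFER" not in words):
                findings.append((no, line))
                break
    return findings


# Constructed samples built from the lines quoted in the bulletin.
UNPATCHED_GS_INIT = """\
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
  { dup (r) eq 2 index (%pipe*) .stringmatch not and
    2 index (%std*) .stringmatch or
    { file }
    { /invalidfileaccess signalerror }
    ifelse
  } .bind odef
/renamefile { /invalidfileaccess signalerror } odef
/deletefile { /invalidfileaccess signalerror } odef
%END SAFER
"""
# Step 3 applied: the two '-' lines from the bulletin inserted.
PATCHED_GS_INIT = UNPATCHED_GS_INIT.replace(
    "/renamefile",
    "/file { /invalidfileaccess signalerror } odef\n"
    "/run { /invalidfileaccess signalerror } odef\n/renamefile", 1)
# Step 5 applied on top: guard line commented out.
FORCED_GS_INIT = PATCHED_GS_INIT.replace("\nSAFER not", "\n% SAFER not", 1)

# Constructed, hypothetical filter fragment; not any real filter's code.
FILTER_SCRIPT = """\
#!/bin/sh
# raster conversion for two printers
gs -q -dNOPAUSE -dBATCH -sDEVICE=ljet4 -sOutputFile=- - | lpr -P raw
/usr/bin/gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pcl3 -sOutputFile=- -
"""

if __name__ == "__main__":
    for name, text in [("unpatched", UNPATCHED_GS_INIT),
                       ("patched", PATCHED_GS_INIT), ("forced", FORCED_GS_INIT)]:
        print(name, audit_gs_init(text))
    for no, line in find_unsafe_gs_calls(FILTER_SCRIPT):
        print(f"missing -dSAFER at line {no}: {line}")
```

On the unpatched fragment the multi-line `/file` definition still permits `(r)` opens, so `hardened` is False even though the guard is present; only after the two override lines sit inside the section does it report True, and commenting the guard out flips `guard` to `forced`. The script scan is deliberately simple; treat anything it cannot resolve (variables, `eval`, wrappers) as needing a manual look.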
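The bulletin's test file shows the shape of a job that abuses the `file` operator, and it names `run`, `renamefile` and `deletefile` alongside it. As an added example (not from the bulletin, LPRng or any real print filter), the Python below pre-screens a spooled PostScript job for those four operators preceded by literal string operands, which is the form the bulletin quotes, so a spooler can hold such jobs for review before they reach gs. It is a triage heuristic only: PostScript can assemble operator names at run time, so `-dSAFER` with a hardened gs_init.ps remains the actual control. The sample job is constructed for the example; the comment stripper and the string regex are this example's own and do not handle nested parentheses inside strings.

```python
"""Pre-screen a spooled PostScript job for the file-system operators named in
the bulletin. Added example; heuristic triage, not a replacement for -dSAFER.
"""
import re

FILE_OPERATORS = ("file", "run", "deletefile", "renamefile")

# A PostScript literal string without nested parentheses, e.g. (/etc/passwd).
_STRING = r"\((?:[^()\\]|\\.)*\)"
_OPS = "|".join(FILE_OPERATORS)
# One or two literal strings followed by one of the operators, covering
#   (path) (r) file   (path) run   (old) (new) renamefile   (path) deletefile
_PATTERN = re.compile(rf"{_STRING}\s*(?:{_STRING}\s*)?(?P<op>{_OPS})\b")


def _strip_comment(line):
    """Drop a trailing % comment but keep % characters inside (...) strings."""
    out, depth, i = [], 0, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and depth:            # escaped character inside a string
            out.append(line[i:i + 2])
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif c == "%" and depth == 0:
            break
        out.append(c)
        i += 1
    return "".join(out)


def scan_job(ps_text):
    """Return [(line_no, operator, matched_text)] for each flagged use."""
    hits = []
    for no, raw in enumerate(ps_text.splitlines(), 1):
        for m in _PATTERN.finditer(_strip_comment(raw)):
            hits.append((no, m.group("op"), m.group(0).strip()))
    return hits


# Constructed sample job: the bulletin's read probe, a 'run', and some
# harmless drawing code that must not be flagged.
SAMPLE_JOB = """\
%!
% constructed test job
/finr /Helvetica findfont 10 scalefont def
(/etc/passwd) (r) file
100 string readline pop 45 292 moveto finr setfont show showpage
(/tmp/job-header.ps) run  % second finding
(hello world) show        % 'show' is not a file operator
"""

if __name__ == "__main__":
    for no, op, text in scan_job(SAMPLE_JOB):
        print(f"line {no}: {op:<10} {text}")
```

Run against the sample it flags line 4 (`file`) and line 6 (`run`) and nothing else; the `%` inside a string operand is preserved so `(50%) (w) file` is still caught, while a fully commented-out line is ignored. A hit should route the job to a held queue and a log entry for the operator, not silently drop it, so an operator can distinguish a misbehaving driver from a deliberate probe.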