Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23880
HistoryMay 18, 2010 - 12:00 a.m.

GhostScript Vulnerability Clarification - CVE-2010-1869

2010-05-1800:00:00
vulners.com
16

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to clarify this issue. Here is our advisory and the specific timeline:

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

GhostScript 8.70 and lower stack overflow

INTRODUCTION

Ghostscript is an interpreter for the PostScript language and the Portable Document Format (PDF).

There exists a vulnerability within the parser function that when properly exploited can lead to remote comprimise of the vulnerable system, both thru
client-side exploitation (using applications like Imagemagick) or server-side exploitation (using cups printer daemon). For both cases
there is a working exploit to be shared with interested parts.

This vulnerability was confirmed in the following GhostScript versions:

8.70
8.64

DETAILS

A remote attacker could entice a user to open a specially crafted PostScript file (client-side exploitation scenario) or just print the file (server-sie
exploitation scenario), possibly resulting in the execution of arbitrary code with the privileges of the user running the application or the printer daemon.

Different Unix vendors and Linux distributions are vulnerable to that due to the usage of the vulnerable GhostScript version.

The following test was made on a PCBSD 8.0 default install. There is a working exploit for the vulnerability to test the exploitability in different systems.
Propolice protection mitigates this vulnerability.

$ gs --version
8.70
$ gdb gs


(gdb) r crash.ps

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 29201140 (LWP 100125)]
0x2897774e in memcpy () from /lib/libc.so.7
(gdb) bt
#0 0x2897774e in memcpy () from /lib/libc.so.7
#1 0x28178cb4 in scan_token () from /usr/local/lib/libgs.so.8
#2 0x41414141 in ?? ()
(gdb) x/i $pc
0x2897774e <memcpy+30>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) i r $esi $edi
esi 0xbfbfd118 -1077948136
edi 0x414142d9 1094795993

We can use the Cupsd to trigger the vulnerability in the gs process.

$ lp -d hpdskjet crash.pdf
$ grep crashed /var/log/cups/error_log
D [08/Mar/2010:18:01:10 -0500] [Job 11] PID 33428 (gs) crashed on signal 11!

WORKAROUND

Upgrade to GhostScript version 8.71.

TIMELINE

14/Jan - Vulnerability discovered
February and March - Communications with the Vendor (Artifex)
28/Mar - First request for a CVE entry
12/Apr - Communication with RedHat and other vendors (Ubuntu, FreeBSD and others)
10/May - CVE assigned (CVE-2010-1869)
11/May - Check Point issued an IPS update to protect its customers
12/May - After seen the Check Point advisory, Dan Rosenberg published the issue to the mailing lists
12/May - Clarified with Dan that the vulnerabilities are the same.

CREDITS

This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,

Rodrigo.


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Related for SECURITYVULNS:DOC:23880