Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

GhostScript Vulnerability Clarification - CVE-2010-1869
From: Rodrigo Branco <rbranco () checkpoint com>
Date: Mon, 17 May 2010 06:10:11 -0700

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to clarify this issue.   Here is our advisory and 
the specific timeline:


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

GhostScript 8.70 and lower stack overflow


INTRODUCTION

Ghostscript is an interpreter for the PostScript language and the Portable Document Format (PDF).

There exists a vulnerability within the parser function that when properly exploited can lead to remote comprimise of 
the vulnerable system, both thru client-side exploitation (using applications like Imagemagick) or server-side 
exploitation (using cups printer daemon). For both cases
there is a working exploit to be shared with interested parts.

This vulnerability was confirmed in the following GhostScript versions:

8.70
8.64


DETAILS

A remote attacker could entice a user to open a specially crafted PostScript file (client-side exploitation scenario) 
or just print the file (server-sie exploitation scenario), possibly resulting in the execution of arbitrary code with 
the privileges of the user running the application or the printer daemon.

Different Unix vendors and Linux distributions are vulnerable to that due to the usage of the vulnerable GhostScript 
version.

The following test was made on a PCBSD 8.0 default install.  There is a working exploit for the vulnerability to test 
the exploitability in different systems.  Propolice protection mitigates this vulnerability.

$ gs --version
8.70
$ gdb gs
...
...
(gdb) r crash.ps
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 29201140 (LWP 100125)]
0x2897774e in memcpy () from /lib/libc.so.7
(gdb) bt
#0  0x2897774e in memcpy () from /lib/libc.so.7
#1  0x28178cb4 in scan_token () from /usr/local/lib/libgs.so.8
#2  0x41414141 in ?? ()
(gdb) x/i $pc
0x2897774e <memcpy+30>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) i r $esi $edi
esi            0xbfbfd118       -1077948136
edi            0x414142d9       1094795993

We can use the Cupsd to trigger the vulnerability in the gs process.

$ lp -d hpdskjet crash.pdf
$ grep crashed /var/log/cups/error_log
D [08/Mar/2010:18:01:10 -0500] [Job 11] PID 33428 (gs) crashed on signal 11!


WORKAROUND

Upgrade to GhostScript version 8.71.


TIMELINE

14/Jan - Vulnerability discovered
February and March - Communications with the Vendor (Artifex)
28/Mar - First request for a CVE entry
12/Apr - Communication with RedHat and other vendors (Ubuntu, FreeBSD and others)
10/May - CVE assigned (CVE-2010-1869)
11/May - Check Point issued an IPS update to protect its customers
12/May - After seen the Check Point advisory, Dan Rosenberg published the issue to the mailing lists
12/May - Clarified with Dan that the vulnerabilities are the same.

CREDITS

This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team 
(VDT).



Best Regards,

Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • GhostScript Vulnerability Clarification - CVE-2010-1869 Rodrigo Branco (May 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault