[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : ghostscript Vulnerability

Title: ghostscript Vulnerability
Released by: CERT
Date: 31st August 1995
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





=============================================================================

CERT(*) Advisory CA-95:10

Original issue date: August 31, 1995

Last revised: September 23, 1997

                Updated Copyright information   



              A complete revision history is at the end of this file.



Topic:  ghostscript Vulnerability

- -----------------------------------------------------------------------------



             A large portion of the technical content of this

             advisory was provided by the DFN-CERT and NASIRC

             response teams, and is used with their permission.



There is a vulnerability in older versions of ghostscript (gs) that enables

users to execute commands and thus modify files. This problem involves the

- -dSAFER option and is present in all versions of ghostscript from 2.6 through

3.22 beta.



We recommend that you apply the solution in Section III below to fix the

- -dSAFER PostScript code or install the latest version of ghostscript (version

4.01). In both cases, we urge you to make -dSAFER the default mode for

all versions of ghostscript starting with version 2.6.



We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.



- -----------------------------------------------------------------------------



I.   Background



     The PostScript language, which was designed for the expression of

     graphical data, is widely used for transferring images and preformatted

     text across the Internet. The language includes primitives for file

     operations, which were intended to be useful in the expression of images.

     Unfortunately the operations can be abused by people intentionally

     embedding commands within an otherwise harmless image so that when

     displaying that image the PostScript viewer may perform malicious

     file creations or deletions.



     This is a potentially serious problem because many images transferred

     on the World Wide Web are sent in PostScript. For example, a malicious

     person could install a booby-trapped image on a web-page, buried among

     useful or interesting data.



     The viewer "ghostscript," a PostScript interpreter, recognizes the

     command-line option: "-dSAFER". This option is intended to disable

     the file operations and the %pipe PostScript operator that could be

     abused to do damage. This option is intended to protect you from this

     type of sabotage when viewing images from untrusted sources.



II.  Problem Description



     Problems exist with the ghostscript program, which supports the kind

     of commands discussed above.



     Older versions of ghostscript do not completely disable the pipe operator

     that can be used execute commands that can modify files. Therefore the

     option -dSAFER does not provide full protection.



     This problem is present in all versions of ghostscript between

     2.6 (when the %pipe operator was added) and 3.22beta (when a fix

     was made).



III. Impact



     Attackers who have inserted malicious code into a PostScript file can

     cause commands to be executed and files to be modified on any system

     where that PostScript file is viewed with ghostscript.



IV. Solutions



     We recommend either fixing the -dSAFER PostScript code or installing

     version 4.01 of ghostscript (see Sections IV.A and IV.B). In addition,

     we urge you to enable the -dSAFER option as the default (see Section

     IV.C).



     A. Fixing the -dSAFER PostScript code



        The following fix is in the form of "diff" output, which is

        suitable for use with the GNU patch program.  This patch brings the

        code into conformance with the version of gs_init.ps distributed

        with the latest version of ghostscript (4.01) and can be

        applied to the GNU versions 2.6, 2.6.1, and 2.6.2.  The file

        to be patched is in the ghostscript library. As an example,

        gs_init.ps could be installed in:



          /usr/local/lib/ghostscript/gs_init.ps



        Here is the patch. Please see the Updates section at the end of this

        file for cautions and for corrections to be applied in some situations.



- --------------------------------cut here--------------------------------------



*** gs_init.ps.orig     Fri Aug 25 10:42:51 1995

- --- gs_init.ps  Fri Aug 25 11:16:24 1995

***************

*** 302,308 ****

  % If we want a "safer" system, disable some obvious ways to cause havoc.

  SAFER not { (%END SAFER) .skipeof } if

  /file

!  { dup (r) eq

      { file }

      { /invalidfileaccess signalerror }

     ifelse

- --- 302,308 ----

  % If we want a "safer" system, disable some obvious ways to cause havoc.

  SAFER not { (%END SAFER) .skipeof } if

  /file

! { dup (r) eq 2 index (%pipe*) .stringmatch not and

      { file }

      { /invalidfileaccess signalerror }

     ifelse

- --------------------------------cut here--------------------------------------



        The key is to change the line that says:



          { dup (r) eq



        to one that says:



          { dup (r) eq 2 index (%pipe*) .stringmatch not and



        Here are the relevant lines in the gs_init.ps file for version 2.6.2

        of ghostscript before the patch:



302  % If we want a "safer" system, disable some obvious ways to cause havoc.

303  SAFER not { (%END SAFER) .skipeof } if

304  /file

305   { dup (r) eq

306      { file }

307      { /invalidfileaccess signalerror }

308     ifelse

309   } bind odef

310  /renamefile { /invalidfileaccess signalerror } odef

311  /deletefile { /invalidfileaccess signalerror } odef

312  %END SAFER



        Here are the same lines after the patch has been applied:



302  % If we want a "safer" system, disable some obvious ways to cause havoc.

303  SAFER not { (%END SAFER) .skipeof } if

304  /file

305  { dup (r) eq 2 index (%pipe*) .stringmatch not and

306      { file }

307      { /invalidfileaccess signalerror }

308     ifelse

309   } bind odef

310  /renamefile { /invalidfileaccess signalerror } odef

311  /deletefile { /invalidfileaccess signalerror } odef

312  %END SAFER





     B. Installing version 4.01



        You may wish to install Aladdin Ghostscript version 4.01.

        The latest version of ghostscript is version 4.01 and

        is available at the locations noted below.



        This version of ghostscript is provided by Aladdin Enterprises and

        is subject to their licensing agreements.  Please read the "Aladdin

        Ghostscript Free Public License" (included in the source code

        distribution) which differs from the "GNU Public License."



        Please note that this version is not the GNU version.  The latest GNU

        version, which is version 2.6.2, does not fix this problem.



          http://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01.tar.gz

                MD5=21a0fe505bbaf75e2e6aeb4e07689fb6



          http://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01jpeg.tar.gz

                MD5=5360e0aa47b415daa44623196f7e6160



          http://ftp.cs.wisc.edu/ghost/aladdin/ghostscript-4.01zlib.tar.gz

                MD5=8eb230a39275b0759f06fa100250fc00



        Optionally, you may need the font files for this release.  They are

        available at these locations:



         http://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-std-4.01.tar.gz

                MD5=1e0fe2149affd80deaaae144227049b9



         http://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-other-4.01.tar.gz

                MD5=afe46faf7fde6518ae004a7e8d9a4af4



     C. Making -dSAFER the default



        To make -dSAFER the default mode for ghostscript for all versions

        of ghostscript starting with version 2.6, the file gs_init.ps must

        again be changed.  The PostScript commands which check the actual

        interpreted command are collected in one single if statement in the

        gs_init.ps file. By commenting out the begin and end lines of this

        if statement, the check is always applied meaning that the -dSAFER

        option is always enabled.



        NOTE: If you make this change, all file and %pipe operations are

        disabled and cannot be re-enabled.



        The lines which must be changed are:



              303  SAFER not { (%END SAFER) .skipeof } if

        and

              312  %END SAFER



        These two lines should be commented out and made to look like this:



              303  % SAFER not { (%END SAFER) .skipeof } if

        and

              312  % %END SAFER



        If you are using ghostscript 2.6.2, the code will look like the

        following when both patches noted above are installed:



302  % If we want a "safer" system, disable some obvious ways to cause havoc.

303  % SAFER not { (%END SAFER) .skipeof } if

304  /file

305  { dup (r) eq 2 index (%pipe*) .stringmatch not and

306      { file }

307      { /invalidfileaccess signalerror }

308     ifelse

309   } bind odef

310  /renamefile { /invalidfileaccess signalerror } odef

311  /deletefile { /invalidfileaccess signalerror } odef

312  % %END SAFER





- ---------------------------------------------------------------------------

The CERT Coordination Center staff thanks the DFN-CERT and NASIRC response

teams for providing a large portion of the technical content of this advisory,

and we thank Wolfgang Ley for his assistance.

- ---------------------------------------------------------------------------



If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).



If you wish to send sensitive incident or vulnerability information to

CERT staff by electronic mail, we strongly advise that the email be

encrypted.  The CERT Coordination Center can support a shared DES key, PGP

(public key available via anonymous FTP on info.cert.org), or PEM (contact

CERT staff for details).



Internet email: cert@cert.org

Telephone: +1 412-268-7090 (24-hour hotline)

           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),

           and are on call for emergencies during other hours.

Fax: +1 412-268-6989



Postal address:  CERT Coordination Center

                 Software Engineering Institute

                 Carnegie Mellon University

                 Pittsburgh, PA 15213-3890

                 USA



CERT advisories and bulletins are posted on the USENET newsgroup

comp.security.announce. If you would like to have future advisories and

bulletins mailed to you or to a mail exploder at your site, please send mail

to cert-advisory-request@cert.org.



Past CERT publications, information about FIRST representatives, and

other information related to computer security are available for anonymous

FTP from info.cert.org.



- ------------------------------------------------------------------------------



Copyright 1995 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.







=============================================================================

UPDATES



1) We have received information that some tools that convert PostScript to

   other formats break when the SAFER option is the default, as recommended

   in Section III.C above.



   The problem is that these tools need the PostScript /file directive

   that is disabled when the SAFER option is made the default.  To this end,

   there is a fix from Joern Tellkamp (tellkamp@informatik.uni-hamburg.de),

   provided by DFN-CERT that defines an UNSAFER option to ghostscript.

   By default, ghostscript with the fixes listed in Section III.C above

   sets the SAFER option.



   The following patch changes the SAFER option to the UNSAFER option.  By

   default, SAFER is on but it can be turned off with the -dUNSAFER option to

   ghostscript.  This, too, is applied to the original gs_init.ps file.



                        Begin UNSAFER Patch

- ------------------------------------------------------------------------------



*** gs_init.ps          Fri Aug 25 10:42:51 1995

- --- gs_init.ps.unsafer  Fri Oct 20 13:57:37 1995

***************

*** 66,72 ****

     currentdict /OUTPUTFILE undef

   } if

  currentdict /QUIET known   /QUIET exch def

! currentdict /SAFER known   /SAFER exch def

  currentdict /WRITESYSTEMDICT known   /WRITESYSTEMDICT exch def



  % Acquire environment variables.

- --- 66,72 ----

     currentdict /OUTPUTFILE undef

   } if

  currentdict /QUIET known   /QUIET exch def

! currentdict /UNSAFER known /UNSAFER exch def

  currentdict /WRITESYSTEMDICT known   /WRITESYSTEMDICT exch def



  % Acquire environment variables.

***************

*** 299,308 ****

  /.run /run load def

  /run /run0 load def



! % If we want a "safer" system, disable some obvious ways to cause havoc.

! SAFER not { (%END SAFER) .skipeof } if

  /file

!  { dup (r) eq

      { file }

      { /invalidfileaccess signalerror }

     ifelse

- --- 299,308 ----

  /.run /run load def

  /run /run0 load def



! % If we want an "unsafer" system, enable some obvious ways to cause havoc.

! UNSAFER { (%END UNSAFER) .skipeof } if

  /file

! { dup (r) eq 2 index (%pipe*) .stringmatch not and

      { file }

      { /invalidfileaccess signalerror }

     ifelse

***************

*** 309,315 ****

   } bind odef

  /renamefile { /invalidfileaccess signalerror } odef

  /deletefile { /invalidfileaccess signalerror } odef

! %END SAFER



  % Create the error handling machinery.

  % The interpreter has created the ErrorNames array.

- --- 309,315 ----

   } bind odef

  /renamefile { /invalidfileaccess signalerror } odef

  /deletefile { /invalidfileaccess signalerror } odef

! %END UNSAFER



  % Create the error handling machinery.

  % The interpreter has created the ErrorNames array.

- ------------------------------------------------------------------------------

                        End UNSAFER Patch



   Once applied, all of the aforementioned tools need to be changed to add the

   -dUNSAFER option to the rest of the arguments given to gs, the ghostscript

   interpreter.



2) We received a report that adding any of the above-mentioned patches

   may cause the gs interpreter to fail (in version 2.6.0). Should this

   be the case, changing '.stringmatch' to 'stringmatch' fixes this problem

   (see below).  Upgrading to ghostscript version   2.6.1 also will address

    the problem.



        If you have a problem with



             ! { dup (r) eq 2 index (%pipe*) .stringmatch not and



        change to



             ! { dup (r) eq 2 index (%pipe*) stringmatch not and



3) Since it is unknown at this time whether the Macintosh and DOS/Windows

   versions of ghostscript are vulnerable, we suggest that you apply the

   patch.



4) Version 3.33 with appropriate patches will address the vulnerabilities

   outlined in advisory CA-95:10. As of Nov. 8, 1995, the most recent release

   of ghostscript is Version 3.51.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history



Sep. 23, 1997  Updated copyright statement 

Aug. 30, 1996  Information previously in the README was inserted

                into the advisory, with editing in the Updates section.

Nov. 08, 1995  Updates section - added SAFER and UNSAFER patches and

                instructions for applying them. Included a note for Macintosh

                and DOS/Windows users. Noted a recent release of ghostscript

                version 3.51.









-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTAvlr9kb5qlZHQEQJmsgCeLsz0J0T8UcNtEMdZpOdV9cM3jIMAninC

+KTh6sgDv5g1qIZYAeNYVR3a

=N38d

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.