List: best-of-security
Subject: BOS: gs hole + patch
From: Julian Assange <proff () suburbia ! net>
Date: 1995-09-11 3:29:56
Here's the description of the hole that I mentioned in my previous
e-mail, which was a CC of a message that I was posting to the Linux
security list.
I CC'd the 'mgetty' list because we were discussing, and trying to
compile a list of, software that calls Ghostscript (both "safely" and
"unsafely") and I had mentioned that 'faxspool' calls it (safely) to do
file-conversions. Since there may be people out there FAXing files that
they have received from the outside--thus opening themselves up to this
vulnerability--this is of interest here as well.
(Any users of the WWW that view remote Postscript files are of course
*very* vulnerable!)
The easiest way to demonstrate the problem is to view the following
Postscript file with either Ghostview or Ghostscript. Even the
"-dSAFER" option (which Ghostview v1.5 passes to Ghostscript by default)
does not prevent the file-write:
%!PS-
(%pipe%echo hacker@rogue.site >> /tmp/foo) (r) file
quit
Replace /tmp/foo with /.rhosts (or use Postscript's getenv capabilities
to write to ~/.rhosts) and you quickly see the dangers...
One fix (thanks go out to Olaf Kirch for this) is to patch the
gs_init.ps file in your Ghostscript library area in the following
manner:
--- gs_init.ps.orig Sun Aug 20 23:22:01 1995
+++ gs_init.ps Sun Aug 20 23:22:46 1995
@@ -302,7 +302,8 @@
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
- { dup (r) eq
+ { exch dup /..fname exch def exch
+ dup (r) eq ..fname (%pipe%*) .stringmatch not and
{ file }
{ /invalidfileaccess signalerror }
ifelse
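Review bot: the added `exch dup /..fname exch def exch` in this hunk stores the filename with `def` in whatever dictionary is current when `file` is called, so the name `..fname` is left defined (and visible to the interpreted program) after every call, and the wrapper is not re-entrant. The same check can be done with stack operators alone, keeping the hunk free of that side effect, e.g. replace the two `+` lines with `{ 1 index (%pipe%*) .stringmatch not 1 index (r) eq and`, which leaves filename, access-mode and the combined boolean on the stack exactly as the original `dup (r) eq` did. Worth also noting in the surrounding comment that the pattern is a literal prefix match on `%pipe%` only, so readers know the scope of what SAFER now rejects.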
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | jeff.uphoff@linux.org
Charlottesville, VA, USA | http://linux.nrao.edu/~juphoff/
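For sites that, as the post describes, pass externally received Postscript through faxspool or a viewer, a static pre-screen that flags any string naming the %pipe% device is a cheap first line of defence alongside the gs_init.ps patch. The following is an added example, not code from the original post or from Ghostscript. It decodes the three PostScript string syntaxes (literal `(...)` with escapes and nested parentheses, hex `<...>`, and ASCII85 `<~...~>`) so that an encoded reference is still seen, and it skips `%` comments so a mention of %pipe% in a comment does not trip it. The sample documents at the bottom are constructed for the demonstration; the function names are this example's own.

```python
"""Static pre-screen for untrusted PostScript: flag strings naming %pipe%.

Added example (not from the post or from Ghostscript). A coarse filter to run
before handing a file to faxspool or a viewer; it complements, and does not
replace, the gs_init.ps fix, since a name assembled at run time by string
operators is outside what a static scan can see.
"""
import base64
import re

PIPE_DEVICE = b"%pipe%"
_SIMPLE_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _decode_literal(body: bytes) -> bytes:
    """Resolve backslash escapes inside a literal (...) string body."""
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        i += 1
        if i >= len(body):
            break
        m = re.match(rb"[0-7]{1,3}", body[i:i + 3])
        if m:                                   # \ddd octal escape
            out.append(int(m.group(), 8) & 0xFF)
            i += len(m.group())
        elif body[i:i + 1] == b"\n":            # backslash-newline continuation
            i += 1
        else:                                   # \n \r \t \b \f \( \) \\ or literal char
            out += _SIMPLE_ESCAPES.get(body[i:i + 1], body[i:i + 1])
            i += 1
    return bytes(out)


def extract_strings(ps: bytes):
    """Yield (offset, decoded_bytes) for every string object in a PostScript file.

    Handles literal (...) strings, hex <...> strings and ASCII85 <~...~> strings;
    skips % comments, and treats << / >> as dictionary marks rather than strings.
    """
    i, n = 0, len(ps)
    while i < n:
        c = ps[i:i + 1]
        if c == b"%":                            # comment to end of line
            j = ps.find(b"\n", i)
            i = n if j < 0 else j + 1
        elif c == b"(":                          # literal string, may nest parens
            depth, j = 1, i + 1
            while j < n and depth:
                ch = ps[j:j + 1]
                if ch == b"\\":
                    j += 2
                    continue
                if ch == b"(":
                    depth += 1
                elif ch == b")":
                    depth -= 1
                j += 1
            body = ps[i + 1:j] if depth else ps[i + 1:j - 1]   # tolerate unterminated string
            yield i, _decode_literal(body)
            i = j
        elif c == b"<":
            nxt = ps[i + 1:i + 2]
            if nxt == b"<":                      # dictionary mark <<
                i += 2
            elif nxt == b"~":                    # ASCII85 string <~ ... ~>
                j = ps.find(b"~>", i)
                end = n if j < 0 else j + 2
                try:
                    yield i, base64.a85decode(ps[i:end], adobe=True)
                except ValueError:
                    pass                         # malformed ASCII85: nothing to decode
                i = end
            else:                                # hex string < ... >
                j = ps.find(b">", i)
                if j < 0:
                    j = n
                digits = re.sub(rb"[^0-9A-Fa-f]", b"", ps[i + 1:j])
                if len(digits) % 2:
                    digits += b"0"               # PostScript pads a trailing odd digit with 0
                yield i, bytes.fromhex(digits.decode("ascii"))
                i = j + 1
        else:
            i += 1


def find_pipe_refs(ps: bytes):
    """Return [(offset, decoded_string)] for every string that names the %pipe% device."""
    return [(off, s) for off, s in extract_strings(ps) if PIPE_DEVICE in s]


# Constructed samples: the PoC from the post, a hex-string form the screen must
# also catch, and a benign file whose only %pipe% is inside a comment.
POC = b"%!PS-\n(%pipe%echo hacker@rogue.site >> /tmp/foo) (r) file\nquit\n"
HEX_VARIANT = b"%!PS\n<" + b"%pipe%id".hex().encode("ascii") + b"> (r) file\n"
BENIGN = b"%!PS\n% a comment mentioning %pipe% is harmless\n(Hello, world) show\n"

if __name__ == "__main__":
    for name, doc in (("poc", POC), ("hex", HEX_VARIANT), ("benign", BENIGN)):
        print(name, find_pipe_refs(doc))
```

A non-empty result means the file should be quarantined rather than spooled; an empty result is not a clean bill of health, because the scan is static, so the gs_init.ps change above remains the actual fix.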