<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Dear List,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m writing on behalf of the Check Point Vulnerability Discovery Team to clarify this issue. Here is our advisory and the specific timeline:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Check Point Software Technologies - Vulnerability Discovery Team (VDT)<o:p></o:p></p><p class=MsoNormal>http://www.checkpoint.com/defense/<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>GhostScript 8.70 and lower stack overflow<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>INTRODUCTION<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ghostscript is an interpreter for the PostScript language and the Portable Document Format (PDF). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There exists a vulnerability within the parser function that when properly exploited can lead to remote comprimise of the vulnerable system, both thru client-side exploitation (using applications like Imagemagick) or server-side exploitation (using cups printer daemon). For both cases<o:p></o:p></p><p class=MsoNormal>there is a working exploit to be shared with interested parts.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This vulnerability was confirmed in the following GhostScript versions:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>8.70<o:p></o:p></p><p class=MsoNormal>8.64<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>DETAILS<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A remote attacker could entice a user to open a specially crafted PostScript file (client-side exploitation scenario) or just print the file (server-sie exploitation scenario), possibly resulting in the execution of arbitrary code with the privileges of the user running the application or the printer daemon.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Different Unix vendors and Linux distributions are vulnerable to that due to the usage of the vulnerable GhostScript version.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The following test was made on a PCBSD 8.0 default install. There is a working exploit for the vulnerability to test the exploitability in different systems. Propolice protection mitigates this vulnerability.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>$ gs --version<o:p></o:p></p><p class=MsoNormal>8.70<o:p></o:p></p><p class=MsoNormal>$ gdb gs<o:p></o:p></p><p class=MsoNormal>...<o:p></o:p></p><p class=MsoNormal>...<o:p></o:p></p><p class=MsoNormal>(gdb) r crash.ps<o:p></o:p></p><p class=MsoNormal>...<o:p></o:p></p><p class=MsoNormal>Program received signal SIGSEGV, Segmentation fault.<o:p></o:p></p><p class=MsoNormal>[Switching to Thread 29201140 (LWP 100125)]<o:p></o:p></p><p class=MsoNormal>0x2897774e in memcpy () from /lib/libc.so.7<o:p></o:p></p><p class=MsoNormal>(gdb) bt<o:p></o:p></p><p class=MsoNormal>#0 0x2897774e in memcpy () from /lib/libc.so.7<o:p></o:p></p><p class=MsoNormal>#1 0x28178cb4 in scan_token () from /usr/local/lib/libgs.so.8<o:p></o:p></p><p class=MsoNormal><span lang=PT-BR>#2 0x41414141 in ?? ()<o:p></o:p></span></p><p class=MsoNormal><span lang=PT-BR>(gdb) x/i $pc<o:p></o:p></span></p><p class=MsoNormal><span lang=PT-BR>0x2897774e <memcpy+30>: repz movsl %ds:(%esi),%es:(%edi)<o:p></o:p></span></p><p class=MsoNormal><span lang=PT-BR>(gdb) i r $esi $edi<o:p></o:p></span></p><p class=MsoNormal>esi 0xbfbfd118 -1077948136<o:p></o:p></p><p class=MsoNormal>edi 0x414142d9 1094795993<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We can use the Cupsd to trigger the vulnerability in the gs process.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>$ lp -d hpdskjet crash.pdf<o:p></o:p></p><p class=MsoNormal>$ grep crashed /var/log/cups/error_log<o:p></o:p></p><p class=MsoNormal>D [08/Mar/2010:18:01:10 -0500] [Job 11] PID 33428 (gs) crashed on signal 11!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>WORKAROUND<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Upgrade to GhostScript version 8.71.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>TIMELINE<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>14/Jan - Vulnerability discovered<o:p></o:p></p><p class=MsoNormal>February and March - Communications with the Vendor (Artifex)<o:p></o:p></p><p class=MsoNormal>28/Mar - First request for a CVE entry<o:p></o:p></p><p class=MsoNormal>12/Apr - Communication with RedHat and other vendors (Ubuntu, FreeBSD and others)<o:p></o:p></p><p class=MsoNormal>10/May - CVE assigned (CVE-2010-1869)<o:p></o:p></p><p class=MsoNormal>11/May - Check Point issued an IPS update to protect its customers<o:p></o:p></p><p class=MsoNormal>12/May - After seen the Check Point advisory, Dan Rosenberg published the issue to the mailing lists<o:p></o:p></p><p class=MsoNormal>12/May - Clarified with Dan that the vulnerabilities are the same. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>CREDITS<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>Best Regards,</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>Rodrigo.</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>--<br>Rodrigo Rubira Branco<br>Senior Security Researcher<br>Vulnerability Discovery Team (VDT)<br>Check Point Software Technologies</span><o:p></o:p></p></div></body></html>