79637 2002-10-01 17:09 /284 rader/ Marc Bevand <bevand_m@epita.fr> Importerad: 2002-10-01 17:09 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <1722> Ärende: ASA-0000: GV Execution of Arbitrary Shell Commands ------------------------------------------------------------ "After" Security Advisory Title: GV Execution of Arbitrary Shell Commands Affects: gv-3.5.8 and probably older versions Advisory ID: ASA-0000 Release Date: 2002-10-01 Author: Marc Bevand <bevand_m (at) epita.fr> URL: http://www.epita.fr/~bevand_m/asa/asa-0000 --oOo-- 0. Table of Contents 0. Table of Contents 1. Introduction 2. Problem 3. Solution 4. Conclusion 5. References 6. Attached files --oOo-- 1. Introduction GV [0] is a PostScript and PDF previewer available on many unix systems and even on some non-unix systems. Technically, it is a user interface for Ghostscript [1], which is a PostScript and PDF language interpreter. GV is also able to automatically decompress GZip'ed [2] files on-the-fly before reading them. When GV detects that the document is either a PDF file or a GZip compressed file, it executes some commands with the help of the system() function. Unfortunately, these commands contain the filename, which can be considered as untrusted user input. It is then possible to distribute a file (with a meticulously choosed filename, that can even seems innocent) that causes execution of arbitrary shell commands when it is read with GV. --oOo-- 2. Problem GV detects PDF files or GZip compressed files by reading the first bytes of datas: o when "%PDF-" is read, GV assumes it is a PDF file and call system() with the following argument (default value of the GV.gsCmdScanPDF X11 ressource): "gs -dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s pdf2dsc.ps -c quit" The 1st "%s" corresponds to the PDF filename, and the 2nd to a temporary filename. o when "\037\235" or "\037\213" is read, GV assumes it is a GZip compressed file and call system() with the following argument (default value of the GV.uncompressCommand X11 ressource): "gzip -d -c %s > %s" The 1st "%s" corresponds to the GZip compressed filename, and the 2nd to a temporary filename. In these conditions, trying to open, for example, a PDF file named "xxx & echo hello & xxx" leads to execution of "gs -dNODISPLAY -dQUIET -sPDFname=xxx & echo hello & xxx ...". Thus, "echo hello" (a part of the filename) is executed: $ file "xxx & echo hello & xxx" xxx & echo hello & xxx: PDF document, version 1.2 $ gv "xxx & echo hello & xxx" --> hello sh: xxx: command not found GS>hello sh: xxx..tmp: command not found The error messages ("sh: xxx: command not found", etc) are just results of the garbage introduced in the system() argument by the unusual "xxx & echo hello & xxx" filename. Moreover, GV displays a dialog box explaining that execution of Ghostscript failed. But all these "inconvenients" (from the malicious user point-of- view) can be easily avoided. Imagine a site where each host access a file server through the mount point "/sgoinfre", and suppose that someone (Charly) creates 2 files in this directory: o a PDF file named 'Huhu_"`source evil`".pdf' (doublequotes and backquotes are part of the filename) o a shell script named 'evil' that contains: #!/bin/sh echo '"`source evil`"' touch _it_works_ Now, here is what happens if someone else (Alice) wants to read the PDF file: $ cd /sgoinfre $ gv 'Huhu_"`source evil`".pdf' All works fine for Alice (no error messages, no dialog box), except that she hasn't realized that 'evil' has been executed under her identity: $ ls -l _it_works_ -rw------- 1 alice users 0 Jul 30 05:56 _it_works_ Note: this example works only if the /bin/sh shell executed by system() supports the 'source' builtin; that's the case when /bin/sh is a link to bash. --oOo-- 3. Solution The GV maintainer, Johannes Plass <plass (at) thep.physik.uni-mainz.de>, has been e-mailed twice about this problem. Unfortunately, no response has been received, it seems that he has stopped his work on GV since 1997. However, I propose a temporary fix: the attached patch ("asa-0000.gv-3.5.8.patch"), done against GV 3.5.8, checks if the filename contains only allowed characters (alphanumeric and ``+,-./:=@\^_''). If this is not the case, an error message is displayed and system() is not called. --oOo-- 4. Conclusion GV contains a security hole allowing execution of arbitrary shell commands. Since the author seems to have stopped his work on GV, a temporary fix has been developped: see the attached patch done against GV 3.5.8. --oOo-- 5. References [0] GV http://wwwthep.physik.uni-mainz.de/~plass/gv/ [1] Ghostscript http://www.cs.wisc.edu/~ghost/index.html [2] GNU Zip http://www.gzip.org --oOo-- 6. Attached files The following file is also available at: http://www.epita.fr/~bevand_m/asa/asa-0000.gv-3.5.8.patch ---8<------------------ asa-0000.gv-3.5.8.patch ------------------------- diff -ur gv-3.5.8.orig/source/file.c gv-3.5.8/source/file.c --- gv-3.5.8.orig/source/file.c 1997-06-07 00:00:00.000000000 +0200 +++ gv-3.5.8/source/file.c 2002-09-26 23:56:00.000000000 +0200 @@ -285,6 +285,22 @@ } /*############################################################*/ +/* file_nameIsDangerous */ +/*############################################################*/ + +char *file_charsAllowedInName = "+,-./:=@\\^_"; + +int +file_nameIsDangerous(fn) + char *fn; +{ + for (; *fn; fn++) + if (!isalnum(*fn) && !strchr(file_charsAllowedInName, *fn)) + return(1); + return(0); +} + +/*############################################################*/ /* file_pdfname2psname */ /* If the file ends in .pdf, change this to .ps.*/ /* Return pointer to temp copy if changed, else to input string. */ diff -ur gv-3.5.8.orig/source/file.h gv-3.5.8/source/file.h --- gv-3.5.8.orig/source/file.h 1997-04-26 00:00:00.000000000 +0200 +++ gv-3.5.8/source/file.h 2002-09-26 23:28:38.000000000 +0200 @@ -70,6 +70,14 @@ #endif ); +extern char *file_charsAllowedInName; + +extern int file_nameIsDangerous ( +#if NeedFunctionPrototypes + char * +#endif +); + extern char* file_pdfname2psname ( #if NeedFunctionPrototypes char * /* name */ diff -ur gv-3.5.8.orig/source/ps.c gv-3.5.8/source/ps.c --- gv-3.5.8.orig/source/ps.c 1997-06-07 00:00:00.000000000 +0200 +++ gv-3.5.8/source/ps.c 2002-09-27 00:29:35.000000000 +0200 @@ -420,6 +420,16 @@ char cmd[512]; char s[512]; filename_unc=file_getTmpFilename(NULL,filename_raw); + if (file_nameIsDangerous(filename)) + { + INFMESSAGE(the filename is dangerous) + sprintf(s, "The filename \"%s\" is dangerous: only alphanumeric " + "characters and \"%s\" are allowed.\n", + filename, file_charsAllowedInName); + NotePopupShowMessage(s); + ENDMESSAGE(psscan) + return(NULL); + } sprintf(cmd,cmd_uncompress,filename,filename_unc); INFMESSAGE(is compressed) INFSMESSAGE(uncompress command,cmd) @@ -491,6 +501,16 @@ char cmd[512]; char s[512]; filename_dsc=file_getTmpFilename(NULL,filename_raw); + if (file_nameIsDangerous(filename)) + { + INFMESSAGE(the filename is dangerous) + sprintf(s, "The filename \"%s\" is dangerous: only alphanumeric " + "characters and \"%s\" are allowed.\n", + filename, file_charsAllowedInName); + NotePopupShowMessage(s); + ENDMESSAGE(psscan) + return(NULL); + } sprintf(cmd,cmd_scan_pdf,filename,filename_dsc); INFMESSAGE(is PDF) INFSMESSAGE(scan command,cmd) ---8<------------------ asa-0000.gv-3.5.8.patch ------------------------- (79637) /Marc Bevand <bevand_m@epita.fr>/-----------