Message-ID: <CAPGxrc_yrmXsGOs_nRLJoqP=sTPRnjsnxL=ts=E5Vj-UxT_VhQ@mail.gmail.com>
Date: Sat, 29 Apr 2017 19:24:09 +0800
From: redrain root <rootredrain@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-8291 ghostscript remote code execution

nope~

I know this issue is a type confusion similar to your initialized dsc parser. For example, the last previous vulnerability code exists in zinitialize_dsc_parser(). The method gets the memory data using dict_memory() and treats it as an object to call its gs_alloc_struct() method.

In the Evince code execution demo, ghostscript (libgs.so) is used as the .ps file processor, and the other demo, attacking imagick, is the shell command injection vuln.

CVE-2017-8291 is a part of my exploit from last year; it also affects some programs that use ghostscript. That's why I use Evince as the example.

Regards,
redrain

2017-04-29 13:36 GMT+08:00 Tavis Ormandy <taviso@...gle.com>:
> On Fri, Apr 28, 2017 at 7:43 PM, redrain root <rootredrain@...il.com>
> wrote:
> >
> > what an awkward??
> > I have discovered a part of my vulns about ghostscript last year and
> > exploited in fulldisclosure early!
> > and these vulns are part of mine I was going to discover these in defcon
> > or other conference...WTF...
> > u guys are logo designers???
> >
> > there are two demos last year
> > Evince Arbitrary Code Execution https://youtu.be/wzcrHXngfcM Attack Imagick
> > through Ghostscript https://youtu.be/tPGm_ANDyOw
> >
>
> I don't think so, that is CVE-2016-7976 and is entirely unrelated to
> the issue being discussed, other than superficial similarity of the
> exploit.
>
> That issue was reported by me, and we discussed the ImageMagick and
> evince attack vectors at the time, you can check the archives if
> you're interested.
>
> http://seclists.org/oss-sec/2016/q4/29
>
> This issue (CVE-2017-8291) is a type confusion vulnerability (well,
> technically two vulnerabilities), and was found in the wild.
>
> Tavis.