************************************************************************** Security Bulletin 9537 DISA Defense Communications System September 29, 1995 Published by: DISN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/disn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/disn-security-9531). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-35 Release date: 19, Sept 1995, 3:30 PM EDT (GMT -4) SUBJECT: ghostscript Vulnerability. SUMMARY: There is a vulnerability in older versions of ghostscript (gs) that enables users to execute commands to create or delete files. This problem involves the -dSAFER option and is present in all versions of ghostscript from 2.6 through 3.22 beta. BACKGROUND: ghostscript is an interpreter for the PostScript language. PostScript was designed for the expression of graphical data, and is widely used for transferring images and preformatted text. The language includes primitives for file operations which are used for the expression of images, but could also be used to embed malicious file creation or deletion commands within PostScript files. ghostscript recognizes the command-line option: "-dSAFER". This option is intended to disable the file operations and the %pipe PostScript operator that could be used for malicious purposes. Older versions of ghostscript do not completely disable the pipe operator, however, and the option -dSAFER does not provide full protection. This problem is present in all versions of ghostscript between 2.6 (when the %pipe operator was added) and 3.22beta (when a fix was made). IMPACT: Malicious code inserted into a PostScript file can cause commands to be executed to create or delete files on any system where that PostScript file is viewed with ghostscript. RECOMMENDED SOLUTIONS: (A) Fix the -dSAFER PostScript code or (B) install version 3.33 of ghostscript, and (C) enable the - -dSAFER option as the default. A. Fixing the -dSAFER PostScript code. The following fix is in the form of "diff" output, which is suitable for use with the GNU patch program. This patch brings the code into conformance with the version of gs_init.ps distributed with the latest version of ghostscript (3.33) and can be applied to the GNU versions 2.6, 2.6.1, and 2.6.2. The file to be patched is in the ghostscript library. As an example, gs_init.ps could be installed in: /usr/local/lib/ghostscript/gs_init.ps Here is the patch: - ------------------------cut here-------------------------------- *** gs_init.ps.orig Fri Aug 25 10:42:51 1995 - --- gs_init.ps Fri Aug 25 11:16:24 1995 *************** *** 302,308 **** % If we want a "safer" system, disable some obvious ways to cause havoc. SAFER not { (%END SAFER) .skipeof } if /file ! { dup (r) eq { file } { /invalidfileaccess signalerror } ifelse - --- 302,308 ---- % If we want a "safer" system, disable some obvious ways to cause havoc. SAFER not { (%END SAFER) .skipeof } if /file ! { dup (r) eq 2 index (%pipe*) .stringmatch not and { file } { /invalidfileaccess signalerror } ifelse - ------------------------cut here-------------------------------- The key is to change the line that says: { dup (r) eq to one that says: { dup (r) eq 2 index (%pipe*) .stringmatch not and Here are the relevant lines in the gs_init.ps file for version 2.6.2 of ghostscript before the patch: 302 % If we want a "safer" system, disable some obvious ways to cause havoc. 303 SAFER not { (%END SAFER) .skipeof } if 304 /file 305 { dup (r) eq 306 { file } 307 { /invalidfileaccess signalerror } 308 ifelse 309 } bind odef 310 /renamefile { /invalidfileaccess signalerror } odef 311 /deletefile { /invalidfileaccess signalerror } odef 312 %END SAFER Here are the same lines after the patch has been applied: 302 % If we want a "safer" system, disable some obvious ways to cause havoc. 303 SAFER not { (%END SAFER) .skipeof } if 304 /file 305 { dup (r) eq 2 index (%pipe*) .stringmatch not and 306 { file } 307 { /invalidfileaccess signalerror } 308 ifelse 309 } bind odef 310 /renamefile { /invalidfileaccess signalerror } odef 311 /deletefile { /invalidfileaccess signalerror } odef 312 %END SAFER B. Installing version 3.33 You may wish to install Aladdin Ghostscript version 3.33. The latest version of ghostscript is version 3.33 and is available at the locations noted below. This version of ghostscript is provided by Aladdin Enterprises and is subject to their licensing agreements. Please read the "Aladdin Ghostscript Free Public License" (included in the source code distribution) which differs from the "GNU Public License." Please note that this version is not the GNU version. The latest GNU version, which is version 2.6.2, does not fix this problem. ftp://ftp.cs.wisc.edu/pub/ghost/aladdin/ghostscript-3.33.tar.gz MD5=28b78ab052dff21639c4b97051323e49 ftp://ftp.cs.wisc.edu/pub/ghost/aladdin/ghostscript-3.33jpeg.tar.gz MD5=b7dd9064dd57db8fccc306f5e4528d99 Optionally, you may need the font files for this release. They are available at these locations: ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-std-3.0.tar.gz MD5=fe7377bb155496828a328624ae80149d ftp://ftp.cs.wisc.edu/pub/aladdin/ghostscript-fonts-other-3.0.tar.gz MD5=afe46faf7fde6518ae004a7e8d9a4af4 C. Making -dSAFER the default To make -dSAFER the default mode for ghostscript for all versions of ghostscript starting with version 2.6, the file gs_init.ps must again be changed. The PostScript commands which check the actual interpreted command are collected in one single if statement in the gs_init.ps file. By commenting out the begin and end lines of this if statement, the check is always applied meaning that the -dSAFER option is always enabled. NOTE: If you make this change, all file and %pipe operations are disabled and cannot be re-enabled. The lines which must be changed are: 303 SAFER not { (%END SAFER) .skipeof } if and 312 %END SAFER These two lines should be commented out and made to look like this: 303 % SAFER not { (%END SAFER) .skipeof } if and 312 % %END SAFER If you are using ghostscript 2.6.2, the code will look like the following when both patches noted above are installed: 302 % If we want a "safer" system, disable some obvious ways to cause havoc. 303 % SAFER not { (%END SAFER) .skipeof } if 304 /file 305 { dup (r) eq 2 index (%pipe*) .stringmatch not and 306 { file } 307 { /invalidfileaccess signalerror } 308 ifelse 309 } bind odef 310 /renamefile { /invalidfileaccess signalerror } odef 311 /deletefile { /invalidfileaccess signalerror } odef 312 % %END SAFER <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST would like to thank the CERT Cooridnation Center, DFN-CERT, and NASIRC for information contained in this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/ institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided. ASSIST Contact Information: PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700. ELECTRONIC MAIL: assist@assist.mil. ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for the "sysop". FAX: COMM 703-607-4735, DSN 607-4735 ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt, and through the world wide web from http://net-dist.mit.edu/pgp.html. In accordance with the terms of that license, PGP 2.6.2 may be used for non-commercial purposes only. Instructions for downloading the PGP 2.6.2 software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW 3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9 0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9 O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg== =d5rP - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMF8ZkdH6sbnW3Io9AQEjBAP/U+Y/zSWpE4J3Vutg1ZqTfwAmd2rGfJ6O W7fEUN6gUH6/SqRyuWWmtb2R/XnolEuybp6Lvm8xO616nuajXWFOQ9w56L1LLfkS kCewc8SDbvG6B8veNAGV4k6Cxa4vgus8HEkK9BDAr75pMkaP60krdYzeGneUYu8u S2MIV7tHLMo= =6fI9 -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.